When you’re shopping for business software-as-a-service (SaaS), how do you know if a vendor can keep your data secure? You know it’s important to do everything possible to ensure your business’s cybersecurity and data protection. You want to believe the salesperson’s claims about security. But what can a business leader without expertise in technology do to prevent their business from being the next high-profile hacking victim? Rather than take security claims at face value, ask for a Service Organization Control (SOC) report.
A SOC audit investigates how software providers operate. It can reveal how securely they build, test, deploy, manage, and operate their platforms. It also documents how they manage data privacy in their human resources departments, physical offices, and other environments in which information is vulnerable.
For cannabis businesses holding private customer data, including medical information subject to HIPAA compliance mandates, data privacy is a critical issue for the industry. As the industry grows and matures, using enterprise-grade SaaS while maintaining security controls that go above and beyond will be what separates the businesses with staying power from those that fall victim to data theft and consumer lawsuits. Learning the lingo and best practices is the first step to ensuring your business’s longevity.
A SOC 2 Type 2 report answers the toughest questions: How would the vendor actually handle and protect your data? How would its team ensure uptime and performance?
A SOC 2 Type 2 report could, for instance, confirm that the company runs disaster recovery tabletop exercises on a monthly basis, conducts periodic access reviews, and enforces single sign-on (SSO). It could also verify that the company enforces strong password and network policies and revokes terminated employees’ access within 24 hours.
When you read a SOC 2 Type 2 report, look for the list of exceptions: controls that did not operate as described at some point during the audit window. The number of exceptions is a barometer for how well a vendor has delivered on the Trust Services Principles and Criteria. Read each exception together with management’s written response, since one exception in a critical control (such as access revocation) can matter more than several minor ones.
To learn more or to arrange a consultation with our HoRizon business development team, get in touch with us today.