In the first quarter of 2021, Accelevents became certified to be a SOC 2 Type 1 compliant organization. We are very excited about this huge accomplishment. And soon, we will be SOC 2 Type 2 compliant for security.
So what does this mean for our customers and business partners?
We wanted to fill you in on what SOC 2 is all about and what it means for those who work with Accelevents!
What is SOC 2 Certification?
The SOC 2 certification was developed by the American Institute of Certified Public Accountants (AICPA) as a way of evaluating whether a company follows the criteria for managing customer data that are based on the trust services principles.
There are two parts of the SOC 2 Certification, Type 1 and Type 2.
- During the Type 1 audit, businesses are evaluated on the design of their hiring and data management controls, and the SOC 2 auditors determine whether that design meets the trust principles.
- In the Type 2 audit, the continued operating effectiveness of those same controls is checked over a period of time.
When evaluating an organization’s SOC 2 compliance, auditors identify how a business manages customer data according to each of the following five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
What Does SOC 2 Mean for Accelevents’ Customers?
Accelevents has gone through SOC 2 Type 1 procedures to reassure our consumers that we take security seriously. So what does this mean for you as a consumer?
We interviewed our CEO Jon Kazarian, Cloud Architect Julian Severino, and Director of Talent Carrie Matthews to learn more about the process and the goal behind it.
“At Accelevents, we have always put data protection and controls as a top priority. The effort to become SOC 2 certified was an easy decision. Having a third party auditor ensure that we are following all best practices and controls is another step in putting customer data first.”
“A major part of putting customer data first is putting the security of your infrastructure and applications first. We leverage the tools and infrastructure provided by Amazon Web Services, bring the ‘security-by-design’ approach to everything we build, and use best practices in automation and data security.
Just doing things isn’t enough though! So we drilled down and developed policies and procedures addressing things like our disaster recovery plans, how we perform data classification and incident response, our software development lifecycle, access management across the organization, and so much more. It is important for any organization to have solidified, iterable processes they can use to best serve their customers.”
“Though we are still a relatively young company, we have experienced tremendous growth over the past year. It was important to us to show customers and potential customers that we’ve invested in proper processes and procedures as we have grown our headcount.”
With the support of the information systems team, the talent team worked to document internal processes, procedures, and company structures in order to satisfy the audit. Particularly of note in this effort is documenting employee onboarding and offboarding procedures. We put documentation in place to ensure that system access control procedures were consistently followed for all new hires and for those leaving the company as well.
Here’s What SOC 2 Looks Like on the Inside
Naturally, you may be wondering exactly what steps and processes were necessary for this certification.
There are general guidelines, but every organization is different! For four months, our team worked with auditors from Armanino, one of the top accounting firms in the nation, to answer that question for Accelevents. Because we had most of the processes already set up internally, a lot of the work involved following the AICPA guidelines and making sure we had our T’s crossed and I’s dotted.
As Carrie stated, “We were following almost all of the suggested procedures anyway because it’s best practice… but this just proves to the outside world that this is how we operate and we can be trusted with their data and their business.”
From a human resources perspective, here are some of the items that were verified through the certification process:
- Usage of an applicant tracking system to ensure consistency in our hiring process, including a structured interview sequence
- Consistent onboarding and offboarding process for every new hire, including access forms for each hiring manager to complete prior to allowing new employees access to internal systems
- Confirmation that all new employees go through and pass a background check, inclusive of a criminal check, education verification, and employment verification
- Confirmation that all new employees acknowledge the receipt of our employee handbook, including our non-disclosure and conflict of interest policies
- Organizational structure including job descriptions and reporting structures
- Setting up whistleblower procedures for internal and external parties to report any unauthorized or unethical behavior
Here’s a bit more of what we did on the technical side:
- Adopted VeryGoodSecurity’s compliance monitoring platform technology to support continuous compliance across our organization
- Partnered with a CREST-certified penetration-testing company
- Set up policies and procedures for data classification and data access
- Set up fine-grained access controls to prevent potential abuse of systems and processes and to guard against data exfiltration
- Set up web application firewalls (WAFs)
- Enforced two-factor authentication organization-wide
- Enforced continuous access-control audits and the principle of least privilege
- Established monitoring for network performance and availability, site failover, and security incident handling
- Optimized data processing to ensure it is complete, valid, accurate, timely, and authorized
- Enforced encryption configuration across our infrastructure
- Followed the AICPA’s generally accepted privacy principles (GAPP) criteria
- Audited and mapped our application architecture and network infrastructure
The Importance of Being SOC 2 Certified
In today’s data-driven society and economy, it’s imperative that companies can prove themselves trustworthy and do everything possible to protect their users’ data. Now that Accelevents is SOC 2 certified, we can proudly say that we’re dotting our I’s, crossing our T’s, and doing the work every day to prove to our customers that they’re in good hands.