"Who will watch the watchmen?" It's a deceptively poignant and tricky question dating back to ancient Rome when it was famously posed by Juvenal. Then, as now, it would seem many of the most biting social commentaries rise to popular consciousness through the satirists.
When it comes to cybersecurity, the question is all the more critical. In this new arena, political, business, and criminal interests compete for dominance, with fortunes won and lost on the cutting edge. This arena is so complex, entangled, and increasingly specialized that every organization, in one way or another, relies on outside help and third-parties to defend their digital domains. And yet, the more complex, interdependent, and specialized the challenges become, the less transparency organizations seem to have into the true capabilities of their would-be defenders.
A good example of this can be seen in artificial intelligence. According to Encyclopedia Britannica, artificial intelligence refers to "[T]he ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings." Because this definition is so broad it means that even relatively basic software functionality may be legitimately called AI.
At the same time, because the public imagination is dominated by the futuristic AI incarnations of popular science-fiction, there is a big gap in what security firms use the term to mean and how it's interpreted. Then again, because there are is small number of organizations making very meaningful advances in the design and application of truly innovative AI, it's totally legitimate for security vendors to invoke trade secrets or proprietary technologies to avoid having to hash out the details and narrow the divide between implication and inference.
The result is that most cybersecurity providers are eager to boast of their unique AI applications, but reluctant to offer any details as to what that means. Over the years, decision makers have grown wise to this and now look skeptically at unsubstantiated claims of AI innovation. Indeed, unless the security provider is an established market fixture with Fortune 500 like resources, in most cases, overemphasis of AI capabilities is actually seen as a sign of product/service immaturity.
In any case, the point remains: cybersecurity products and services are too often treated like black boxes. Vendors say they will give you something uniquely effective, but there's little transparency around how and there's no way for you to look under the hood.
And that's precisely the reason why the American Institute of CPAs (AICPA) introduced the System and Organization Controls (SOC) reporting process. In answer to Juvenal's question, when it comes to cybersecurity providers, SOC is designed to watch the watchman. And as of today, CyberMDX is proud to announce that it has successfully completed the SOC 2 Type II examination and reporting process and has been deemed compliant.
Why Rock the SOC?
SOC defines a standard for managing customer data based on 5 “trust principles”. All SOC certifications are issued by outside auditors. In the case of CyberMDX, we worked with EY, the industry leader for SOC reporting.
There are 3 basis types of SOC reports. SOC 1 reports provide assurance to financially significant processes only. SOC 2 reports, on the other hand, can provide assurance over non-financially related processes and assurances related to one or more of the five trust services principles. And SOC 3 adds additional focus on specific achievements and actions undertaken to apply the 5 trust principles.
SOC 1 and SOC 2 reports come in two types:
- Type I reports concern policies and procedures that were placed in operation at a specific moment in time.
- Type II reports concern policies and procedures over a specified time period. For this report, systems must be evaluated for a minimum of six months.
The five trust principles that forms the basis for the reports are as follows:
- Security — the system is protected against unauthorized access. Access control help prevent potential attacks, theft or unauthorized data deletion and disclosure of information.
- Processing Integrity — system processing is complete, accurate, timely and authorized. This principle helps asses if the service functions according to its purpose.
- Availability — the system is functionings and available for use agreed by a contract or service level agreement (SLA). The principle refers to security-related criteria that may affect availability and not system functionality or usability.
- Confidentiality — confidential information is protected as committed while disclosure of this information is restricted to a specified set of persons or organizations. One example could be data intended only for company personnel, such as sensitive financial information.
- Privacy — personal information is collected, retained, disclosed and being used in according to the commitments described in the entity’s privacy notice.
The SOC 2 Type II certification is the most comprehensive reporting process in the repertoire of SOC standards. Usually, companies seeking a cybersecurity services will find SOC 2 Type II the most relevant.
A company that has achieved SOC 2 Type II certification has proven its service is designed to keep its customers’ sensitive data secure. When it comes to working with cloud-based and related IT services, such performance and reliability is essential and required by regulators and auditors.
SOC 2 reporting is all about building trust. Trust is achieved by the service organization if they deliver in accordance with what was promised and demonstrate transparency across their business — especially as it pertains to operations and risk management.
The SOC 2 report provides organizations, along with regulators, business partners, suppliers, etcetera, important information about how the service provider manages their data. To meet SOC 2 reporting standards, vendors must be fair and trustworthy in their product's/service's presentation, communication, and end of day value offering.
What SOC 2 Type II Means for CyberMDX & Our Prospects/Customers
CyberMDX achieved SOC 2 Type II certification in record time. A process that by definition takes a minimum of six months took us precisely six months to complete. That suggests that we were doing a lot right before we even started with the reporting process. Even more than that though, it's a testament to what our team can achieve when committed to a shared goal. Of course, to those of us inside the company, this is just the latest example in a long list.
As smooth and quick as the process was, it wasn't easy. Our success is owed to the great efforts put forth by many individuals and the great coordination of the team. Over these six months, we implemented additional security measures, strengthened our risk assessment processes, enhanced our threat response availability, and have taken a number of steps to ensure that our solution accords with industry best practices.
CyberMDX is officially trustworthy, according to the highest standards, to help healthcare organizations ensure the security and integrity of their most critical assets; at the same time, the company has demonstrated its commitment to processing and protecting end user data with the greatest care, control, and adherence to established best practices.
For more information or to see the full CyberMDX SOC 2 Type II report, please issue a request through your account representative.