pasUNITY is proud to announce SOC 2 Type II certification



What is a SOC report?

A SOC report is proof, audited by impartial 3^rd parties, that a managed service provider has implemented a wide range of internal controls, policies, and procedures designed to report on the security, availability, processing integrity, and confidentiality of a service.  In short, this is the peace of mind that you want (need) that assures you that your provider (pasUNITY) is not asleep at the wheel and is in fact doing everything that you would expect them to be doing to safeguard the data and services that you depend on.

So how is this different from those other certifications like SAS-70 and SSAE-16 I always see?

These are quite a bit different. 

A SAS-70 is a rather toothless auditing standard that focuses almost exclusively on internal controls over financial reporting.  It has been brandishes about by many a services company as proof that they could be trusted.  The fact is that it has been used irresponsibly and in many ways downright deceptively by a number of organizations over the years.  You see, the SAS-70 only verifies that a service provider has procedures in place and follows them.  In no way does it dictate what those procedures have to do making it worthless for service organizations. pasUNITY never bothered with this one. 

The SSAE-16 is a meatier attestation standard designed for data center providers and some other service organizations to convey additional assurances regarding the design and effectiveness of controls.  It goes well beyond the SAS-70 and requires a written assertion from management of the controls being reviewed.  Any good data center worth their salt has one of these.  Our providers have them and we know – we obtain them annually and review them in detail.  See, like you we want to know that our infrastructure is going to be there tomorrow too.

The SOC 1 report is essentially an unbiased, independent evaluation of the policies and controls attested to by the service organization in an SSAE-16.  The auditor essentially provides their opinion on how well the service organization adhered to their policies and procedures.  That and a quarter and you have 25 cents.  pasUNITY never bothered with this one either.  Nothing wrong with this option – I would expect every data center to have one and would not trust one without it – it is a great start.  It still just does not have teeth for service organizations.

The SOC 2 report has some teeth.  Like shark teeth.  Jaws.  Grimlock.  Godzilla.  You see, this is an actual standard that dictates all the controls that an excellent service organization needs to implement.  Everything from disaster recovery plans to HR policies.  Further, it does it in a standard way that allows a customer to compare service organizations against one another to see how they stack up.  There is an insane amount of controls in here and an organization has to work hard to implement them all.  Harder still to make sure people are trained on them and make sure people follow them.  The SOC 2 is the shopping list for the secret sauce of the service organization.  It may not divulge the full recipe but you can tell quite clearly, what goes into it.  If you have not guessed by now, yes, this is one pasUNITY has.  Because it does give away a lot about the secret sauce, we only let this document out under NDA.

The SOC 3 report is similar to a SOC 2 report.  Just a bit watered down is all.  You need to go through just as much work to get your SOC 3 as you do the SOC 2 but the report itself includes only the system description and auditor opinion and omits the service auditor testing and results portion.  You now know what grocery store we buy the secret sauce ingredients from but good luck trying to make it.  pasUNITY has this too.  This you will find on our websites for public consumption.  We want people to know how cool the secret sauce is – we just do not want to see it on at someone else’s burrito stand if you know what I mean.

All these SOC reports (1, 2, and 3) all come in two flavors.  The first one is the Type I and this is at a specific moment in time.  An auditor shows up on a Tuesday, reviews your stuff, and confirms that you followed the rules all day on Tuesday.  The second is the Type II and this applies to an entire period of no less than 6 months and no more than one year.  An auditor shows up on a Tuesday, reviews your stuff, and then goes digging through your drawers and flipping over the furniture to make sure you have been following the rules all along and not just on Tuesday.  pasUNITY has (you guessed it) the Type II.

So what exactly is in the secret sauce?

Topics ranging from information security to risk management to HR to software development.  Everything from details on how to implement encryption on a database, what you can post on Facebook, what makes a good password, when you can listen to iTunes, and hundreds of other things big and small.   You can find out more about SOC reports from the AICPA website.

So why now?

We have had these policies and procedures in place for quite a while now.  Years.  That is how we skipped the Type I and went straight to the Type II as that required we show at least one full year of documented and verifiable evidence that we had solid policies, procedures, controls, and audits in place.  That said we review them all regularly and make tweaks as necessary to account for evolving technologies and trends.

What does the future hold?

Well, for starters you can expect us to continue this process into the future.  That means that each year we will repeat the entire process again to evidence that we are still fighting the good fight.  We do expect the SOC standards and specification to evolve over time and like any good service organization, we will adapt and evolve with them.  In addition, we will continue to do so for as long as the SOC is still relevant or until an even better successor standard comes along.