Earlier this month, Brittany Farb emailed me to let me know that Keeper Security, a password manager I reviewed from Techweek Chicago, received SOC 2 Type II Certification. To achieve that certification, the following areas of Keeper’s policies and practices were reviewed:
- Infrastructure: The physical and hardware components of a system.
- Software: The programs and operating software of a system.
- People: The personnel involved in the operation and use of a system.
- Procedures: The automated and manual procedures involved in the operation of a system.
- Data: The information used and supported by a system.
For the security minded, that is a big deal. For the rest of us, it sounds like a big deal. I asked for more information. Keeper Security provided a nice breakdown of what SOC 2 Type II Certification means, and why it’s important.
What is it?
The Service Organization Control (SOC) 2 Type II examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities, and tested those controls to ensure that they are operating effectively.
SOC 2 is based on Policies, Communications, Procedures and Monitoring. The specific Trust Service Principles explained below must be met in order to successfully achieve certification.
- Security: The system has controls in place to protect against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely and authorized.
- Confidentiality: Information that is designated as “confidential” by a user is protected.
- Privacy: Personal information is collected, used, retained and disclosed in accordance with the operation’s privacy notice and principles set by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
There are two types of SOC 2 reports: Type I and Type II.
The Type II report is issued to organizations that have audited controls in place and the effectiveness of the controls have been audited over a specified period of time. The Type I report is preliminary to the Type II report and is based on the ability to test and report on design. Type I reports are issued to organizations that have audited controls in place, but have not yet audited the effectiveness of the controls over a period of time.
Why is it important and why does it matter?
Type II Certification consists of a thorough examination by a third party firm of an organization’s internal control policies and practices over a specified period of time. The period of time is typically six months to one year. This independent review ensures that the organization meets the stringent requirements set forth by the AICPA and CICA. When trusting an application with highly sensitive and confidential information, such as passwords, documents and secure images, obtaining high level certification is imperative.
How does it impact applications?
Applications and software developed by a SOC 2 certified organization must be developed following audited processes and controls. This helps ensure that applications and code are developed, reviewed, tested, and released following the the AICPA Trust Services Principles. The result is an application that has been developed under an audited processes and controls to help ensure the highest level of trust and security.
How does it impact users?
When a company works with a third party who has been granted access to any type of system that the customer owns, this creates some level of internal control risk. The type of access granted to a third party vendor and the type of systems they have access to ultimately determines the level of risk for the organization. Even the smallest of data breaches can become a substantial issue for a large company if it has inadequate internal control policies and systems.
By working with a SOC 2 certified vendor like Keeper, users ensure that data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework (as mentioned above).
Keeper encrypts user data on the end-user device and can only be decrypted by the user’s master password. The master password is never sent from the user device, and any data backed-up in Keeper’s cloud is encrypted and cannot be decrypted by Keeper (or anyone else, without the master password). Because Keeper is a SOC 2 certified organization, with audited controls and processes in place, users can be sure that the application performs and operates as described. Applications developed by organizations that are not SOC 2 certified do not have the same level of assurance.