AICPA Service Organization Control Reports
SSAE 18/ISAE 3402: SOC 1 TYPE II
Service organization reports serve to assist organizations that operate information systems and provide information system services to other entities. The reports help to build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.
SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting. The two types of SOC 1 reports are listed below:
- Type I – a report on the service organization's description of its system and on the suitability of the design of its controls as of a specified point in time. An SSAE 18 Type I report evaluates the design effectiveness of a service provider's controls and confirms that the controls have been placed in operation as of a specific date.
- Type II – a report covering everything in a Type I plus tests of the operating effectiveness of the controls over a period of time. An SSAE 18 Type II report includes the examination and confirmation steps of a Type I examination and, in addition, evaluates whether the controls operated effectively throughout the review period, which is at least six consecutive calendar months.
Alert Logic undergoes regular SOC 1 Type II audits to confirm that the controls relevant to our customers' financial reporting are suitably designed and operating effectively, and that we remain SOC 1 Type II compliant.
SSAE 18/ISAE 3000: SOC 2 TYPE II
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on the five Trust Service Principles (now published by the AICPA as the Trust Services Criteria): security, availability, processing integrity, confidentiality, and privacy. Security is the only mandatory category; independent third-party auditors assess the extent to which Alert Logic® meets the criteria for security and for whichever of the other four categories are in scope, based on the systems and processes in place.
The Trust Service Principles are explained below:
- Security: The security principle refers to protection of system resources against unauthorized access. Access controls are in place at Alert Logic and help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information. IT security tools such as network and web application firewalls (WAFs), two-factor authentication, and intrusion detection used at Alert Logic help prevent security breaches that can lead to unauthorized access to systems and data.
- Availability: The availability principle refers to the accessibility of the system, products, or services as stipulated by a contract or service level agreement (SLA). Monitoring network performance and availability, site failover, and security incident handling are critical in this context.
- Processing Integrity: The processing integrity principle addresses whether a system achieves its purpose (such as delivering the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely, and authorized. Monitoring of data processing, coupled with quality assurance procedures, helps Alert Logic ensure processing integrity.
- Confidentiality: Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists, and other types of sensitive financial information. Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, are used to safeguard information being processed or stored on computer systems at Alert Logic.
- Privacy: The privacy principle addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with an Alert Logic privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Personally identifiable information (PII) refers to details that can distinguish an individual (such as their name, address, and Social Security number). Some personal data related to health, race, sexuality, and religion is also considered sensitive and generally requires an extra level of protection. Controls are in place to protect all PII from unauthorized access at Alert Logic.
Alert Logic undergoes regular audits to ensure the requirements of Trust Service Principles are met and that we remain SOC 2 TYPE II compliant.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all companies that accept, process, store, or transmit payment card information maintain a secure environment in which cardholder data is protected. The standard is maintained by the PCI Security Standards Council (PCI SSC); compliance is enforced by the payment card brands and acquiring banks through their agreements with merchants and service providers. All businesses that store, process, or transmit cardholder data electronically are required to meet the twelve requirements, grouped under six goals, listed below:
- Build and maintain a secure network and systems
  - Install and maintain firewall configurations to protect cardholder data
  - Never use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Protect stored cardholder data: render the primary account number (PAN) unreadable using encryption, truncation, masking, or hashing
  - Never store cardholder data unless necessary, and never retain sensitive authentication data (full track data, card verification codes, PINs) after authorization
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
  - Protect all systems against malware and regularly update anti-virus software or programs
  - Develop and maintain secure systems and applications
- Implement strong access control measures
  - Restrict access to cardholder data by business need to know
  - Identify and authenticate access to system components
  - Restrict physical access to cardholder data
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an information security policy
  - Maintain a policy that addresses information security for all personnel
Alert Logic® is committed to protecting client data. Our alignment with PCI DSS is reflected in the people, technology, and processes we employ.
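The "protect stored cardholder data" requirement above names four techniques (encryption, truncation, masking, hashing) and the monitoring requirement asks that access to cardholder data be tracked. The following Python example, added here as an illustration and not code from Alert Logic or the PCI SSC, shows what three of those techniques look like on a primary account number and how a log-scrubbing check can catch an unmasked PAN that leaked into application logs. The card numbers are the well-known Visa and Mastercard test numbers, the log lines are constructed, and the HMAC key is a placeholder; the requirement numbers in the comments refer to PCI DSS v3.2.1 and v4.0.

```python
"""PCI DSS-style handling of a primary account number (PAN).

Added illustration, not Alert Logic code.  Test card numbers only; the
log lines are constructed; the HMAC key is a placeholder (a real key is
held in an HSM or KMS and never in source).
"""
import hashlib
import hmac
import re

# Candidate PAN in free text: 13-19 digits, optionally separated by single
# spaces or dashes (as card numbers are often typed or printed).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands.  Filters out other
    long numbers (order ids, request ids, timestamps) that merely look like a PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the BIN (first six digits here) and the
    last four, the maximum PCI DSS permits on a display (v3.2.1 Req. 3.3)."""
    digits = SEPARATORS.sub("", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits.  Unlike masking,
    the removed digits are gone; the full PAN cannot be recovered from this."""
    return SEPARATORS.sub("", pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for lookups or joins without storing the PAN.
    PCI DSS v4.0 Req. 3.5.1.1 requires a *keyed* hash: an unkeyed SHA-256 of a
    PAN is brute-forceable, since a known BIN plus the Luhn check digit leaves
    only about 10**9 candidates for a 16-digit card."""
    digits = SEPARATORS.sub("", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in free text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every unmasked PAN in text with its masked form; leave
    look-alike numbers that fail Luhn untouched."""
    def _sub(m: re.Match) -> str:
        digits = SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample log: one clean PAN, one already-masked PAN, a 16-digit
# request id that fails Luhn, and a PAN with spaces.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO checkout ok order=1001 pan=4111111111111111 amt=19.99
2024-01-01T10:00:01Z INFO checkout ok order=1002 pan=411111******1111 amt=5.00
2024-01-01T10:00:02Z INFO lookup request_id=1234567890123456 status=hit
2024-01-01T10:00:03Z INFO checkout ok order=1003 pan=5555 5555 5555 4444 amt=42.00
"""

if __name__ == "__main__":
    for pan in find_unmasked_pans(SAMPLE_LOG):
        print("LEAK:", mask_pan(pan), "token:", hash_pan(pan, b"placeholder-key")[:16])
    print(redact_pans(SAMPLE_LOG))
```

Running the block reports the two lines that carry a full PAN (the masked line and the request id are ignored) and prints the log with those PANs masked. In practice the scrubbing belongs in the logging pipeline before data reaches disk, since a PAN that has already been written makes the log store part of the cardholder data environment.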
ISO/IEC 27001 and ISO/IEC 27701
The International Organization for Standardization (ISO) is an independent non-governmental organization and the world's largest developer of voluntary international standards. The ISO/IEC 27000 family of standards, and the control catalogue in ISO/IEC 27002 in particular, describes a comprehensive set of controls and control mechanisms to help organizations of all types and sizes keep information assets secure.
ISO/IEC 27001 specifies the requirements for establishing, implementing, monitoring, maintaining, and continually improving an information security management system (ISMS), so that information security is brought under explicit management control. At Alert Logic the ISMS is operated together with our privacy management system as a combined Information Security & Privacy Information Management System (ISPIMS). The standard also prescribes a set of practices that include documentation requirements, division of responsibilities, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps Alert Logic® comply with numerous regulatory and legal requirements that relate to the security of information.
ISO/IEC 27001 requires Alert Logic to:
- Systematically examine the organization’s information security risks
- Take account of the threats, vulnerabilities, and impacts
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
Compliance with these standards, audited by an accredited assessor, demonstrates that Alert Logic uses best practices to manage its infrastructure and validates that Alert Logic follows internationally recognized processes. Alert Logic is audited at least annually against ISO/IEC 27001 (surveillance and recertification audits) by an accredited third-party certification body, within the defined scope of our ISPIMS. Refer to – Alert Logic ISO 27001:2013 Certificate of Registration
Alert Logic has adopted ISO/IEC 27701 to support adherence to the privacy requirements of the European Union's General Data Protection Regulation (GDPR). ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002 with requirements and guidance for a Privacy Information Management System (PIMS), bringing the processing of personally identifiable information (PII) under explicit management control; a 27701 certificate is issued as an extension of a 27001 certificate, not on its own. At Alert Logic the PIMS is the privacy side of the combined Information Security and Privacy Information Management System (ISPIMS). The standard also prescribes controls for the collection and processing of PII that apply to both PII controllers and PII processors. Certification to ISO/IEC 27701 helps Alert Logic® comply with numerous regulatory and legal requirements that relate to the privacy of information.
ISO/IEC 27701 requires Alert Logic to:
- Systematically examine the organization’s information privacy risks
- Take account of the types of PII collected and processed, and ensure that privacy is addressed across the whole PII lifecycle: collection, storage, transfer, provision to third parties, access rights, retention, and disposal
- Design and implement a coherent and comprehensive suite of information privacy controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
- Employ a Data Protection Officer to oversee the data privacy program and adherence to GDPR requirements
- Adopt an overarching management process to ensure that information privacy requirements are met
Compliance with these standards, audited by an accredited assessor, demonstrates that Alert Logic uses best practices to manage its infrastructure and validates that Alert Logic follows internationally recognized processes. Alert Logic is audited at least annually against ISO/IEC 27701 by an accredited third-party certification body, within the defined scope of our ISPIMS. Refer to – Alert Logic ISO 27701:2019 Certificate of Registration
EU-U.S. Privacy Shield Framework
The EU-U.S. Privacy Shield Framework was designed jointly by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
Following the Court of Justice of the European Union (CJEU) ruling of July 2020 (Schrems II, Case C-311/18), which invalidated the Privacy Shield adequacy decision, Alert Logic no longer relies on the EU-U.S. Privacy Shield program as a mechanism for the international transfer of personal data. Alert Logic will continue to adhere to the EU-U.S. Privacy Shield principles with respect to data already transferred under the program. Please refer to our Privacy Statement for more information.
Cloud Security Alliance (CSA) STAR Self-Assessment
The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. Alert Logic has completed the CSA STAR Self-Assessment via the Consensus Assessments Initiative Questionnaire (CAIQ) and published the results to the CSA Security, Trust, and Assurance Registry: Alert Logic – CAIQ (v3).