With attention-grabbing headlines about major security breaches occurring almost daily, plan sponsors need to be assured that their service providers are on guard 24-7, protecting sensitive information and intellectual property, wherever it may reside.
One sign that a service provider takes security and controls seriously is a clean SOC report, the outcome of a successful Service Organization Controls (SOC) examination. SOC examinations are conducted in accordance with attestation standards established by the American Institute of CPAs (AICPA), and are designed to provide assurance that a service organization's controls meet defined security criteria, validated by an independent service auditor. Note that a SOC examination is an attestation, not a certification: the auditor issues an opinion on the controls as described and, in a Type 2 report, on whether they operated effectively over a review period. Plan sponsors should therefore ask for the report itself, including its scope and any exceptions, rather than relying on a "SOC" logo.
Protect Sensitive Information, In Whatever State It Resides
It's important to understand that sensitive information and intellectual property don't exist only on a storage device or on a piece of paper. The same data is also processed by applications and moved across networks, and it's critical for a service provider to recognise each state the data passes through and to formulate protective measures for every one of them:
- In use: Data being actively handled by a user or application, for example opened in an editor, copied to a removable storage device or printed
- In motion: Data crossing a network, such as email, web traffic and instant messaging
- At rest: Data stored on file shares or on users' drives and devices
Kicking the Tires of Your Service Provider’s Internal Security
Once we understand the different states of data, we can formulate and implement specific protective measures for each of them.
Here is an important (but by no means exhaustive) list of internal measures we believe are critical for every service provider to adopt, and that we have taken care to implement effectively throughout our organization.