Tuesday, February 11, 2020

SOC2: Building Trust and Securing Data

Lumavate offers our customers a low-code mobile app platform for marketers. Our customers range from mid-market organizations to Fortune 200 companies, and security is always one of their key priorities. Our customers trust us and our Platform to engage with their customers, employees, and other stakeholders through multiple mobile apps, including internal communications, events, onboarding, compliance, content distribution, and more. Our customers also trust us to securely handle their data as it is processed by any of the apps they build in our Platform.

Our customers trust us to assure our Platform:

  • Is available, reliable, serviceable, and can handle necessary volume while delivering appropriate response times;
  • Is secure;
  • Protects their data and maintains the integrity of the data.

While our customers trust us, they also seek to verify that we can and should be trusted. Verification often includes asking us to complete questionnaires about our security policies, controls, and practices. Verification may also include asking us to provide them with a copy of our SOC2 audit report.

We want to demonstrate to our customers that we can and should be trusted. We also want to manage our costs and the time of our people. Rather than having each customer individually evaluate our security policies, controls, and practices, we engaged an audit firm to evaluate the suitability of the design of our control system and of our individual controls: a SOC2 evaluation for Lumavate. We plan to have the same audit firm evaluate the operating effectiveness of those controls later in 2020.

Before we dive into specifics about our SOC2 audit, let’s review a few key pieces of information:

  • SOC stands for Service Organization Control. Lumavate is a service organization to our customers.
  • SOC2 indicates that the controls relate to operations and compliance rather than financial controls which would be indicated by SOC1.
  • The American Institute of Certified Public Accountants (AICPA) has developed a set of Trust Services Criteria against which a service organization’s controls are evaluated for suitability and for operating effectiveness. The Trust Services Criteria cover security, availability, processing integrity, confidentiality, and privacy.

Preparing for our SOC2 evaluation, we selected those parts of the Trust Services Criteria that will be most important to our customers. We chose security and confidentiality for the scope of our external evaluation. We then mapped our existing security policies and practices to the Trust Services Criteria for security and confidentiality. We did our own assessment of the suitability of our security policies and practices and identified a few gaps that we needed to fill. We also made sure we are documenting our security practices appropriately, so that our audit firm has documentation to review as they conduct their evaluation. During this process, we identified that our use of Amazon Web Services (AWS) means we rely on AWS for selected controls, and that we also rely on our customers to restrict access to our Platform to their authorized users.

Given this is our first SOC2 evaluation, we reviewed our map of policies and practices to the Trust Services Criteria and our documentation with our audit firm to get their initial readiness assessment. Once we determined readiness, we assembled copies of our policies and practices and our documentation and provided them to the auditors for their use in performing their field work.

Audit field work included review of our policies and practices, interviews with our leaders and team members responsible for executing and overseeing selected control practices, and testing of our documentation. The audit team worked on site at our offices and also at their own offices. Once the auditors completed their evaluation, they prepared their report. The report includes the auditor's report and opinion, the Assertion of Management of Lumavate, Lumavate's description of the Lumavate Platform and its operation, and the description of controls in relation to the Trust Services Criteria.

As with any audit, we have learned some things that will allow us to continuously improve our controls and their operating effectiveness. We can make the SOC2 evaluation report available to executives at customer and prospect organizations. We have taken what we believe to be another important step toward building trust with our customers and providing them with ongoing assurance that their data is secure.