Orchestry Announces Achievement of SOC 2 Type II Compliance

Written by Valerie Sergienko | Mar 27, 2023 7:00:00 AM

At one point or another in the journey of every organization, there comes a time to define organizational values.

The dictionary understanding of organizational values is:

“A set of core beliefs held by an organization. They act as guiding principles that provide an organization with purpose and direction and set the tone for its interactions with its customers, employees, and other stakeholders.”

 

For Orchestry, organizational values are not just words that are written on our website or collect dust in our employee handbook, only to be read once and forgotten.

 

Our values are agreed upon and upheld by each and every staff member, although oftentimes maintaining them means going down a thorny, less traveled, challenging path of most resistance. 

 

The latest tangible proof of our commitment to our organizational value of Security is our achievement of SOC 2 Type II compliance – the most comprehensive certification within the Systems and Organization Controls protocol.

And an easy feat it wasn’t. Implementation of security measures of every size and shape, across each and every device of each and every team member, months of filling out security documentation, table-top disaster and security breach practice exercises, penetration tests – you name it, we’ve been through it all.

 

Why go through the trouble?

Apart from us living and breathing our organizational values, the trust, confidence, and peace of mind of our customers and partners is the reason why we went after the coveted SOC2 Type II certification.

Industry experts estimate that about 60% of all data breaches happen via third-party vendors, including email & cloud service providers.
According to IBM, on average, it takes companies 280 days to detect a third-party data breach. This often happens because third-party vendors tend to hide the fact that a data breach has occurred, as many of them lack the security controls and protocols aimed at protecting their customers’ data.

With the average cost of a data breach expected to reach $5M in 2023, we weren’t prepared to take chances with our customers’ and partners’ data.

 

We’ve held the SOC2 Type I certification for some time, but didn’t want to stop at that, and continued to pursue the Type II accreditation.

Let’s dig in to understand what these accreditations stand for, and the difference between Types I & II.

 

What is SOC2 accreditation?

SOC is a set of standards designed to evaluate the effectiveness of a service organization’s controls and processes in managing its information. It stands for “system and organization controls.”

The SOC standards help to provide assurance and peace of mind to organizations when they engage third-party vendors, by offering a systematic approach to assessing and reporting on the controls in place at the service organization. This helps organizations to make informed decisions about the risks associated with engaging the service provider and to ensure that the provider is following established best practices.

 

An organization that has received SOC certification has undergone an examination conducted by an independent certified public accountant. This examination has concluded that the organization has implemented the necessary safeguards and procedures as per the SOC standards.

The difference between SOC1 & SOC2

SOC 1, SOC 2, and SOC 3 certifications all require the service organization to implement controls that regulate their handling of client data. The different SOC levels indicate differences in the scope of the certification and the target audience for the reports.

 

  • SOC 1 reports on the service organization’s controls related to its clients’ financial reporting. SOC 2 builds on SOC 1 by requiring additional controls related to organizational oversight, vendor management, risk management, and regulatory oversight.
  • A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.
  • SOC 3 reports are a simplified version of SOC 2 reports, requiring less formalized documentation. SOC 3 reporting is appropriate for businesses with fewer regulatory oversight concerns.

 

The SOC 2 standard is intended for more advanced information technology services providers, such as managed IT service providers (MSPs), cloud computing vendors, data centers, and software-as-a-service (SaaS) companies.

The SOC 2 framework is composed of five key sections, which make up a set of criteria referred to as the Trust Services Principles. These sections cover various aspects of the service provider’s system, including:

 

  • Security of the system
  • Processing integrity of the system
  • Availability of the system
  • Privacy of personal information collected and used by the provider
  • Confidentiality of the information processed or maintained by the provider for user entities.

SOC2 Type I vs. Type II

SOC 2 reports are available in two different forms.

 

  • Type I reports cover the policies and procedures that were implemented at a specific point in time.
  • Type II reports cover policies and procedures over a specified period, which typically involves a more comprehensive evaluation of the system. To obtain a Type II report, the system must be evaluated for at least six months.

 

SOC 2 Type II reports are the most thorough certifications under the Systems and Organization Controls framework. If your business is considering onboarding an IT service provider or SaaS platform, you should be looking for the SOC2 Type II certification to know with confidence that that vendor has taken EVERY precaution when it comes to the management and handling of your organizational data.

 

This is why Orchestry is so proud of this certification – obtaining the SOC 2 Type II certification is evidence that we have implemented a system that is intended to maintain the security of our clients’ sensitive data.

 

Security as Orchestry's Organizational Value

Orchestry’s security & compliance principles guide how we deliver our products and services. 

Secure Personnel

Orchestry takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.

 

  • All Orchestry contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

Secure Development

  • All development projects at Orchestry, including on-premises software products, support services, and our own Digital Identity Cloud offerings, follow secure development lifecycle principles.
  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into the proposed development.
  • All team members who are regularly involved in any system development undergo annual secure development training in the coding or scripting languages they work with, as well as any other relevant training. Software development is conducted in line with OWASP’s Top 10 recommendations for web application security.

Secure Testing

Orchestry deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.

 

  • All new systems and services are scanned prior to being deployed to production.
  • We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
  • We perform static and dynamic software application security testing of all code, including open-source libraries, as part of our software development process.
 

This is only the beginning

Achieving this certification is a massive milestone for us at Orchestry, and you can be sure that we took a minute to breathe out and celebrate it. But this is only the beginning. With Security at the forefront of our organization, and Integrity being a close second, we will continue to uphold the security standard of the highest level each and every day.
