The RIB Cloud Promise: Continually Optimizing Security Management Processes and Controls
As the world becomes increasingly digital, and more companies lean on Microsoft and the cloud to support their businesses as they digitally transform, what is holding Microsoft partners accountable to deliver what they say they will? For any partner worth their name, that means preparing and being put under audit.
A SOC 1 audit is an evaluation of the internal controls which a service organization, such as RIB Cloud, has implemented to protect client data. Upon successful completion, a report is produced covering the company's internal management processes. This demonstrates, for example, that the proper security measures, availability safeguards and data protections are in place.
“We complete these audits every year to show we are 100% committed to service availability, security, and data protection for our customers.” -Berend-Jan van Maanen, CEO, SaaSplaza
For any company functioning as a managed services provider, security should be the top priority. Creating a secure service for our customers and our employees involves a lot of distinct areas that are covered in the audit. This particular audit covers nine essential controls which prove we hold our organization to high standards as a promise to our customers.
In order to make sure we are functioning as well as can be, we not only identify control objectives that must be met, but also the methods of how to achieve them and means to fix points that aren’t reaching our standards. After all, performing an audit without the means or plans to address any improvements that come out of it is virtually meaningless.
So, what do we consider the most important points to nail in our business practices? Here are our top 9 Control Objectives:
1. Security Management
This control objective provides reasonable assurance that relevant risks to confidentiality, integrity and availability of provided IT services are addressed and responsibilities of the security organization are clearly defined. This includes measures such as having a security council, annual security awareness seminars, and annual risk assessments.
2. Human Resource Management
This control objective provides reasonable assurance that employees are adequately trained, are aware of their responsibilities and behave in line with company policies.
3. Physical Security
This control objective provides reasonable assurance that physical access to data is restricted only to authorized persons.
4. Logical Security
This control objective provides reasonable assurance that logical access to data is restricted only to authorized persons, which is determined by our internal authorization matrix. In addition to making sure there is anti-virus software installed on all workstations, we ensure our network infrastructure is unreachable by outside sources.
5. Availability Management
This objective provides reasonable assurance that the configuration of the infrastructure is based on guidelines defined in our security policy to protect the confidentiality, integrity and availability of data. We tackle this objective with firewall management, vendor-supplied security patches when necessary, company-wide anti-virus software, Intrusion Detection Systems, and secure disposal of all company media and materials.
6. Supplier Management
This control objective provides reasonable assurance that any suppliers used for IT service delivery adhere to internal controls, risk management and security practices.
7. Incident Management
This control objective provides reasonable assurance that incidents that impact the availability of provided IT services are detected and solved in a timely and controlled manner.
8. Change Management
This objective provides reasonable assurance that changes to provided IT services are authorized and implemented in a controlled manner. This way, we always ensure that every piece of the puzzle fits together as it should.
9. Service Continuity
This objective provides reasonable assurance that, in case of a calamity caused by damage to or interference with facilities, equipment or software, the provided IT services are recoverable within the agreed time frame.
While some of these Control Objectives may not stand out on their own, together they make possible what we are working to achieve: delivering a high standard of managed cloud services for our customers. Running the annual audit against these points is the most essential way of making sure that we are doing what we say we can. We make our audit reports available to partners and customers upon request, but we also use the findings to gain useful and relevant observations about our business practices, and as another way to show that, if you're working with RIB Cloud, you're in good hands.