Daly City, CA – Tuesday, May 10, 2023 – AKTEK Inc. announces today that it has achieved SOC2 Type II compliance in accordance with the American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations, also known as SSAE 18.
AKTEK Inc. was audited by Prescient Assurance, a leader in security and compliance attestation for B2B SAAS companies worldwide.
Prescient Assurance is a registered public accounting firm in the US and Canada. It provides risk management and assurance services, including SOC2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, and CSA STAR.
Trust has been a foundational part of AKTEK's mission since the inception of its flagship product AKTEK iO.
Last year, we started a program in pursuit of System and Organizational Compliance (SOC), resulting in an attestation to communicate this trust to our clients and partners.
What is a SOC2 Type II Compliance Certification?
A SOC2 Type II is a report on the controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC2 reports are intended to meet the needs of a broad range of users who need detailed information and assurance about those controls: the security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by these systems.
What does SOC2 Type II mean for our Clients?
SOC2 Type II compliance is becoming increasingly important for clients in various industries, especially those relying on cloud-based software and services.
By complying with SOC2 Type II, we give our clients assurance that we are taking the necessary steps to safeguard their sensitive data through a robust security program.
The Road to Compliance
The controls required by the trust service criteria set forth by the AICPA for SOC2 are not foreign to AKTEK's day-to-day operations. We implement most of these controls by design, particularly in product security areas.
What needed to be done then was to organize and collect evidence of the measures in place. For example, AKTEK maintained an active risk register before the start of our compliance journey.
Hence, that requirement did not show up as a gap in our gap analysis, and we satisfied the control by migrating that data to our compliance automation platform for the auditors to inspect.
Additionally, securing endpoint devices in a remote work environment is challenging. Careful security measures must be implemented to prevent transforming an employee's laptop into a potential gateway for attackers.
Furthermore, the workstations the employees and contractors work with are usually mobile, giving rise to the possibility that any place comfortable enough for work, private or public, can constitute a temporary office space.
Here at AKTEK, we drafted a set of measures that can address the above concerns and collected relevant evidence to submit to our auditors, either manually or through our mobile device management (MDM) dashboard.
These measures include:
1. Outlining requirements for security and including them in our policies: Policies such as our remote work policy have been updated to reflect the recommended security requirements for remote workstations.
The policy is then communicated to the employees and contractors for acknowledgment and signature. All staff members are required to disclose their working location initially and whenever they change it, along with the reason for the change. Furthermore, they should not expect privacy on machines or accounts used to access the company's resources.
2. A mobile device management (MDM) solution is used, and an agent is installed on each remote device to check that the user's environment is implementing security requirements, such as disk encryption.
3. The principle of least privilege is in effect for all access granted to AKTEK's resources, and a register of who has access to which resource is maintained and reviewed monthly. This will reduce the probability of encountering lateral movement attempts, privilege escalation, or data exfiltration.
4. AKTEK offers its employees a set of alternatives to fulfill each security requirement. Any inconveniences or shortcomings of one particular solution are communicated to AKTEK's security engineer, who is responsible for finding an alternative solution compatible with the user's environment and compliant with security standards and audit procedures.
5. Non-intrusive monitoring of user devices was critical in enforcing AKTEK's information security policies.
This approach avoids hindering staff productivity: users receive periodic check-ins with a single batch of questions rather than continuous interrogation and evidence requests.
The agents installed on each device report their findings to a dashboard supervised by AKTEK's security engineer.
6. Employees are encouraged to pause their work-related activities and take a break should their primary work location be affected by environmental circumstances.
While one can move to a public cafe for internet access if the internet goes down at the primary work location, one is generally advised against conducting work activities, particularly meetings and gatherings, in public places.
Rogue access points, insecure Wi-Fi networks, and shoulder surfing are some of the threats that arise in public spaces. An employee or contractor can take a break and compensate later until any issues are resolved.
For severe circumstances, one can move to a secondary work location and communicate the change through a dedicated channel with the team.
AKTEK's Policies and Procedures
SOC2 Type II focuses on a company's policies and verifies that controls are in place to address the commitments made in those policies.
These policies act as the source of truth for information security, human resource management, and risk management, to name a few.
Here at AKTEK, we have created our own policy management platform to draft and review policies and to keep track of their changes and history.
AKTEK's policies focus on implementing realistic measures rather than providing literature on what should be done.
Each policy has an owner who is responsible for its content, tracks its enforcement, and conducts annual reviews with the stakeholders.
Key Takeaways
Although technical implementations, evidence collection, and policy reviews take up most of the time in a SOC2 certification, communication remains the most critical factor.
Team members from all departments, particularly those who work in engineering and have little to no time to do "paperwork," should be on board with the journey and have visibility of the process to ensure buy-in and proactive collaboration.
The trust and implementation team should avoid distributing tasks arbitrarily and try their best to organize the evidence collection.
Random meetings and unnecessary emails can hinder the team's productivity and rarely contribute to the mission.
That being said, AKTEK's implementation team focused on weekly briefings, compact and straight to the point, and delivered requirements through the established team hierarchy.
Here at AKTEK, we perform internal audits on standards that we find capable of improving our system and fostering trust with our clients, as that is the foundation of any good partnership.
The outcome of this journey, aside from the certification itself, is a renewed company-wide commitment to security, organization, and compliance.