The Role of the SOC 2 Standard for a Development Company

Cybercrime will cost companies around the world 10,500 billon dollars per year by 2025, compared to 3000 billion dollars in 2015, according to experts’ previsions. When facing the increase of cybercrime threats, it is imperative for development companies to proactively improve internal protocols to ensure the privacy and the security of client projects.

In addition to our already established security committee, we are proud to be a company conformed to the SOC 2 standard (System and Organization Controls), which was created by the American Institute of Certified Public Accountants (AICPA) to ensure the cybersecurity of our company and our projects.

Francis Venne, Information security officer at nventive, concretely explains the role of the SOC 2 in our organization.

SOC 2 is a conformity standard that company can acquire to establish organizational practices and controls to efficiently protect the privacy and the security of its organization and client data.

It consists of a set of policies, procedures, and controls audited by audit chartered professional accountants.

To better understand, here is the definition of these terms:

• Controls: risk-mitigating systems or policies.
• Policies: written document that describes what to do or not to do.
• Procedures: document listing the steps to follow in a given situation.

The SOC 2 standard comprises of five criteria that make up the ‘‘Trust Services Criteria’’:

• Security: protect data and systems against unauthorized accesses.
• Confidentiality: limit the access to data and data disclosure to a specific group of people.
• Integrity: ensure a system or data has not been modified or destroyed in an unauthorized manner.
• Availability: guarantee system accessibility as stated in a contract that includes security criteria.
• Private life: protect all personally identifiable information.

To ensure conformity to the SOC 2, auditors evaluate the efficiency of the controls performed throughout the year.

Our Confidentiality and Security team includes Francis Venne, Head of Computer Security, our experts from the IT team, and our management. It is a solid multidisciplinary team that ensures each SOC 2 processes are implemented daily.

The security of our clients’ data is our priority. To that end, several controls are performed during mobile and web development. For all of our projects, we conduct a thorough risk analysis, we establish a recovery plan in case of violation and, lastly, we foster a security culture by using the Agile DevSecOps (development, security, operations) method.

Conforming to the SOC 2 standard gave us the opportunity to strengthen and to optimize our cybersecurity practices in accordance with the DevSecOps method.

With an agile and iterative methodology as foundation, our experts proactively identify risks and apply corrective processes to guarantee a secure environment for our clients.

We perform a control at each step of the software development phase in our projects:

• Plan: plan tasks and establish threat models.
• Code: develop code using reliable practices and a code-review system.
• Build: compile source code in binary to ensure it is functional and test code quality before deffusion.
• Test: perform integration and quality assurance (QA) tests.
• Release: secure the execution environment’s infrastructure.
• Deploy: solve security issues that arise only directly in the production system after the production phase.
• Operate: deploy infrastucture tools as code to update and secure the whole infrastructure.
• Monitoring: continuously track security irregularities.

Attackers constantly evolve and so software development teams must also evolve. That’s why our Confidentiality and Security team has also the goal of permanently improving our cybersecurity culture. The team offers support and training, while also sharing information and new practices with the teams to offer a secure service to our clients. This translates into monthly cybersecurity trainings and Lunch & Learn sessions about precise subjects in the field of cybersecurity.

‘‘People get more motivated to be prudent when they understand the impact they have on the company’s cybersecurity. It’s also more gratifying to teach things to teams than to tell them what they should have done afterwards.’’ says Francis.