Orchestry is now SOC 2 Type II compliant

The dictionary  understanding of organizational values is:

“A set of core beliefs held by an organization. They act as guiding principles that provide an organization with purpose and direction and set the tone for its interactions with its customers, employees, and other stakeholders.”

For Orchestry, organizational values are not just words that are written on our website or collect dust in our employee handbook, only to be read once and forgotten.

Our values are agreed upon and upheld by each and every staff member, although oftentimes maintaining them means going down a thorny, less traveled, challenging path of most resistance. 

The latest tangible proof of our commitment to our organizational value of Security is our achievement of SOC 2 Type II compliance –  the most comprehensive certification within the Systems and Organization Controls protocol. 

And an easy feat it wasn’t. Implementation of security measures of every size and shape, across each and every device of each and every team member, months of filling out security documentation, table-top disaster, and security breach practice exercises, penetration tests – you name it, we’ve been through it all.

The difference between SOC1 & SOC2

SOC 1, SOC 2, and SOC 3 certifications all require the service organization to implement controls that regulate their handling of client data. The different SOC levels indicate differences in the scope of the certification and the target audience for the reports.

• SOC 1 reports on the service organization’s controls related to its clients’ financial reporting. SOC 2 builds on SOC 1 by requiring additional controls related to organizational oversight, vendor management, risk management, and regulatory oversight.
• A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.
• SOC 3 reports are a simplified version of SOC 2 reports, requiring less formalized documentation. SOC 3 reporting is appropriate for businesses with fewer regulatory oversight concerns.

The SOC 2 standard is intended for more advanced information technology services providers, such as managed IT service providers (MSPs), cloud computing vendors, data centers, and software-as-a-service (SaaS) companies.

The SOC 2 framework is composed of five key sections, which make up a set of criteria referred to as the Trust Services Principles. These sections cover various aspects of the service provider’s system, including:

• Security of the system
• Processing integrity of the system
• Availability of the system
• Privacy of personal information collected and used by the provider
• Confidentiality of the information processed or maintained by the provider for user entities.

SOC2 Type I vs. Type II

SOC 2 reports are available in two different forms.

• Type I reports cover the policies and procedures that were implemented at a specific point in time.
• Type II reports cover policies and procedures over a specified period, which typically involves a more comprehensive evaluation of the system. To obtain a Type II report, the system must be evaluated for at least six months.

SOC 2 Type II reports are the most thorough certifications under the Systems and Organization Controls framework. If your business is considering onboarding an IT service provider or SaaS platform, you should be looking for the SOC2 Type II certification to know with confidence that that vendor has taken EVERY precaution when it comes to the management and handling of your organizational data.

This is why Orchestry is so proud of this certification – obtaining the SOC 2 Type II certification is evidence that we have implemented a system that is intended to maintain the security of our client’s sensitive data.

Secure Personnel

Orchestry takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.

• All Orchestry contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
• Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
• We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

Secure Development

• All development projects at Orchestry, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
• All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into the proposed development.
• All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training. Software development is conducted in line with OWASP’s Top 10 recommendations for web application security.

Secure Testing

Orchestry deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.

• All new systems and services are scanned prior to being deployed to production.
• We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
• We perform static and dynamic software application security testing of all code, including open-source libraries, as part of our software development process.

Want more insights like this?

For more Microsoft 365, SharePoint Online, and Teams insights, tips and tricks, best practices, and exclusive events delivered straight to your inbox, join our mailing list today and level up your Microsoft 365 game!