RTO is proud to announce that, as of October 1, 2024, we were officially SOC 2 certified! This is an incredibly important step in RTO’s evolution as a trusted source for online training. But what does it all mean? Here is what you need to know about SOC 2 certification.
What is SOC 2 Certification?
SOC 2 stands for Security Organization Control 2. It provides a standard for how companies manage, process and store customer data. This standardized approach is based around five service trust categories: security, availability, processing integrity, confidentiality, and privacy. SOC 2 primarily focuses on security, but the other categories are still quite important to a company’s protection plan.
Being SOC 2 certified means you are compliant with certain expectations and requirements when it comes to data protection and security. The exact measures a company takes are unique to their needs; there is no exact checklist that needs to be followed, and SOC 2 is reviewed on a case-by-case basis. However, protective measures that many companies undertake include:
- Instituting and enforcing multi-factor authentication
- Strengthening firewalls
- Deploying intrusion detection systems
- Ensuring confidential data is encrypted
- Monitoring data and scanning infrastructure for irregularities
- Establishing data removal processes so that only necessary data is retained
This list is not exhaustive and, again, some of these remedies may be more relevant to certain companies than others. These are just some examples of the steps a company needs to take to ensure they are SOC 2 compliant.
What Kind of Data Is Protected if a Company Is SOC 2 Certified?
SOC 2 covers customer and client data: names, addresses, phone numbers, Social Security numbers, and similar records. The range of these items depends on the company (a company might not need a Social Security number, for example), but whatever data the company collects, SOC 2 shows it is taking steps to protect it.
How Does a Company Become SOC 2 Certified?
An independent, sanctioned auditor will review the measures a company has in place, critiquing the security measures for their efficacy and determining if there are any blind spots or vulnerabilities.
The auditor will compile a report which will then provide the opinion (the final grade, so to speak). This verdict can be one of four opinions, with only one that is considered a ‘passing grade’. If you receive that top mark, you are officially considered SOC 2 certified! Anything less than that and it’s back to the drawing board.
The report the auditor completes for the company does not expire, but it is generally considered good practice to renew your SOC 2 compliance annually.
What Else Is There To Know About SOC 2 Certification?
This is a good general overview of what one should know about SOC 2 certification. However, there is more to discuss when it comes to how specific businesses maintain compliance and the effects of having the certification.
In Part Two of this post, we’ll dive into those specifics as they pertain to RTO. We’ll explain how and why RTO became SOC 2 certified and how this will affect our company going forward!