Shifting software development to the cloud may raise concerns about losing direct control over your source code security. However, selecting a source code management platform with SOC 2 Type II certification should put those concerns to rest. Read on to understand the workings of AICPA SOC 2 and its implications for the security of your source code.
System and Organization Controls (SOC) is a family of audits that companies can have performed by external auditors to verify different levels of compliance with security best practices. SOC 1 focuses on internal controls for financial statements and reporting, including how customer information is processed and protected. SOC 2 focuses on internal controls for customer data and how it is handled across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 3 is an official summary of a company’s SOC 2 results, which can be shared with the general public.
Assembla is dedicated to maintaining high levels of compliance and has obtained AICPA SOC 2 Type 2 Certification across all areas of our source code management platform. SOC 2 Type 2 rigorously evaluates an organization’s internal controls over a specified testing period.
There are two types of SOC 2 compliance. SOC 2 Type 1 is a point-in-time audit that describes internal controls and processes and states whether the system design is effective. SOC 2 Type 2 is an audit conducted over an extended period of time (usually 3-12 months) that assesses both how internal controls and processes are designed and how they operate in practice, in order to state whether the system operation is effective.
SOC 2 compliance breaks down into five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 security covers access controls, change management, systems operation, and mitigating risk. These essential security measures focus on preventing unauthorized access, unauthorized changes, deviations from organizational procedures for operations, and identifying, preventing, and handling risks when they arise.
For financial transactions, processing integrity ensures that the transmissions are encrypted. For data storage and hosting, companies must show how they maintain data integrity across systems.
Confidentiality is about restricting access to data, particularly sensitive data such as PII (personally identifiable information). Companies must document their policies and procedures for how they handle data and restrict access to comply with privacy policies and laws.
Privacy centers around customer data. What data does a company collect, how is it stored, how is it shared, and what do they do with it?
SOC 2 Type 2 audits are conducted by a licensed CPA from the AICPA (American Institute of Certified Public Accountants). The first step in the audit is to determine the scope. Of the five Trust Services Criteria, all companies must complete the Security portion for a SOC 2 audit. The remaining criteria – availability, processing integrity, confidentiality, and privacy – are only evaluated if they apply to the processes and data of the organization.
Once the scope is defined, the CPA does a gap analysis of the security practices and controls. If gaps are discovered, the CPA provides a remediation plan and works with companies to implement it. The CPA then examines the design and operating effectiveness of the Trust Services Criteria over a period of months. This examination includes talking with company management, reviewing documents, and running tests. Once the necessary period of time for full observation and evaluation has passed, the CPA writes up their findings in a report.
The SOC 2 Type 2 report includes a management assertion section, where company management outlines the protocols and controls related to the Trust Services Criteria. The CPA auditor compares these descriptions against how the systems actually perform in each of the five Trust Services Criteria areas and provides an attestation that the descriptions are accurate and that the controls, as designed, operated effectively over the period covered by the audit.
The report also includes a detailed overview of the organization’s services and systems, which should include people, processes, data, software, and infrastructure. Finally, the CPA documents all the tests they conducted during their audit and the results.
When customers move their source code to a cloud-hosted solution, they gain the flexibility and scalability the cloud offers without the administration overhead, but they are also giving up direct control of the security and management of their source code. It is important for customers to know the new system is secure and held to the same high standard they had on-prem. With our SOC 2 Type 2 compliance, your team can rest assured knowing that our systems, processes, procedures, and data function the way we say they do and are secure and reliable across the Trust Services Criteria.
Assembla operates as a subsidiary of Idera, Inc., and the certification and compliance measures of Idera also apply to Assembla. Assembla maintains an equivalent Governance, Risk, and Compliance (GRC) posture, along with corresponding technical and organizational security measures.
An independent SOC 2 audit firm rigorously evaluated Idera’s internal controls over a specified testing period. The evaluation focused on data security, availability, integrity, confidentiality, and privacy of data. The audit concluded with the successful issuance of a SOC 2 Type 2 certification, and Assembla therefore obtained the AICPA SOC 2 Type 2 Certification.
We prioritize the security and reliability of your source code by selecting a source code development platform that protects, audits, and monitors your company’s most valuable assets. For more information, see our Security page.