We’re proud to announce that Lewan has completed a third party audit attesting to our achievement of the data security requirements of the Service Organization Controls (SOC 2) Type II and HIPAA Security and Breach Notification Requirements.
This is a notable achievement that few providers possess; as a result, many clients don’t know to look for these certifications when vetting a new managed services or managed security company.
What to Look for Before Choosing a Provider
First, there are two types of SOC 2 audits I want to distinguish between: Type I and Type II reports.
Type I indicates that the policies of an organization were reviewed and meet the critical controls needed to pass the audit. Type II adds a review of the operating effectiveness of those critical controls. In other words, a Type II shows not only that the appropriate policies are in place, but that the organization actually does what its policies say by operating the intended controls effectively.
At minimum, you want to work with a provider that has passed the Type I audit, but Type II is the true measure of a trusted managed services or managed security provider.
Requirements of a Provider Taking the SOC 2 Type II Examination
A Type II attestation consists of a thorough examination of an organization’s internal practices and controls (policies) over a 6-month period. This examination period can be longer, but 6 months to a year is the time frame normally chosen. The audit is performed by a certified third party that follows stringent requirements set forth by the American Institute of CPAs (AICPA).
When trusting a managed service provider with sensitive and confidential information such as passwords, documents, secure images, etc., you want them to have obtained a high-level attestation like the SOC 2 Type II to show they have the architecture, policies, procedures and guidelines in place to support your needs in a secure manner.
SOC 2 Type II Focus Areas
To achieve a SOC 2 Type II attestation from a certified AICPA auditor the following areas of a managed service provider’s policies and practices are reviewed, audited and attested to:
- Infrastructure: The physical and hardware components of a system.
- Software: The programs and operating software of a system.
- People: The personnel involved in the operation and use of a system.
- Procedures: The automated and manual procedures involved in the operation of a system.
- Data: The information used and supported by a system.
- Training: The continuous training of personnel to achieve the above while keeping information secure.
In addition to the SOC 2 report type, if you are in the healthcare industry there is a HIPAA component that you will also want your provider to possess. HIPAA is designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
The HIPAA Compliance Examination Covers the HIPAA Security and HIPAA Breach Notification Rules
- Security: Critical controls are in place to defend against unauthorized access (physical and digital/electronic).
- Availability: Appropriate SLAs are in place for system operation and use to support the activities of the managed services organization and its contracts with clients.
- Processing Integrity: Systems are architected, and policies are in place to ensure functions processed are complete, accurate, timely and authorized.
- Confidentiality: Systems and policy are in place to ensure that information deemed confidential is protected as such.
- Privacy: Any personal information (identity or health) that is collected by the provider or its clients is handled in accordance with AICPA privacy principles as well as HIPAA requirements.
So how does Lewan stack up?
Lewan has achieved a SOC 2 Type II and HIPAA attestation from Linford & Company LLP. We want to assure our clients up front that we are providing them with the highest standard of security for their data and systems, and save them the investment of vetting us at their own cost.
We provide a 24x7 SOC that clients can leverage in addition to our managed services Network Operations Center (NOC). These services can be used separately or together based on your needs.