SOC it To Me

Fact of life: data, and the processing and transactional functionality that makes use of it, have to reside in a secure environment. Given the number of data breaches that have occurred this year alone, that's self-evident. So, when the organizations with which you work are reported to be compliant with SOC and other data-security requirements, that compliance is not to be taken lightly. Here's why:

Who’s Watching?

Compliance indicates that the processes and practices within the organization are subject to the required levels of oversight: monitoring is in place for unusual activity, configuration changes are authorized before they're made, and access is granted only to approved users. Normal activity is baselined so that deviations from it are readily apparent and can be evaluated as potential threats.

Compliance also indicates that adequate alerting and audit procedures are in place to:

  1. Ensure awareness of aberrant activity and initiate a corrective response.
  2. Identify the root causes of aberrant activity to ensure appropriate remediation.
  3. Trace aberrant activity forensically to determine its source, its path through the system, the parts of the system affected, the nature of the effect, and where it might go or what it might affect next.

But Who’s Accounting?

Compliance with SOC and other data-security requirements also means personnel within compliant organizations are accountable to their customers and to each other for upholding the terms of compliance. From preventing breaches to identifying potential weaknesses, from shoring up those weaknesses to remediating them if it's required, the appropriate people in audited organizations are on notice and on the hook. They should also be responsible for conducting regular assessments of patch management, vulnerability management, and overall system-security management, and for reporting the results of those assessments to all of their data- and system-security peers in the organization.

If you're not sure whether the organizations with which you work are compliant with data-security requirements, here are a few things you should do:

  • Ask if the organization has any data-security policies or procedures in place.
  • If so, ask what they are, and ask to see the audit evidence behind them. For a SOC report, that means asking which type it is (a SOC 2 Type II covers how the controls operated over a period, not just how they were designed at a point in time), which systems and services were in scope, and when the audit period ended.
  • If not, worry … a lot … and find a new home for your data.

Some things are worth worrying about more than others. The security of your data is one of them.

Getting to Know You

Before people fully realize we're an insurance-focused, software-development shop, they often think we're Rodgers and Hammerstein fans. For a while, we weren't sure why that was. Then it hit us.

One day, we were on a conference call with a prospect. The discussion went something like this:

Prospect: What's the most important thing to you?
Us: Getting to know you.
Prospect: I love that show!
Us: Huh?
Prospect: Never mind.

After the call, we looked up “Getting to Know You” and found out what all the confusion was about. Now we can’t get that darn tune out of our heads.

The Big Picture

Kidding aside, maybe we're nosy or something, but we like to know our prospects' businesses before we formalize relationships. To us, that seems more sensible and more productive than signing contracts and then trying to figure out what needs to be done.

So, over and above all the other activity it takes to be identified as their preferred vendor, we typically go to our prospects’ locations and spend three days with them. It gives us the chance to get acquainted with them. It lets us get to know their environments. It helps us to understand their cultures and the ways in which their people interact. It’s a more effective way to familiarize ourselves with their processes and to more completely identify their preferences and define their requirements. And we wouldn’t want this to get out, but it’s also fun.

A Word About Trust

The other reason getting to know you (not the song) is so important to us is that it gives us the opportunity to establish mutual trust. Like honesty and integrity, trust is something that can't be established through talk or writing. At least initially, it has to be earned, ideally face to face. Then it has to be demonstrated: early, often, and with absolute consistency.

So, yeah. Getting to know you is important. And while we might not be as musical as Rodgers and Hammerstein, we'll stick to this tune as long as it works for us … and for our customers.

And based on our customers’ feedback, we do seem to be hitting all the right notes.