Service Organization Control (SOC)
Service Organization Controls (SOC) reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs:
SOC 1 Reports:
To give the auditor of a user entity’s financial statements information about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. A Type 2 SOC 1 report includes a detailed description of tests of controls performed by the CPA and results of the tests.
SOC 2 Reports:
To give management of a service organization, user entities and others a report about controls at a service organization relevant to the security, availability or processing integrity of the service organization’s system, or the confidentiality and privacy of the data processed by that system. A Type 2 SOC 2 report includes a detailed description of tests of controls performed by the CPA and results of the tests.
SOC 3 Reports:
To give users and interested parties a report about controls at the service organization related to security, availability, processing integrity, confidentiality or privacy. SOC 3 reports are short-form reports (i.e., no description of tests of controls and results) and may be used in a service organization’s marketing efforts.
Payment Card Industry (PCI)
The Payment Card Industry (PCI) Data Security Standard exists to support secure practices in credit card processing. The objective of the PCI program is to encourage companies to maintain a high level of security to protect cardholder information regardless of where it resides. The foundation of PCI was built from Visa’s Cardholder Information Security Program (CISP). The standard provides the requirements that all entities storing, processing or transmitting cardholder data must abide by.
The following are compliance requirements:
- Create and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Execute strong access control measures
- Monitor and test networks frequently
- Sustain an information security policy
It is mandatory for companies to comply and, further, to conduct business only with other PCI-compliant members. Credit card companies can impose hefty fines reaching $500,000 per incident, and your credit card processing services could be terminated. PCI compliance provisions should be included in third-party contracts as well.
Prism Privacy+ Certification
Privacy+ is an international certification program open to all companies providing outsourced storage and protection of hard-copy records and off-line removable computer media. Participation in Privacy+ is voluntary and allows companies to publicly demonstrate their commitment to protecting the privacy of information entrusted to them by their clients. Privacy+ certification is owned and administered by PRISM International (Professional Records & Information Services Management), also referred to herein as the “Association,” the not-for-profit trade association for the commercial information management industry. Privacy+ certification is applicable only to participating companies’ physical storage and handling of hard-copy records and off-line removable computer media. Without limitation, Privacy+ is not applicable to related services such as document imaging, shredding services, or any form of cloud storage.
The purposes of the Privacy+ program are to:
• Provide participants a vehicle to publicly demonstrate their commitment to ensuring the privacy of information in their custody
• Share resources and best practices to help participants reduce risks in their businesses
• Reduce the number of privacy breach incidents caused by members of our industry, thereby:
  • Preserving the reputation and trusted status of our industry
  • Reducing the likelihood and severity of government-imposed legislation on our industry
National Association for Information Destruction (NAID)
NAID is an international trade association for the information destruction industry. NAID offers a voluntary certification program conducted by Pinkerton, Inc. The criteria involve both annual and unannounced onsite audits of building and transportation security, destruction processes, and employee background checks, plus insurance and bonding requirements. Business Data Record Services carries the highest AAA rating.
The NAID Certification Program establishes standards for employee hiring and screening, operations, the destruction process and insurance, as well as other business factors, for Business Data Record Services.
Business Data Record Services provides excellent customer service. Their team is always on time and provides solutions to any questions we might have.