As organizations increasingly move their business communications from on-premises environments to the cloud, they are realizing a host of benefits, including unparalleled scalability, flexibility, and cost-efficiency. However, this transition also brings new challenges, especially when it comes to security. To ensure that data is effectively protected in the cloud, security controls such as the Service Organization Control (SOC 2) Type 2 report serve as an important mark of quality.
While most on-premises security efforts focus on protecting servers from physical harm, in the cloud, proper configuration is critical to protecting an organization. As Gartner’s Cloud Security Posture Management report states, “nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and errors.” However, 43% of organizations struggle with a cybersecurity talent gap and don’t have the internal resources to adequately manage their systems themselves. Software as a Service providers offer to fill this gap by providing robust and managed IT systems.
But with so many vendors on the market, it is important to carefully evaluate software vendors to make sure that they are keeping your business data safe and secure. To ease the evaluation process, third-party audits are a quick way to ensure that secure and effective security protocols are in place. The gold standard to look for is a SOC2 Type II attestation, which demonstrates an organization’s commitment to the highest security standards.
SOC2 is an assurance report by the American Institute of Certified Public Accountants (AICPA). It is a structured audit of an organizations internal controls relating to operations and compliance. Controls are tested against one or more of these main categories: security, availability, processing integrity, confidentiality, and privacy. To achieve a SOC2 attestation, an organization must be audited by a third-party certified public auditor. There are two types of SOC 2 reports: Type 1 and Type 2.
A common misconception is that SOC2 is a certification. However, there is no pass or fail element to the SOC2 attestation. Instead the organization undergoing auditing will receive a SOC2 auditor report. Every report is a summarization of the control design, effectiveness and its use in operations. As technology rapidly advances, audits are conducted on a rolling bases and organizations continue to undergo routine testing.
The resulting report is a highly insightful and confidential document. While there is no “certification”, reports use clear language to help interpret the results. Auditors provide their opinion and will give an unqualified opinion to organizations with thorough controls.
Unqualified Opinion: Depending on whether a Type 1 or Type 2 report was prepared, this opinion means that the controls were designed and operating effectively to achieve the stated control objectives.
Qualified Opinion: The auditor cannot issue an unqualified opinion because one or more control objectives (SOC 1) or trust services criteria (SOC 2) have not been effectively addressed.
Adverse Opinion: Test exceptions are severe and controls are generally not designed and/or operating effectively.
Disclaimer Opinion: The auditor cannot express an official opinion because the auditor was unable to obtain sufficient evidence to express an opinion.
Luware is committed to ensuring that the highest security protocols are in place to protect customer data. Therefore, Luware has designed, implemented, and maintains controls to reduce the risks associated with the security of Luware Nimbus and Luware Recording.
Luware has completed its first formal audit for the period of February 1, 2023 – April 30, 2023 and obtained the SOC2 Type II attestation in September 2023 on the principles of Security, receiving an unqualified opinion. To ensure continuous risk mitigation, Luware will continue to engage an independent service auditor to issue the SOC2 Type II attestation report on the principles of Security.