SOC 2 Type 2 Report Issued June 30, 2020
In keeping with our history of innovation and commitment to security, we are pleased to announce that NowSecure has achieved a significant milestone in completing a SOC 2 security audit. The report attests that NowSecure has controls which are suitably designed and effectively operated to meet our commitment to customer security. NowSecure is the first mobile app security vendor to achieve SOC 2 compliance.
As defined by the American Institute of Certified Public Accountants (AICPA), System and Organization Controls (SOC) 2 reports “are designed to help service organizations build trust and confidence in the service performed and controls related to the services through a report by an independent CPA.” NowSecure completed a SOC 2 Type 2 audit for the Security Criteria, which reviews the operating effectiveness of the controls that address those criteria.
The NowSecure mission is to save the world from unsafe mobile apps and we are trusted by many of the most mature and security-conscious organizations in the world. We implement internal security policies and procedures to safeguard customer data and protect the NowSecure Platform from threats to confidentiality, integrity and availability. Please read on for more details about our information security program and the SOC 2 Type 2 report.
Why SOC 2 (Type 2) for Security?
The SOC program is governed by the AICPA, the national organization governing auditors with the CPA credential. The program provides standards for meeting specific Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality or Privacy) and the procedures for auditors to review and report on the effectiveness of an organization’s controls in meeting these criteria. SOC 2 is a widely recognized standard for service providers to provide assurance to their customers based on an independent third-party audit.
For our initial SOC 2 engagement, NowSecure focused on the Security Criteria, which are required for all SOC 2 audits. While a Type 1 audit reports only on the suitability of the design of the controls to achieve the related control objectives, a Type 2 audit goes further and reviews the operating effectiveness of the controls throughout a specified period (in our case, Feb. 1, 2020 through April 30, 2020). A SOC 2 Type 2 audit therefore requires a more robust review of the day-to-day operation of our security program, providing greater assurance to our customers and stakeholders. NowSecure completed the review with no exceptions.
NowSecure System Description
The SOC 2 report contains a detailed system description regarding the subject of the audit, NowSecure, including the purpose, architecture, people, and security controls. The security controls must meet the criteria established by the AICPA in design and operation. The important NowSecure controls described in the report include the following:
- Control Environment: NowSecure values and ethics are guided by documented standards and a code of conduct, with strong oversight by an independent Board of Directors. A highly engaged management team leads the organization with clear lines of responsibility and structured planning and monitoring of execution. Management implements background screening of personnel, onboarding and annual refresher security training, regular performance reviews, and a disciplinary process for violations of policies.
- Communication and Information: NowSecure maintains documented policies and procedures which are reviewed and updated regularly and communicated to personnel, and which require reporting of any observed security incidents or violations of policy (with “whistleblower” protection). Customers are informed of security information and changes via status and customer support portals, email communications and portal alerts.
- Risk Assessment and Mitigation: NowSecure implements a risk management program aligned to ISO 27001 policy and NIST procedures for risk assessment. An organizational-level risk assessment is performed annually, considering both adversarial and non-adversarial threat sources. Risk owners identify mitigation plans for significant risks, and the company maintains a risk register for ongoing monitoring.
- Monitoring: NowSecure monitors the security of the Platform and supporting systems, the company's security controls, security risk related to key suppliers, and security information reported in our industry and the broader market, including emerging threats, vulnerabilities, standards of practice, and innovations. The security posture of the Platform and company networks is monitored via host-based intrusion detection and file integrity monitoring (HIDS/FIM), office IDS systems, regular vulnerability scanning, and regular red team web penetration testing. We also monitor the efficacy of the security program itself.
- Control Activities: Our Master IS Policy specifies the control requirements based on ISO 27002, and our controls cover areas including: Personnel Security, Asset Management, User Access Control, Cryptography, Physical Access, Network Security, Product and Development Security, Supplier Security, Incident Management, and Compliance. We follow a documented software development lifecycle with change controls, and require non-disclosure agreements from all personnel.
Once again, we are excited to announce that NowSecure is the first and only mobile application security testing vendor to achieve this critical SOC 2 Type 2 compliance. Contact us to learn more about NowSecure solutions and our security practices.