Compliance Does Not Equal Security

April 30, 2016

In a world where Software as a Service (SaaS) is becoming just one of many “technology as a service” offerings, businesses are seeking assurance that their data will be available and, most importantly, secure. That’s why LifeStatus360 chooses to go above and beyond compliance to industry norms and works towards security certifications that will actually make a difference for our customers.

Traditionally, our competitors focus on Service Organization Controls (SOC) certifications. First launched in 2011, the SOC family of reports is governed by the American Institute of Certified Public Accountants (AICPA).

SOC reports come in three varieties:

  • SOC 1 is primarily focused on the financial controls of the service organization. For example, a payroll service may have a SOC 1 audit report issued to provide clients an understanding of the company’s financial controls.
  • SOC 2 can cover one or more of what are referred to as Trust Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. Service organizations like SaaS providers may have SOC 2 audits performed on one or more of the Trust Principles in order to provide clients with an independent analysis of controls that support the Principle(s).
  • SOC 3 is essentially an executive summary of the SOC 2 report for the service organization, but does not include an enumeration of the controls and test results.

The key here is that SOC reports are managed and maintained by CPAs. That is great if your concentration is paper, but these certifications don’t necessarily equal security when you’re talking about digital data and software.

At our core, Life Status 360 is a technology company. We are housed in a very secure Class A building, behind biometrically controlled locks, on a closed and monitored network. As a tech company we choose to concentrate on ensuring that network security, cyber security, application security and web security are hardened, in place and secure. First and foremost we provide our clients with great SaaS tech solutions. For us, technology was not an afterthought.

Our philosophy is in line with Roberto Sandoval – the Global Service Delivery Manager of Security Intelligence & Operations at Hewlett-Packard – who stated in his State of Security Operations 2014 report, “Compliance is a side effect of a highly capable threat detection function; effective detection does not result from compliance alone.”

Life Status goes deeper than mere compliance: we look at vulnerability threat assessments (VTA) in the areas of data center security, network security, service security and application security, monitoring and disaster recovery. We look to professionals in the industry who are experienced, educated and certified in the fields of computer science, information technology, security, penetration testing, cyber security and network security audits. Others in our industry choose compliance, concentrating on paperwork audited by CPAs. How secure is that really?

Our competitors started as brick and mortar companies with paper, pencils and CPA certifications and then stumbled into tech. LifeStatus360 started as a technology company and we will continue to evolve from there. We are data engineers at our core and will do whatever it takes to keep that data, and our clients, secure.
