IWS SOC Audit
IWS recently completed our first SOC 1 Type 2 examination (formerly SAS 70), achieving all 14 company-defined Control Objectives. The Control Objectives and supporting Control Activities were determined by IWS based on an evaluation of current processes, recommendations by the auditing firm, and best practices in the industry.
In the Spring of 2012, IWS engaged a major accounting and consulting firm based on its reputation in the industry. IWS initially worked with the firm to complete a gap analysis prior to the SOC 1 examination period, to determine that the defined Control Objectives and Control Activities were consistent with the needs of IWS' clients and their clients' auditors.
Completion of the SOC 1 Type 2 examination demonstrates IWS' commitment to safeguarding client data through the design, operating effectiveness and efficiency of the controls in place. The scope of the examination included physical security, logical access, client data backup, change management and problem management. Through IWS' SOC 1 examination, the firm tested the defined Control Activities to determine that controls are in place to secure client data.
BriteCore client Doug Fincannon of Alamance Farmers' Mutual Insurance Company shows his appreciation of the investment made by IWS in a statement he provided: "In an environment of increased cyber threats, having our software vendor successfully complete the SOC I examination gives us greater confidence in protecting our policyholders' data."
From this point forward IWS will continuously be under examination by the accounting and consulting firm, which will periodically test our controls throughout the twelve-month examination period. If you or your auditors would like to receive a copy of IWS' SOC report, contact Kevin Yount at firstname.lastname@example.org. A bridge or gap letter may also be provided during the audit period, if needed.
Audit Objectives and Controls
In preparation for the SOC 1 examination, IWS worked with a major accounting and consulting firm to identify fourteen objectives that are consistent with the needs of our clients. Clients also have influence over these objectives, and changes and adjustments can be made. If you'd like to review the objectives, they're posted below. Feel free to offer feedback or pose questions about these objectives on our forum.
1. Controls provide reasonable assurance that senior management provides oversight of the organization’s objectives.
- Executive leadership regularly discusses the operation and financial performance of the company.
- The organizational structure provides support for segregation of duties between business operations and IT.
- New employees sign Non-Disclosure and Employee agreements.
- Employee performance is evaluated at least annually.
- Various internal reports to monitor business processes and operations are available for management to review.
2. Controls provide reasonable assurance that new customer implementations follow a standard methodology.
- IWS and the client execute (authorize) a contract that outlines the duties and obligations of both parties.
- IWS uses a standard scoping document and project plan to manage new client implementations.
- Client implementations are supported by client authorization.
- BriteCore training documentation and release notes are posted on IWS' external website and are available for clients to review.
3. Controls provide reasonable assurance that IWS provides mechanisms for client restriction of access to client instances of BriteCore.
- IWS provides notice of password best practices to clients annually along with a current user list.
- Clients are provisioned with unique instances of BriteCore to process their insurance payment and commission transactions.
- The BriteCore system requires a logon ID and password to gain system access.
- Clients with BriteCore Administrator access are provided individual accounts to access their BriteCore systems.
- IWS creates an administrator account for clients upon receipt of authorization.
4. Controls provide reasonable assurance that payment data is received securely.
- Management has established and documented standard operating procedures for client data input.
- IWS provides clients with a unique client identifier.
- Incoming payment data transfers from clients travel over an encrypted link.
- Incoming payment data passes through a series of checks to help ensure duplicate or bad data is not processed.
- Input data transmission exceptions are communicated to the client.
5. Controls provide reasonable assurance that payment data is processed completely, accurately and in a timely manner.
- Management has established and documented standard operating procedures for job processing.
- The BriteCore system automatically processes client data to completion when received.
- Application programs perform checks for reasonableness of data and missing data.
- IWS obtains authorization from clients prior to changes to client payment data.
6. Controls provide reasonable assurance that commission data is processed accurately and in a timely manner.
- The BriteCore system automatically processes client commission data to completion on a monthly basis.
- Application programs perform checks for reasonableness of commission data and missing data.
- IWS obtains approvals from clients prior to changes to client commission data.
7. Controls provide reasonable assurance that access to processed payment data is secure and available for client review.
- Access to client reports is restricted to authorized users.
- Reports on stored client data are generated upon request.
- Exceptions are promptly communicated to the client.
8. Controls provide reasonable assurance that access to processed client commission data is secure and available for client review.
- Annual confirmations are completed with clients to confirm report availability, completeness and accuracy.
- Access to client reports is restricted to authorized users.
- Exceptions are communicated to the client.
9. Controls provide reasonable assurance that logical access to the BriteCore system is restricted to authorized individuals.
- An Information Security Policy exists.
- Employees are provided individual accounts to access the network and BriteCore and that access is authorized.
- BriteCore user accounts for terminated users are disabled in the BriteCore system.
- BriteCore system parameters have been configured to enforce password management.
- A network perimeter security system is in operation.
- Access to the BriteCore base code management system is segregated.
- Access to system administration privileges is restricted to authorized individuals.
- A process to review and confirm employee access to the network and the BriteCore system is performed.
- Access to client databases is restricted to authorized employees.
- Commit access to BriteCore source code is restricted to authorized employees through the use of Subversion (SVN).
10. Controls provide reasonable assurance that physical access to local computer resources is restricted to authorized individuals.
- A building security system is utilized to restrict access to the corporate facility.
- A process to review and confirm user physical access to the corporate facility and server room is in place.
- The local server room is kept locked and access is restricted to authorized personnel.
11. Controls provide reasonable assurance that client data, which has been identified as requiring periodic backup, is backed up and properly stored.
- Documented standards and procedures for backup exist.
- A full system backup of client production data is performed on a daily basis.
- Backup files are copied daily to an external drive held at an offsite facility.
12. Controls provide reasonable assurance that new BriteCore application systems being developed and changes to existing BriteCore application systems are authorized, tested, and approved prior to being placed in operation.
- Requests for application changes are documented and authorized.
- Application changes are tested and approved prior to deployment.
- Update access to the production environment is restricted to authorized users.
13. Controls provide reasonable assurance that acquisitions of hardware and system software are tested and approved prior to being placed in operation.
- Documented standards and procedures for hardware and system software acquisition and maintenance exist.
- Requests for hardware and operating system software changes are documented.
- Hardware and operating system software changes are tested and approved prior to deployment.
14. Controls provide reasonable assurance that the BriteCore system environment is monitored and that problems or incidents are tracked and resolved.
- Documented standard procedures for system monitoring and problem/incident management exist.
- A problem management system is in place that tracks problems to resolution.