Walker360 is proud to be a SOC 2® certified printer. Our staff works hard each year to maintain this status, because it reflects our commitment to keeping your business's data secure. The AICPA designed SOC reporting as independently validated documentation of an organization's internal controls and of the information systems its users access. If you are unfamiliar with the AICPA or SOC 2®, keep reading to learn how it affects your business printing and mailing services with Walker360.
What is AICPA?
The AICPA (American Institute of CPAs) is the world's largest member association representing the accounting profession and has done so since 1887. More than 431,000 members across 130 countries and territories belong to the AICPA, drawn from every type of industry. While it serves CPAs in many areas, the AICPA also defines the Trust Services Criteria, the yardstick against which every SOC 2® report is measured.
What are Trust Services Criteria?
The Trust Services Criteria are a set of requirements defined by the AICPA that an organization's controls are evaluated against during a SOC 2® examination. They cover five categories of an organization's operations: security, availability, processing integrity, confidentiality, and privacy. Security is mandatory in every SOC 2® report; the other four categories are included when they are relevant to the service being provided. Walker360's report covers all five.
• Security – the organization's information and systems are protected against unauthorized access, unauthorized disclosure, and damage that could compromise the availability, integrity, confidentiality, or privacy of data, or the organization's ability to meet its objectives. The AICPA calls these requirements the common criteria, because they apply to every SOC 2® report.
• Availability – information and systems are available for operation and use as committed or agreed, which in practice covers capacity planning, monitoring, backups, and recovery.
• Processing Integrity – system processing is complete, valid, accurate, timely, and authorized, so that requests are handled in line with the organization's objectives.
• Confidentiality – information designated as confidential is identified, protected, accessible only to authorized users, and disposed of when it is no longer needed.
• Privacy – personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization's privacy notice and objectives.
What is SOC 2®?
SOC (System and Organization Controls) is a family of attestation reports defined and periodically updated by the AICPA. A SOC report documents an organization's internal controls and is issued by an independent CPA firm after an examination. Strictly speaking it is an attestation report rather than a certificate, although "SOC 2® certified" is common shorthand for an organization that has completed the examination. The two reports most relevant to a service provider are:
• SOC 1® focuses on controls that affect a customer's financial reporting.
• SOC 2® focuses on controls surrounding security, availability, processing integrity, confidentiality, and privacy.
Whichever report a business pursues, it gives the people who need detailed assurance (customers, their auditors, regulators) a controlled way to obtain it. The key difference is the yardstick: a SOC 2® examination measures controls against the AICPA's Trust Services Criteria, whereas a SOC 1 examination measures them against control objectives the service organization defines itself for financial reporting. Either report comes as a Type 1 (controls are suitably designed at a point in time) or a Type 2 (controls also operated effectively over a review period, commonly six to twelve months); the Type 2 report is the one customers usually ask a vendor for.
Why become SOC 2® certified?
A SOC 2® examination looks at security controls at every level of a business, and the resulting report supports an organization's oversight functions: vendor management programs, internal risk management, and regulatory compliance. Because it applies directly to the business printing services and internal processes of Walker360, we chose SOC 2®, knowing that becoming a SOC 2® certified printer would be the most beneficial path for our customers and for our business development.
How did Walker360 qualify for the SOC 2® certification?
To qualify, Walker360 built a control framework around the five Trust Services Criteria, documented our procedures, and continually monitor our controls. Each year an independent CPA firm reviews our system description, the measures we take to protect customer data, and evidence that those controls operated throughout the review period. Those measures include, but are not limited to:
- Controlled building access: visitors must sign in and wear a visitor badge, and employees must use a key card to enter the building.
- Employee security awareness training, with annual review and employee attestation of the company information security policy, which covers customer data protection, email, internet and social media use, and acceptable computer use.
- Training to recognize and resist threats such as malware, phishing, ransomware and social engineering, and to follow good password practices.
- Regular simulated phishing emails sent to employees, with results tracked.
- Continual internal and external network vulnerability scanning, with evidence that findings were remediated.
- Continual firewall monitoring, and evidence of regular backups held both on site and off site.
- Two-factor authentication for network access.
- Evidence of up-to-date Windows patching and antivirus protection.
- Vendor confidentiality agreements, renewed yearly.
- Documentation of preventive maintenance agreements with vendors.
- A yearly risk assessment, disaster recovery plan, data retention policy, and evidence of controlled data disposal.
- Documentation showing testing of UPS units, generators and fire alarms.
Walker360 provided the documentation and supporting evidence for all of these items to the external auditor. Where gaps were found, Walker360 updated our internal systems and processes to meet the Trust Services Criteria.
How long does SOC 2® certification last?
A SOC 2® report covers a defined review period, commonly 12 months, and customers expect a current one, which means that every year Walker360 undergoes a fresh examination and submits updated evidence. This ensures not only that we updated our system and organization controls once, but that we maintain those controls consistently over time.
Why is SOC 2® Certification important?
More than 4,100 data breaches were publicly disclosed in 2022, exposing roughly 22 billion records, and the cyber security publication Security Magazine reported that the final 2022 figures were expected to exceed 2021 by as much as five percent. Your company's data is only as safe as the vendors that access it: industry surveys report that 54% of organizations were breached through a third party in the preceding 12 months, with Toyota, the Major League Baseball Players Benefit Plan, US school districts and the health insurer Highmark Health among the publicly reported examples.
Some of the largest vendor-related breaches on record show how much is at stake:
Equifax (2017)
Attackers accessed sensitive information on approximately 147 million consumers, including names, Social Security numbers, birth dates and addresses, and in some cases driver's license numbers; the credit card numbers of about 209,000 US consumers were also exposed. The breach was caused by an unpatched, publicly known vulnerability in the web application software behind a consumer-facing website.
Cost: about $1.38 billion in total, according to the settlement documents as quoted by The New York Times.
Target (2013)
The payment card data of about 41 million customers and the personal details of around 70 million were stolen, an estimated 110 million affected parties in total. The attackers got into the network using credentials stolen from a third-party HVAC vendor.
Cost: about $236 million in total expenses and more than 140 lawsuits filed against the company.
Home Depot (2014)
The incident compromised the credit card data of roughly 56 million customers, plus separate files containing approximately 53 million email addresses; an estimated 109 million consumers were affected. The attackers used a third-party vendor's login credentials to enter the network and install memory-scraping malware on over 7,500 self-checkout POS terminals.
Cost: about $179 million.
Marriott / Starwood (2018)
Marriott, the parent company of prominent hotel chains such as Sheraton, W Hotels, Westin Hotels and Le Méridien, became aware of the breach on September 8, 2018, when an internal security tool alerted on an attempt to access the Starwood guest reservation database in the US. Further investigation revealed that the Starwood network had been accessed without authorization for four years before discovery, reaching back to before Marriott acquired Starwood in 2016. The intrusion came into Marriott along with an acquired company's systems, which call for the same due diligence as a vendor's. The company faced several lawsuits for failing to protect its guests' accounts.
Cost: about $72 million in breach-related expenses.
Under Armour (2018)
Around 150 million MyFitnessPal accounts were compromised. The leaked data included usernames, email addresses and hashed passwords (most protected with bcrypt, the rest with the weaker SHA-1).
Cost: not fully determined. A consumer class action was filed against Under Armour, which may face further legal claims or investigations by regulators, and the company may also have to spend more to strengthen its data security infrastructure.
Our promise to you.
At Walker360, our data management policy is simple. We will consistently provide you with outstanding print and mail services that are on time, on budget, and that exceed your specifications and expectations. We will keep improving and refining our internal processes to meet both your satisfaction and all of the SOC 2® requirements. We focus on building lasting credibility and relationships so you know you can always depend on us, regardless of the print or mail job. SOC 2® isn't just a checked box for us. It represents our commitment to keep improving our performance and methods so they are the best they can be.