Meeting SOC 2 Type II Compliance with Incapsula

We are pleased to announce that Imperva has released an audited SOC 2 Type II report for the Incapsula service. A SOC 2 Type II report establishes trust, and not all companies in the space are endorsed by AICPA, the governing standards body.

SOC 2 Type II Compliance and What It Means for You

The AICPA (American Institute of CPAs) is the world’s largest member association representing the accounting profession. One of its key functions is to set global auditing standards for companies, organizations and governments. Auditors are able to offer audit opinion based on these rigorous professional standards of compliance

The SOC 2 standard is a set of non-financial principles that measure how well a service organization, like Imperva Incapsula, controls its information.  This certification helps build customer trust in organizations, without having to perform their own compliance investigation. The Trust Services Principles (TSP) includes five criteria for controls including

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

An example would be that our service is available when needed and that personal information passing through it is maintained confidential at all times.

SOC 2 replaced SAS-70 some years ago as the standard for service providers. SOC Type I reviews controls and evidence in place at a point in time. Type II reports include a review of controls and evidence for a period of six to 12 months.  This makes the evidence collection and process far more comprehensive and intensive.

The SOC certification is just one of three third-party certifications (see below for more details) we perform for our services to meet stringent compliance and regulation standards. Our security services secure your customers’ interactions with you and help you gain their trust.

Achieving Certification for Incapsula

The Imperva Incapsula audit was conducted by a third-party compliance audit firm, covering the following principles and related criteria that are most relevant to our service:

  • Security — The system is protected against unauthorized access, use, or modification to meet the entity’s commitments and system requirements.
  • Availability — The system is available for operation and use to meet the entity’s commitments and system requirements.

Each of the related TSP Common Criteria has risks associated with it.  The TSP also provides illustrative controls which relate to those risks. The Imperva Incapsula service has approximately 100 controls based on the Common Criteria and the two principal areas.  The audit reviewed controls from May 1, 2016, to November 30, 2016.

Our auditors reviewed our controls for the testing period and offered a non-qualified (no significant exceptions) opinion.  The report accurately reflects our documented controls and our operational implementation of the controls.

Questions to Ask Your Provider

If you are with a cloud security provider it’s time to find out if it is SOC 2 Type II certified. Perhaps you are in the process of selecting a cloud service and looking into its commitment to security, availability and privacy. If that’s the case, ask the following questions to see how your provider is protecting your data and transactions.

  • Request a current SOC 2 Type II report.
  • Identify the principles and controls that you feel are needed in the report.
  • Validate that the audit report includes these controls.
  • Check the current status of the control according to the auditors findings.
  • Discuss any questions or concerns you may have about the report.
  • Document your expectations in your service provider agreement.

Incapsula is built on policies, standards, processes and controls measuring up to the requirements in SOC, PCI and ISO 27001. You are welcome to contact us for more information on our SOC 2 Type II or other certifications.

Fuente: Incapsula