
Safeheron Attains SOC 2 Type I Certification, Adhering to the Highest Standards of Data Security

By Safeheron Team - 2023-06-16

Safeheron, an open-source digital asset MPC self-custody solution provider, announces that it has attained SOC 2 Type I certification for its data security and privacy standards. The audit, performed by Deloitte, a leading global provider of audit and related services, assessed whether the design of Safeheron's security processes and controls meets compliance requirements, confirming that Safeheron's security design, organizational controls and related measures have been fully implemented.

Furthermore, the Deloitte team has been auditing Safeheron for SOC 2 Type II certification. This certification assesses how effective the security system and its controls are over time in protecting customer data from unauthorized access and maintaining system security, user data confidentiality and privacy. SOC 2 Type II will further demonstrate Safeheron's capabilities in open-source transparency, security, and reliability, as well as our commitment to protecting our clients' assets and data.

Q & A

Why did Safeheron choose SOC 2 certification?

SOC 2 covers internal controls over information systems and is the gold standard for providing assurance about those controls. The AICPA also issues two other SOC reports: SOC 1 and SOC 3. SOC 1 is about controls over financial reporting, while SOC 3 covers information security just as SOC 2 does, but SOC 3 is only a summary report of an organization's cybersecurity program. As an MPC-based self-custody technology provider, Safeheron treats user data security and privacy as core values; therefore, we have prioritized SOC 2 certification.

What are the criteria for SOC 2 certification?

The SOC 2 Type I report of Safeheron covers security, confidentiality and privacy.

SOC 2 certification focuses on the controls that are relevant to the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy, which are established by the American Institute of Certified Public Accountants (AICPA).

Among the 5 criteria, security is mandatory, and confidentiality should also be included. Most SaaS companies typically select the security, availability, and confidentiality criteria.

Criteria and their descriptions:

Security: Information and systems are protected against unauthorized access (both physical and logical) and unauthorized disclosure of information.
Availability: Information and systems are available for operation and use as committed and agreed. It refers to the accessibility of systems, products or services as the firm committed.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's objectives.

What are the differences between SOC 2 Type 1 and Type 2 certification?

Safeheron has attained SOC 2 Type I certification and has proceeded with SOC 2 Type II auditing.

SOC 2 Type I reports evaluate a company’s controls at a single point in time. It certifies the proper design and architecture of security controls.

SOC 2 Type II reports assess how those controls function over a period of time, generally 3-12 months. The reports appraise whether a company's security controls functioned as intended.

SOC 2 Type I certification is the first phase of Safeheron's SOC 2 certification. How long did it take to secure the certification?

The whole process, from auditing to being certified, took 5 months.

How to prepare for a SOC 2 audit?

Preparing for and completing a SOC 2 audit mainly falls on the Chief Information Security Officer (CISO) and their team. Before the audit starts, the organization needs to perform gap assessments and put the needed controls in place to get audit-ready.

Generally, the preparation can be as follows:

Gap Assessments: Assess the gap between the current internal system and the SOC 2 criteria, and fill in the controls needed.
Technical Controls: Implement the needed controls accordingly to improve security and ensure compliance.
Policies and Procedures: Adjust internal policies and procedures to be audit-ready.
Create Contents: Produce the key documentation for a SOC 2 audit, including policies, procedures and reports.
Risk Assessment: Risk assessments are mandatory for SOC 2 compliance; they must be performed effectively and documented in a report afterwards.
Vendor Evaluation: Evaluate and manage vendors effectively to ensure SOC 2 compliance.
Internal Audit: Promptly identify issues through internal audits and take the necessary measures to ensure SOC 2 compliance.
Employee Training: Conduct employee training and record both the training and its effectiveness. The training should cover aspects such as the company's security policies, procedures, controls, risk identification and emergency response, as well as the relevant requirements of SOC 2 compliance. The effectiveness of the training should be assessed and improved through examinations, questionnaires, feedback, etc., to ensure that employees comply with the SOC 2 criteria.
Emergency Plan: Plan emergency schemes and test the feasibility and effectiveness of these plans. The emergency plans should cover the various scenarios that may affect the company's SOC 2 compliance, with clearly defined persons in charge, response processes, communication channels, recovery procedures, etc. Regular drills and assessments should be conducted to enhance the company's emergency response and recovery capabilities.

What Safeheron Has Prepared

As a self-custody security infrastructure provider, Safeheron focuses on optimizing internal security controls and enhancing security protection on top of its existing security architecture and controls. Examples include:

  • Utilize data breach detection tools to protect all end users from sensitive data leakage.
  • Employ antivirus protection software to protect all end users, ensuring endpoint protection against viruses and malware.
  • Utilize endpoint management software to restrict software installation. The system automatically removes and blocks software not on the whitelist, limiting what end users can install and protecting them against malware (e.g. phishing apps).
  • Safeheron's security team reviews and updates all internal security regulations to ensure comprehensive auditing and effectiveness before implementation.
  • Safeheron conducts various disaster recovery drills and retrospective meetings, covering scenarios such as unresponsive key system managers, backup data recovery, and sensitive data backup and recovery.
  • Safeheron's security team promotes information security training and conducts regular information security exams involving all employees.

In addition to security controls, Safeheron standardizes company management and processes, for example by drafting comprehensive security policy documents, regularly conducting risk management and compliance assessments, and enforcing stringent security requirements and compliance standards with vendors and partners.

In terms of financial management, Safeheron establishes strict financial control and reporting processes and conducts internal audits to ensure the effectiveness and compliance of financial procedures and operations.

Furthermore, Safeheron's preparation also includes organizing and filing financial records and documents, as well as regularly undergoing external audits and compliance reviews.

What is a SOC 2 Type I audit process like?

For Safeheron, the audit was a mixture of remote work and on-site auditing.

What are the common challenges to getting a SOC 2 Type I certification? During its audit, what problems did Safeheron encounter and how were they solved?

For most companies, a major challenge in completing a SOC 2 audit lies in administrative controls. Some companies make mistakes where certain policies or procedures are not carried out correctly, or sometimes the controls are not in place at all. For example:

Access Control: Review access control management for all key systems, including permissions, account statuses, and tiered access.
Change Control: Document changes to software, configurations, networks, or customer requests.

Another challenge lies in technical security controls. While many companies have implemented technical security controls since their inception, some controls still have not been fully implemented in accordance with SOC 2 requirements. For example:

Software Development Lifecycle (SDLC): To enhance software security and reliability, companies need to standardize and optimize the software development process and manage the whole software lifecycle in accordance with SOC 2 requirements.
System Logging and Monitoring: System logging is a common practice for many companies; however, actually monitoring what goes into the logs is something some companies overlook. To mitigate potential issues, SOC 2 certification requires companies to continuously monitor their infrastructure and applications so that any inconsistencies are promptly detected.

Safeheron has established and continuously improved its internal security system since its inception. Being audited for SOC 2 Type I certification helps us identify and address any gaps, enhance existing controls, and adapt security designs as needed, while always guaranteeing the effective implementation of internal security controls.

What are the main sections in the SOC 2 Type I report?

A SOC 2 report has 5 main sections, as follows:

Auditor's Report: Written by the auditors, this section states whether or not your organization "passed" the assessment, with the opinion categorized as either qualified or unqualified.
Management Assertion: This section acts as a precursor to the System Description, allowing your organization to state that you prepared and implemented your system descriptions.
System Description: This section includes important information regarding the people, processes, and technology that support your product or service, serving as an overview of your organization's systems and the controls in place.
Description of Criteria: This section lists all of your controls that were evaluated, serving as an index where you can easily find the most relevant information from your audit. For Type I reports, this section only indicates the auditor's evaluation of whether the controls were designed properly within a specific period of time.
Other Information (optional): This section is where your organization can provide additional information relevant to your audit, for example a response to any exceptions found during the SOC 2 audit.

What impact does obtaining SOC 2 Type I certification have on enterprises, especially blockchain companies?

Security and compliance are essential prerequisites for the development of numerous enterprises, especially in the infancy of the blockchain industry where security and compliance are also in their early stages.

SOC 2, the most recognized information security compliance standard and one that comprehensively reflects a vendor's security capabilities, ensures that service providers can effectively manage user data in a secure manner, safeguarding the interests of organizations and the privacy of users.

For Safeheron, obtaining SOC 2 Type I certification is a significant milestone. As an MPC-based self-custody infrastructure provider, we walk the talk with our technology, utilizing proprietary technology and fully embracing the open-source community. By continuously advancing our security certifications, we not only prove our ability to implement security measures and maintain compliance but also demonstrate our unwavering commitment to securing customer data and privacy.

The SOC 2 Type I certification further showcases Safeheron's original aspiration to maintain highly compliant and secure standards. Safeheron remains committed to becoming the premier self-custody security infrastructure for digital assets in the industry, empowering customers with complete control over their private keys and assets, while also enhancing security and efficiency.
