SOC 2 Assessment: What is it and why does it matter for local government?
With the technology and cybersecurity challenges of state and local government increasing, we know it’s more important than ever to bring resilient, secure, and performant cloud technology to the public sector.
With this in mind, we’re proud to announce we recently completed a SOC 2 assessment for OpenGov’s Budgeting & Planning, Procurement, and technology infrastructure. As your partner, we know the security of your community’s data is paramount. By completing this audit, we can ensure the very best cybersecurity for our mission-critical suites.
Read on for more about the SOC 2 assessment and what this means for your government.
SOC 2 Assessment Meaning
In a nutshell, SOC 2 is an auditing procedure that ensures service providers securely manage your data to protect the interests of your organization and the privacy of its clients.
A SOC 2 report addresses risks associated with the handling of and access to data and can be used by a variety of organizations of any size (e.g. SaaS, colocation, data hosting, etc.). Unlike a cybersecurity assessment that evaluates specific technical configurations, a SOC 2 report focuses more on how an organization implements and manages controls to mitigate the identified risks to the different parts of an organization.
SOC 2 Compliance Requirements
Passing a SOC 2 examination and receiving a letter of attestation, which OpenGov has done, means an organization is addressing controls in areas such as information security, access control, vendor management, system backup, business continuity, disaster relief, and more.
The SOC 2 audit testing framework is based on the Trust Services Criteria (TSC), which are used to identify various risks (points of focus) an organization should consider addressing. Based on the TSCs the organization selects to be in scope, the third-party compliance and audit firm (in our case, A-LIGN) evaluates whether the organization has the appropriate policies, procedures, and controls in place to manage the identified risks effectively.
What is SOC 2 Type 2 vs. Type 1?
SOC 2 Type 1 and SOC 2 Type 2 both report on the non-financial reporting controls and processes related to the Trust Services Criteria. There are many other similarities between SOC 2 Type 1 and SOC 2 Type 2 reports, but there is one key difference: a Type 1 report reviews the design of security processes at a specific point in time, while a Type 2 report assesses how effective those controls are over time by observing operations for six months.
OpenGov completed a SOC 2 Type 2 assessment.
What are the benefits of SOC 2 compliance to OpenGov customers?
- As an OpenGov customer, you can trust that our team is following all best practices to securely manage your data to protect the interests of your organization.
- The requirements for cybersecurity in local government are only increasing. You can count on us to inform you of the latest requirements and know we’ll be proactively following them.
- For your own insurance or auditing needs, we can provide our SOC 2 report to easily answer questions. We will make the SOC 2 report available to current or potential customers upon execution of a non-disclosure agreement.
Safe and Secure
We hope the steps we have taken help you and your IT teams remain confident in knowing that your data is secure with us. Click here to learn more about our extensive security and reliability practices and comprehensive compliance controls.