The increased awareness and adoption of cloud technology is leading organizations and CSPs to provide assurance over the management and security of sensitive data. To satisfy stakeholders’ demands for assurance around internal controls intended to address touch-points relevant to information security, the AICPA has developed the Service Organization Control (SOC) reporting framework. To support their risk assessments, user entities and business partners may request a SOC 2® report from the service organization.
Why is SOC2 required?
SOC 2 reports permit cloud providers to communicate details about their services and the suitability of the design and operating effectiveness of their controls. They are mainly relevant to:
- Organizations that need to demonstrate how they process transactions and/or data on behalf of their customers
- Organizations that need to demonstrate how their security controls operate
- Organizations that need to demonstrate how their controls related to system availability function
- Organizations that need to demonstrate how their controls related to data privacy or confidentiality operate
Not all five Trust Services principles need to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives.
Description criteria:
The description criteria are used by management when preparing the description of the service organization’s system and by the service auditor when evaluating the description.
Trust services criteria:
The service organization evaluates whether the design and operating effectiveness of controls provide reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to the trust services category or categories included within the scope of the examination. The trust services criteria are classified into the following five categories: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Is Tata Communications SOC2 compliant?
Tata Communications is committed to the SOC2 standard for its Managed Cloud Services (MCS).
Managed Cloud Services: IPC (IZO Private Cloud) is an enterprise cloud platform that offers a flexible, scalable and reliable cloud environment. It allows end-users to create the appropriate combination of compute, network, security, storage, and traffic management services to meet business needs, with the flexibility to grow with the business. The IPC service is available on two models within Tata Communications’ data centers. It includes Virtual Private Cloud (VPC), Dedicated Private Cloud (DPC) and Virtual Private Data Center (VPDC).
MCS services are offered to customers from the GSMC facility in Chennai. The Service Operations Team provides 24×7 monitoring and support for network intrusion detection and protection devices across a variety of platforms and technologies. The Service Operations Team in turn consists of Level 1 (L1), Level 2 (L2) and Level 3 (L3) Engineers who manage the day-to-day operations of GSMC and analyze and resolve issues. The Operations Engineering Team consists of competency leads, also referred to as Technology Leads, who are
Service Organization Controls and Procedures cover control objectives for:
- Information Security
- Access Security
- Physical Security
- Facilities and Equipment Security
- Incident Management
- Problem Management
- Change Management
- Backup and Restoration
- Manage Third Party Services
- Software Licensing
- Manage Operations
- Human Resources
| IZO Private Cloud | In-Scope services |
| --- | --- |
| Compute | Cloud services, Virtual Services, Auto Scaling |
| Network | VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV |
| Storage/Backup | Block, File and ICS (Object) backup Scheduled data backup and data restoration |
| Database | Managed Oracle, MS-SQL, DB2 or MySQL database administration |
| Middleware | Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache Application maintenance |
| Hypervisor | VMware, Hyper-V and KVM |
| Load balancer | Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance |
| Security | SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth |