Growing awareness and adoption of cloud technology is leading organizations and cloud service providers (CSPs) to seek assurance over the management and security of sensitive data. To satisfy stakeholders' demands for assurance around the internal controls that address information security touch-points, the AICPA developed the Service Organization Control (SOC) reporting framework. To support their risk assessments, user entities and business partners may request a SOC 2® report from the service organization.

Why is SOC 2 required?

SOC 2 reports let cloud providers communicate details about their services and the suitability of the design and operating effectiveness of their controls. They are mainly relevant to:

  • Organizations that need to demonstrate how they process transactions and/or data on behalf of their customers
  • Organizations that need to demonstrate how their security controls operate
  • Organizations that need to demonstrate how their controls related to system availability function
  • Organizations that need to demonstrate how their controls related to data privacy or confidentiality operate

Not all five Trust Services categories have to be assessed. Cloud providers may select the Trust Services category or categories that best meet their reporting objectives.

Description criteria:
The description criteria are used by management when preparing the description of the service organization's system, and by the service auditor when evaluating that description.

Trust services criteria:
The service organization evaluates whether the design and operating effectiveness of its controls provide reasonable assurance that its service commitments and system requirements were achieved, based on the trust services criteria relevant to the category or categories included within the scope of the examination. The trust services criteria are classified into five categories:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Is Tata Communications SOC 2 compliant?

Tata Communications is committed to the SOC 2 standard for its Managed Cloud Services (MCS). IZO Private Cloud (IPC) is an enterprise cloud platform that offers a flexible, scalable and reliable cloud environment. It allows end users to assemble the combination of compute, network, security, storage and traffic-management services that meets their business needs, with the flexibility to grow with the business. The IPC service is delivered from Tata Communications' data centers in the following models: Virtual Private Cloud (VPC), Dedicated Private Cloud (DPC) and Virtual Private Data Center (VPDC). MCS services are offered to customers from the GSMC facility in Chennai.

The Service Operations Team provides 24×7 monitoring and support for network intrusion detection and prevention devices across a variety of platforms and technologies. It consists of Level 1 (L1), Level 2 (L2) and Level 3 (L3) engineers who manage the day-to-day operations of the GSMC and analyze and resolve issues. The Operations Engineering Team consists of competency leads, also referred to as Technology Leads. The Service Organization Controls and Procedures cover control objectives for:

  • Information Security
  • Access Security
  • Physical Security
  • Facilities and Equipment Security
  • Incident Management
  • Problem Management
  • Change Management
  • Backup and Restoration
  • Manage Third Party Services
  • Software Licensing
  • Manage Operations
  • Human Resources

IZO Private Cloud in-scope services:

  • Compute: cloud services, virtual services, auto scaling
  • Network: VPN gateway, load balancer, switches, router, WAF, firewall, NFV
  • Storage/Backup: block, file and ICS (object) backup; scheduled data backup and data restoration
  • Database: managed Oracle, MS-SQL, DB2 or MySQL database administration
  • Middleware: managed middleware service on applications including JBoss, Tomcat and Apache; application maintenance
  • Hypervisor: VMware, Hyper-V and KVM
  • Load balancer: static, dynamic, persistence; NFV virtual appliance or physical appliance
  • Security: SIEM, DDoS detection and mitigation, firewall monitoring and management, WAF, UTM and network-based vUTM (SIGS), managed and monitored IDS/IPS, OAuth
