Compliance at the heart of security: A conversation with our Director of Compliance and Operations
At Softdocs, our customers’ data security and privacy are the highest priorities for everyone on our team. To be the best in our space at protecting both, we have made compliance an area of focus for our organization, and we strive to continually demonstrate to our customers that no other company is better suited to keep their data protected.
To that end, Terri McKinney, Director of Compliance and Operations at Softdocs, is tasked with overseeing our compliance roadmap and ensuring our team is set up to consistently achieve our goals in this regard. We got to sit with Terri to talk about Softdocs’ approach to compliance and security in general.
Q. Terri, to kick things off, tell us why our customers should care about what you do?
A. Educational institutions are more vulnerable than ever when it comes to cybersecurity. Today’s IT departments are managing more data than they have ever dealt with – student records, staff information, faculty records, etc. The IT departments are already overburdened with the day-to-day operations of schools. They need help with managing the security-related threats that cybercriminals pose. I assist with making sure that our internal infrastructure and cloud infrastructure are as secure as they can be so we can protect our most important asset – your cloud environments and data.
Q. There is a lot of talk about SOC 2. Would you start by describing what SOC 2 is?
A. SOC 2 is an auditing procedure developed by the American Institute of CPAs. SOC 2 defines criteria for managing customer data based on five “trust service principles.” A SOC 2 audit assesses the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place. These principles are:
- Security – A measure of how securely a system, and its resources, are protected against unauthorized access.
- Availability – A measure of the accessibility of the system, with its related products and services, to the customer as per the service level agreement (SLA).
- Processing integrity – Whether the data processing is complete, valid, accurate, timely, and authorized.
- Confidentiality – If the contents of the system, its access, and disclosure are restricted to a specified set of persons or organizations.
- Privacy – Manner in which the system’s collection, use, retention, disclosure, and disposal of personal information are handled.
Q. How did Softdocs make the decision to demonstrate SOC 2 compliance, and how do our clients benefit from it?
A. As Softdocs continued to grow, we formed a Security Team that includes team members from Operations, Internal IT, Cloud Operations and Development. This team was tasked with developing policies and procedures that control and strengthen our business operations. We partnered with KirkpatrickPrice to provide our audit services and audit us every year. We just finished the audit for 2022. I’m happy to report that we have no exceptions for the fourth year in a row!
Complying with SOC 2 helps us deliver improved information security practices. SOC 2 guidelines help an organization better defend itself against cyber-attacks and prevent security breaches, which means our clients' data is more secure. The certification helps educational institutions feel comfortable knowing that we can be trusted with their data because of our adherence to solid data security practices.
Q. Other than the audit itself, how does Softdocs accomplish better compliance?
A. We have a range of individual systems, policies, procedures, and processes that we have implemented to comply with SOC 2 criteria. It’s my responsibility throughout the year to ensure that we’re adhering to everything we have implemented. We conduct routine smaller audits to ensure that we are meeting our compliance guidelines.
Security is ingrained in our culture and in how we do business to provide our customers with a secure infrastructure. I am also responsible for working with our Security Team, which meets regularly to discuss cybersecurity topics, industry news, and best practices. Further, we proactively conduct disaster recovery and business continuity testing, penetration testing, and risk assessments.
Q. How do we develop our compliance calendar and checklist?
A. We start with research and reading publications, online forums, and news articles. We focus heavily on the latest events that have transpired in the IT sector in general and the education market. We look at all potential threats being talked about, large and small, and include them in our consideration. We also solicit inputs from our clients and partners in this process. All these inputs become the starting point for our discussion, and we review them and build out the roadmap that will dictate our priorities and areas of focus for the next few quarters.
Q. Regarding compliance, what sets Softdocs apart from the competition?
A. It’s the people. We have a team of phenomenal people that really want to do the best for our customers and are focused on what our customers need, often going above and beyond by addressing topics that our customers might not even be aware of. Our culture and our values of collaboration drive the way we work with each other to build better solutions for our customers.
As educational institutions grow larger and gather more data from their employees and students, they become bigger targets for cybercriminals. Compliance is the tool that we use to ensure we’re doing everything we can to protect the data of these customers. We thank Terri McKinney for keeping us on top of this important mission.