XMission Successfully Completes SOC 2 Certification

From XMission Wiki
Revision as of 14:14, 16 November 2016 by Ehigbee (talk | contribs)
Jump to: navigation, search

XMission Successfully Completes SOC 2 Certification

SALT LAKE CITY, UT - November 16, 2016 - XMission recently completed its first SOC 2 Certification. XMission adds SOC 2 to its annual audit certifications that include SOC 1 (SSAE 16, Type 2) and HIPAA. These certifications relate to XMission's colocation, cloud hosting, Zimbra hosted email, network administration, and support services.

Customers can request copies of XMission's assessment reports, which could make it easier for them to pass their own audits.

According to XMission president and founder, Pete Ashdown, "We've added this demanding audit because it prescribes important controls regarding key sectors of our core business model: internet and hosted services. These three audits together provide a broader spectrum of controls and best practices."

In recent years, XMission has expanded its focus on business products, including colocation, advanced web hosting (with its cloud product), email hosting (with Zimbra), and business telephony. As those products matured, XMission saw the need to become certified, especially as enterprise clients started to look more closely at XMission as a vendor. With the ubiquity of the Internet and businesses relying so heavily on certifications, XMission decided to include the more rigorous and prescriptive SOC 2 audit to further increase customer confidence in XMission's stewardship of their data.

XMission management developed rigorous internal control objectives to support its first-class data center, hosting and networking management services. Businesses can think of internal controls as the processes by which an organization manages its people and systems. It is how a company conducts business, day to day. These controls should be closely aligned with the entity's goals and objectives.

When an outside auditor comes in, they first review the organization's control objectives to determine if they appear to be reasonable and then secondly test their processes and see if the entity reliably meets those objectives over time. Professing best practices isn't enough. XMission chose to have a type 2 audit, which requires an organization to prove the operating effectiveness of its internal controls throughout the audit period.

A Service Organization Control (SOC) 2 Report is performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design and operating effectiveness of a service organization’s controls. The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to the trust principles of security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls. It is a report by an external auditor that verifies a company has policies and procedures in place to mitigate various common risks. Note that a type 2 audit verifies that controls were in place over the entire period of the audit, instead of just one moment in time. As well, this audit report is signed and dated at the end of an annual audit to verify that controls were in place during the time period of the audit.

SOC 1 audit reports provide a framework for a service organization to have an outside entity examine their internal controls, which can then be provided to its enterprise clients. Also known as a Service Organization Control (SOC) 1 report, the audit reviewed the suitability of the design and operating effectiveness of XMission’s controls to achieve the related control objectives. Compliance sensitive companies often require SOC 1 certification, which include publicly-traded enterprises, financial firms, and healthcare organizations.

HIPAA compliance assures potential and existing customers that XMission's policies and procedures are sound according to HIPAA guidelines. Any business that deals with Protected Health Information (PHI) requires HIPAA certification.

CPA firm A-lign, who specializes in conducting such audits for IT firms, conducted XMission's audits.

Customers interested in more details about XMission's SSAE 16 report, can visit the following links: SOC 1/ SSAE 16, Type 2 SOC 2 HIPAA