SOC2

The American Institute of Certified Public Accountants (AICPA), Service Organization Control Type 2 Report (SOC2) validates how the effectiveness of a company's operational controls.The following component systems are reviewed: infrastructure, software, data, people, and procedures. Prior to issuing the certification to Zix, a third-party reviewed key features of Zix’s security program. The report is provided in our Diligence Kit.

Security: that the reviewed system is protected against unauthorized access, use, or modification to meet the entity’s commitments and system requirements.

Commitment to Competence

• Competence levels for particular positions are considered and required skills and knowledge levels are included in written position requirements.
• Candidates are assessed to determine whether they possess the perquisite level of competence to hold the position.
• Background checks are performed by a third party investigate agency in accordance with provisions of the Fair Credit Reporting Act for all prospective employees.
• New employees are required to complete security and confidentiality training upon hiring in addition to undergoing background checks that are conducted by a third party.
• Existing employees are required to complete security and awareness training on a recurring basis.
• Training courses are provided to new and existing employees in order to maintain and advance the skill level of personnel.
• Training materials are subjected to review and approval on a quarterly basis and when changes to confidentiality related procedures occur.
• Performance evaluations are completed regularly, and results are retained in employee’s personnel file.
• Terminated employees’ access is communicated and removed in a timely manner. 

Application Controls

• Privacy statements documenting description of services, information sharing and disclosure, security, user requirements and information collection and use practices.
• Media disposal procedures addressing the secure disposal of hardcopy and electronic media.

Board of Directors and Audit Committee Participation

• A board of directors has oversight over management activities and meet on a quarterly basis.
• An internal audit team is in place to guide the activities of the internal audit program and results of self-assessments.
• Steering Committee monitors operations to help ensure activities are in accordance with IT governance, risk and compliance requirements.
• Steering Committee reviews and approves corporate policies and procedures.
• IT security administrator performs a system security and availability review on a quarterly basis. 

Physical Security

• Limited access for identified systems to individuals with job responsibilities requiring access.
• Badge access card requirements, coupled with biometric device authentication, for access to data center infrastructure.
• Data center entrances monitored by operations personnel.
• Facility activity monitored by surveillance cameras monitor.
• Facility access controlled by badge access.

Information Security

• Personnel supporting services are assigned specific roles and responsibilities, with Data Center, operations, security and network management roles having more rigorous requirements. 
• Policies and procedures for classification, labeling, and handling of data.
• Users with access to client systems must sign acknowledgement forms.
• Access is restricted to individuals with job specific responsibilities.
• Users must authenticate themselves via user account, passphrase, and a second authentication factor (2FA).

Data Communications

• Firewall configured to filter unauthorized traffic.
• Events analyzed for intrusion detection.
• Network vulnerability assessments and external scans performed on regular basis.
• Logs and events monitored by the Security Operation Center (SOC).

Availability: The system is available for operation and use to meet the entity’s commitments and system requirements.

Environmental Integrity

• Redundant air conditioning units inspected on a regular basis by a third party.
• Redundant Uninterruptible Power Supply systems inspected on a regular basis by a third party.
• Back-up power systems.
• Fire detection and suppression controls, including a FM200 system, inspected by a third party on a regular basis.

Computer Operations

• Procedures for identifying and mitigating risks in the production environment.
• Redundant infrastructure for key components, such as ISP and load balancing.
• Mirroring of customer account data to alternate hot side locations.
• Documented audit and restoration of applicable backup data regularly performed.

Incident Management and Monitoring

• Procedures for responsibilities, security levels and escalations.
• Commercial support ticketing system managed incidents and responses.
• Consistent monitoring for availability and incidents.
• Root Cause Analysis for incidents.
   

Business Continuity: The entity has policies and procedures for business continuity and recovery, including for pandemic risk. 

 The Zix program adopts recommendations from the Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, published by National Institute of Standards and Technology (NIST). Zix procedures include:

Disaster Recovery Plan (DRP)

• Immediate Response
• Emergency Response.
• Initial Notifications.
• Initial Damage Assessment.
• Incident Declaration.

Recovery Process

• Recovery Organization.
• Recovery Coordination Team.
• Business Crisis Management Team.
• Operations Recovery Team.
• Information Systems Continuity Team.
• Client Services Continuity Team.

Pandemic Preparedness Plan (PPP)

• Planning.
• Preparedness.
• Response.
• Recovery.

Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s commitments and system requirements. 

Systems Maintenance

• Standard server builds for installing hardware and software.
• Patch management procedures.

Change Management

• Formal documentation of changes to system configurations, software, hardware, network components and maintenance.
• Emergency response and resolution procedures, supported by automation tools. 
• Specialized tools for change request, customer contact, user support and problem tracking.
• Segregation of duties to ensure organization for development, quality assurance, and staffing.
• Change request documentation for requests, authorization testing and approval of changes, supported by a commercial tracking system workflow.
• Development and test environments are physically separated from the production environment.
• Regular meetings to discuss production issues.

Confidentiality: Information designated as confidential is protected to meet the entity’s commitments and system requirements. 

Application Controls

• Privacy statements documenting description of services, information sharing and disclosure, security, user requirements and information collection and use practices. 
• Media disposal procedures addressing the secure disposal of hardcopy and electronic media.

Control Environment

• Maintain a control environment that reflects the importance of controls, with an organizational structure, separation of job responsibilities, and documentation of relevant policies and procedures. 
• Integrity and Ethical Values
• Integrity and ethical values are key elements of the control environment. 

The SOC2 third-party review also covered:

Risk Assessment

• Assessing sufficiency of corporate policies, procedures, and systems.
• Identifying potential risks.
• Determining the level of severity for identified risk factors.
• Identifying potential sources of risk and recommending mitigations.
• Monitoring and evaluation the operating effectiveness of existing controls considering changes in the company and surrounding circumstances.
• Monitoring the regulatory environment.

Monitoring

• Management oversees the quality of its internal control performance, using regular “key indicator” reports and supporting third-party monitoring solutions.
• Formal policies and procedures designed to ensure compliance, and redress violations and suspected violations. 

Information and Communication

• Policies and procedures are communicated through orientation training, ongoing training, and other messaging such as emails and meeting presentations.
• Description of Complementary User Entity Controls
• Maintenance of complementation control considerations, that include additional requirements such as parameters for password use.