Collegis Education is proud to announce it has achieved Service Organization Control (SOC) 2 Type 2 compliance, the result of a rigorous audit that validates Collegis as a trusted higher education managed service provider. Specifically, the compliance validates that Collegis Education's security practices, policies, procedures and operations meet the SOC 2 criteria for security, availability, processing integrity, confidentiality and privacy.
Mark Relf, IT security and compliance analyst at Collegis Education, led the compliance effort for Collegis. He walked us through what this significant milestone means for Collegis and its current and future partners.
What is SOC 2 compliance?
Mark Relf: Service Organization Control (SOC) compliance is designed to help organizations like Collegis that provide information system services to other organizations instill trust and confidence in their service delivery processes and controls.
SOC compliance is achieved after successfully completing a thorough audit by an independent CPA who delivers the results in a SOC 2 report. The SOC 2 report is based upon a series of Trust Service Principles, which create a standard for compliance. Collegis regularly operates appropriate security controls to either meet or exceed these principles.
Why did Collegis pursue SOC 2 compliance?
Relf: As a managed service provider, we want our partners and potential partners to know we treat all data entrusted to us with the utmost care. The SOC compliance shows we have strong security measures and controls in place across our organization. We also wanted to differentiate ourselves in the market.
Higher education institutions are concerned about the security of their student data and want to avoid the fallout of a data breach or loss or misuse of their school’s data. We know data security is important to higher education institutions and SOC compliance is one key way for us to show colleges and universities what measures we have in place to keep their data secure.
What steps did Collegis have to take to earn compliance?
Relf: There is a misconception that an organization only has to take a test to be SOC compliant. This was a rigorous process that took 10 ½ months to complete and impacted everyone at Collegis. Each employee took part in the audit, which included participating in a series of in-depth security training sessions and providing information for the audit.
Collegis also brought in an outside firm to conduct external penetration testing to see where we might have some security holes. It turned out that our employees already had a strong security mindset, before we even conducted the internal training. Our employees know what to do and take pride in it. Collegis has been conscientious about having sound information security practices in place for years, but the path to SOC 2 compliance brought us to the next level.
What’s next?
Relf: This is not a one-and-done certification. SOC 2 compliance requires us to audit our security controls regularly and also pursue continuous improvement, whether that's creating additional controls or security measures or keeping our employees up to date on security risks or viruses. As all members of the team become increasingly aware of our surroundings, IT security becomes less intrusive and more accepted.
To learn more about SOC 2 compliance, visit the American Institute of CPAs website.
Author: Collegis Education staff
Collegis is passionate about education and driven by the technology that keeps institutions moving forward.