Many construction industry firms have invested heavily in cyber security measures to protect infrastructure and critical information. Security and privacy are a main concern for the construction industry as threats have significantly increased. According to security audit firm A-LIGN, 73% of organizations have experienced data leakage and data spillage in the last 12 months. However, security risk extends beyond the firm. The software applications used by a firm, now called the software supply chain, may also introduce security issues.
Hidden Vulnerabilities: the Software Supply Chain
Although cyber security is a top priority for most AECO firms, there are hidden vulnerabilities that often go undetected. Third party software providers are an extension of the firm and may be a weak link in the security chain. If software providers do not take appropriate measures to protect their customer's data, sensitive information may be exposed or leaked.
Issues with software chain security continue to grow. The National Institute of Standards and Technology (NIST), issued an executive order in May 2021 acknowledging the increasing number of software security risks throughout the software supply chain. “Federal departments and agencies become exposed to cybersecurity risks through the software and services that they acquire, deploy, use, and manage from their supply chain (which includes open-source software components). Acquired software may contain known and unknown vulnerabilities as a result of the product architecture and development life cycle.”
This is not just a problem for the Federal Government. It is a problem for all industries. Software providers for the construction industry often store sensitive information on cloud-hosted servers including building plans and specifications. In addition, electronic information is transferred between external project team members numerous times a day. Data that is “in transit” is at risk if it is not encrypted. Also, ensuring that information is being sent to the correct authorized party is a key security factor. This is where Multi-authentication (MFA) security adds a layer of security so that information does not fall into the wrong hands.
But how do you know if your software provider is protecting your information? Enter SOC 2 certification.
What is SOC 2?
Construction firms can extend their security by verifying the security measures and practices of their software providers. Similar to NIST security standards, SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), audits and documents the effectiveness of a software provider’s internal processes and cybersecurity controls. It is a rigorous auditing procedure that ensures software providers securely manage and protect customer data. There are three levels of SOC certification: SOC 1, SOC 2, and SOC 3. While SOC 1 focuses on financial controls and financial reporting, SOC 2 and SOC 3 focus on a company’s IT, operational, and organizational controls.
Customers and stakeholders use SOC 2 and SOC 3 reports to gain confidence and place trust in an organization’s systems. However, the SOC 2 report includes the details of the processing and controls tests performed by the independent auditor and results of those tests.
The SOC 2 certification has become the de facto standard. It is a U.S. security certification that defines criteria for managing customer data.
The SOC 2 certification audit covers five specific Trusted Service Criteria including security, availability, processing integrity, confidentiality, and privacy.
Five Principles of SOC 2
Security Organization Imperva outlines the five specific principles of SOC 2:
- The Security principle refers to protection of systems against unauthorized access. This includes providing access controls and other security measures such as multi-factor authentication (MFA) to ensure only authorized individuals have access to information.
- Availability ensures a system is meeting performance expectations with regards to availability or uptime. This is an assessment of whether proper controls are in place to operate, maintain, and monitor system availability. Security incident handling is also a critical component of this principle.
- Processing integrity looks at system processing to ensure the system is delivering complete, valid, accurate, timely and authorized data.
- Confidentiality is defined as restricted access to a specific group of individuals or organizations. Encryption is an important control for protecting confidentiality during data transmission. Safeguards such as network and application firewalls, and access controls are also used to protect information from being accessed by unauthorized parties.
- The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice. In addition, there are other criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Compliance vs. Certification
The terms “compliance” and “certification” are often used interchangeably. But there is a difference. Certification means that an independent third party has physically evaluated, tested, and certified the product or service to be in conformance with all the requirements of the standard. SOC 2 certification requires a independent auditor’s assessment and testing of the five specific trust principles outlined above.
A software provider may adhere to the trust principles and state that they are in compliance. However, “compliance” is not audited and verified by an independent authority. Compliance is basically a self-audit.
Newforma Achieves SOC 2 Certification
Newforma has recently achieved SOC 2 certification in order to better protect customer data and privacy.
The certification of Newforma’s policies, procedures, and infrastructure controls went through an extensive review process over a three-month time period by the independent, third-party certified auditor A-LIGN.
Security and privacy concerns continue to be a top priority for construction industry and many firms are looking for software providers to be more transparent regarding security and privacy. In addition, federal government, infrastructure, and classified projects are requiring evidence of security controls in order to win project bids.
“Newforma customers can be assured that their data, passwords, and access are secure and protected”, states Johnathon Kinville, Newforma’s Director of Security. “Newforma continues to lead the AECO software market for security best practices.”