As part of our continued dedication to information security and the safety of our customers’ data, HireVue completed its first SOC 2 Type 2 Report in December 2017.
What was involved in obtaining HireVue’s SOC 2 Type 2 report?
A SOC 2 Type 2 report presents HireVue’s clients with the results of an independent audit in the form of an assertion from a third-party auditor. This assertion attests that HireVue has implemented appropriate controls to protect our Video Intelligence Platform. Specifically, the Type 2 designation means that the auditor not only verified that the controls are in place, but also that they operated effectively over a period of time.
To begin this process and prepare for the audit, HireVue underwent a gap assessment and scoping exercise to identify the applicable trust service principles (TSPs) and the related criteria that HireVue would be audited against. HireVue included the security, availability, and confidentiality TSPs, their related criteria, and the corresponding controls as the scope of this audit.
The audit process took into consideration a review of the components used to provide HireVue’s services as well as the controls implemented to protect supporting systems, including:
- Infrastructure: the cloud environment and related resources.
- Software: the core application and supporting systems for monitoring and maintaining the system.
- People: the individuals involved in the governance, operation, and use of the system.
- Procedures: the policies, procedures, and standards that govern the appropriate use of the system.
- Data: transaction streams, files, databases, tables, and output used, processed by, or stored within the system.
To demonstrate the depth of the audit, these are several examples of controls that underwent inspection:
- Newly hired team members are subject to background checks.
- Team members are subject to recurring information security training.
- Team members must acknowledge the Employee Handbook, which describes the responsibilities and expected behavior with regard to information and information system usage upon hire and annually thereafter.
- A risk assessment (environmental, regulatory, and technological) is performed on at least an annual basis.
- Penetration testing is performed on at least an annual basis. A remediation plan is developed and changes are implemented to remediate identified vulnerabilities.
- Ongoing automated network and application vulnerability scanning takes place, and identified vulnerabilities are remediated.
- Data is encrypted in transit and at rest.
- Databases housing sensitive customer data are encrypted at rest.
In-House Certification vs. Hosting Vendor Certification
Many of the big-name cloud hosting providers have obtained their own SOC 2 report for the services they offer. A company that sells software-as-a-service and hosts its resources in the cloud might choose to claim SOC 2 compliance by relying on the report its hosting provider has obtained. However, that SOC 2 certification/validation does not extend to the services offered by that company, because those services were not reviewed within the scope of the cloud provider’s report.
This is a crucial distinction to make.
While it’s great that the underlying cloud infrastructure has been reviewed against information security standards, this provides no assurance about the security of the system being hosted on it.
If information security is a priority, you need to ask your vendor for their reporting as it pertains to their in-house controls.
HireVue can now demonstrate to its clients that not only is our hosting platform SOC 2 Type 2 validated, but the HireVue Video Intelligence Platform running on those systems is validated as well.
What it Means for HireVue Customers
HireVue has chosen to continue to be subject to ongoing SOC 2 Type 2 audits as part of our continued effort to demonstrate that HireVue is dedicated to protecting our customers’ data. In addition to this process, HireVue has a dedicated information security team to implement and monitor our security controls.
As previously mentioned, the SOC 2 Type 2 report is a third-party validation of HireVue’s controls. When we tell you that your data is secure, you don’t need to take our word for it! This third-party report is available under NDA for all interested customers and potential customers.
SOC 2 Type 2 Certification is an activity that HireVue will continue to maintain. We are also exploring other certification opportunities such as ISO 27001 and FedRAMP to further prove the robustness and stability of the systems we have in place.
About the Author
Scott Snelgrove, CISSP, is HireVue’s Information Security Compliance Specialist. With over 12 years of experience in information security and penetration testing, he supports the development of HireVue’s Information Security policies, procedures, and controls. Find him on LinkedIn.