Skip to content
Achieving a SOC 2 Type II examination is a reflection of how seriously we take security, accountability, and the trust our customers place in us. We sat down with NCI President Ben Carlsrud for a Q&A-style conversation about what SOC 2 Type II is and why it matters. In this interview, he shares insight into the ongoing commitment behind this examination, and how this accomplishment reinforces our promise to lead by example—doing the right things internally so we can continue delivering the right outcomes for our customers.
So what exactly is SOC 2 Type II, and how is it different from other certifications? To start the conversation, we asked Ben to walk us through what the certification represents, why NCI pursued it, and how it sets a solid foundation.
Q: What is SOC 2 Type II?
A: SOC stands for System and Organization Controls for Service Organizations. And from a high-level overview, SOC 2 Type II is an audited process that validates an organization’s internal controls over security, processes and procedures.
https://www.fortinet.com/resources/cyberglossary/soc-2-compliance
Q: What does it mean for our customers?
A: It means you’re working with a partner who stands behind what they recommend. We’re a technology provider, and we talk security a lot. People come to us asking: “How do you secure this? What are your processes? What do you do internally? How do you manage your day-to-day?” This certification will reinforce how we’re advising you. We’re not just throwing words at you, we’ve also gone through audits to validate our processes and procedures. We as an organization believe if we’re going to provide good services and advice to you, we should be doing those things within, too.
For our customers in regulated industries that are routinely audited by third parties, (finance, heath care, legal firms, etc.) this will make that process much easier while being audited. Before we were SOC 2 Type II, we would need to explain to that customer (who would then need to relay to their auditor) that from a technology standpoint, we don’t have any customer data, and therefore, it’s not required of us, etc. Now, when their auditors request a vendor list, and their respective SOC 2 Type II certifications, we can simply reply with our certification. In the end, this takes a load off our customers’ minds, checks the box off their audit list, and helps them move faster through their audit.
Q: Is SOC2 – Type 2 a one-time thing or continuing investment?
A: It’s an ongoing process. As long as we want to maintain this certification, it will be a forever endeavor. Annual audits require on-site observation of our practices and procedures. Continuous work is needed for internal disaster planning, regular testing or simulations, password protection policies, acceptable use, and staff training, and pen testing. And in the world we live in, technology and security are constantly evolving, so our tools and documentation must be regularly updated.
Q: Is there anything else you want to add regarding this achievement?
A: As a as a trusted partner to you, these were things that we’ve had in place for a while. We did not have to make wholesale large changes to achieve this certification. We had to do a better job of documenting changes and holding onto certain pieces of information. For the most part, it was smoothing off some edges and polishing some things up. And now, we have the peace of mind knowing if something bad does happen, the right things are in place to recover very quickly. We’ve got a solid foundation in place to be in business for the next 20 years.
Contact us to learn more about how our team can help you stay ahead of the curve.
