The Internet Crime Complaint Center (IC3) has received more than 7.3 million complaints since its inception in 2000. As businesses rely more on technology and data, and as fraudsters continue to phish, spoof, and compromise the business emails of many, the need for robust security measures is greater than ever.
This is especially true for companies working in the real estate industry, where instances of wire fraud have increased at a rate of 145% year-over-year. To effectively safeguard nonpublic personal information (NPI), title companies rely on the constantly evolving guidelines set forth by the American Land Title Association (ALTA) Best Practices.
In addition to adhering to these practices themselves, title companies must also ensure that their software partners exhibit an equal commitment to information security and hold them in the same regard. While a software partner may have the necessary information security standards in place (e.g., establishing a Written Information Security Plan [WISP]), title companies need to ascertain whether all security measures required by ALTA Best Practices are being actively implemented. Therefore, title companies should vet software partners for alignment on security practices.
In order to discern the extent of a software partner’s commitment to implementing necessary security measures and dedication to enhancing its information security practices, look for two critical assessments: Statement on Standards for Attestation Engagements 18 (SSAE 18) SOC 2® and International Organization for Standardization (ISO) 27001. By seeking out SOC 2 reports and/or ISO 27001 certifications, businesses can be confident that the software partner upholds the highest standards of security and constantly strives to safeguard valuable data.
SSAE 18 SOC 2: The AICPA’s auditing procedure for information security controls
SOC 2 (Service Organization Control 2) is an auditing procedure developed by the American Institute of Certified Public Accountants (AICPA) that ensures that a service provider’s information security controls align with the AICPA’s Trust Services Criteria. SOC 2 reports provide an independent assessment of a company’s ability to protect customer data and ensure system availability. Although a software partner may obtain a SOC 2 report, it’s important for title companies to do their due diligence and read and evaluate the SOC 2 report. The report is not “pass or fail”; it provides transparency into the organization’s security practices, highlighting any potential vulnerabilities or deficiencies. This information helps businesses make an informed decision about whether the vendor is a suitable and trustworthy partner.
There are two types of SOC 2 reports: Type I and Type II. A Type I report evaluates the design of a company’s controls at a specific point in time, while a Type II report assesses both the design and the operating effectiveness of those controls over a specific period (usually six months). Both assessments measure a company’s internal controls over security, availability, processing integrity, confidentiality, and privacy. These principles ensure customer data is secure, available when needed, and processed accurately and consistently.
A SOC 2 Type II assessment is a more intensive process than a Type I assessment due to the longer testing period, rigorous evaluation of controls, demonstration of control effectiveness over time, and the requirement for continuous improvement and remediation. A Type II report more accurately reflects an organization’s commitment to maintaining effective security and privacy controls.
Some basic requirements for attaining a SOC 2 report include:
- Trust Services Criteria: Organizations undergoing assessments must demonstrate compliance with the previously mentioned principles that align with the AICPA’s Trust Services Criteria.
- Written Policies and Procedures: Organizations must have written policies and procedures in place that outline their information security controls and practices. These policies should address areas such as access controls, data classification, incident response, risk management, and employee training.
- Security Controls Implementation: SOC 2 assessments evaluate whether organizations have implemented a wide range of security controls to protect sensitive data and systems. These controls may include logical access controls, network security, encryption, monitoring systems, change management processes, and physical security measures.
- Risk Assessment and Management: Organizations must conduct regular risk assessments to identify potential risks and vulnerabilities to their systems and data. They should establish processes for risk management, including risk mitigation strategies and ongoing monitoring of risk levels.
- Monitoring and Incident Response: Organizations need to implement mechanisms for monitoring and detecting security incidents. They should have an incident response plan in place that outlines the steps to be taken in the event of a security breach or incident, including notification procedures and remediation measures.
- Third-Party Vendor Management: SOC 2 assessments identify whether organizations evaluate and manage the risks associated with their third-party service providers. This includes conducting due diligence assessments, ensuring that vendors have appropriate security controls in place, and monitoring their performance.
- Documentation and Audit Trail: Organizations must maintain proper documentation of their information security controls, policies, procedures, and audit logs. This documentation serves as evidence of their compliance with SOC 2 requirements and supports the audit process.
The specific requirements of SOC 2 may vary depending on the nature of the organization’s services, the industry it operates in, and the specific objectives of the audit.
ISO 27001: A framework for information security management systems
ISO 27001 is a globally recognized information security standard that provides a framework for an information security management system (ISMS). The standard outlines best practices for implementing security controls, risk management, and continuous improvement. ISO 27001 focuses on the confidentiality, integrity, and availability of information.
The components of ISO 27001 include risk assessment and treatment, security controls, policies and procedures, training and awareness, and monitoring and measurement. The standard emphasizes the importance of risk management and the need to evaluate and improve the ISMS continually.
Some basic requirements for achieving ISO 27001 certification include:
- Management Commitment: Top management must demonstrate a clear commitment to information security by establishing an ISMS policy, assigning roles and responsibilities, and providing necessary resources for its implementation and maintenance.
- Risk Assessment and Treatment: Organizations must conduct a systematic risk assessment to identify and evaluate potential risks to the confidentiality, integrity, and availability of information. Based on the risk assessment, appropriate risk treatment plans should be developed and implemented to mitigate or address identified risks.
- Information Security Policies: Organizations need to establish and maintain a set of information security policies that define their objectives, responsibilities, and rules for protecting information assets. These policies should align with the organization’s overall business objectives and comply with relevant legal and regulatory requirements.
- Asset Management: An inventory of information assets must be established, including identification of their ownership, classification, and appropriate protection measures. This helps ensure that information assets are properly managed and protected throughout their lifecycle.
- Access Control: Organizations must implement access controls to ensure that only authorized individuals can access specific information and resources. This involves defining user access privileges, implementing authentication mechanisms, and monitoring access activities.
- Incident Management: Organizations should establish an incident management process to effectively detect, respond to, and manage information security incidents. This includes reporting incidents, conducting investigations, implementing corrective actions, and learning from security incidents to prevent their recurrence.
- Employee Awareness and Training: Organizations must provide awareness and training programs to employees to ensure they understand their information security roles, responsibilities, and best practices. Regular training helps promote a security-conscious culture and enhances the organization’s overall security posture.
- Compliance with Legal and Regulatory Requirements: Organizations must identify and comply with applicable legal and regulatory requirements related to information security. This includes data protection laws, privacy regulations, and industry-specific compliance obligations.
- Monitoring and Measurement: Regular monitoring and measurement of the ISMS performance are essential to ensure its effectiveness. This involves conducting internal audits, management reviews, and performance evaluations against defined objectives and controls.
- Continual Improvement: ISO 27001 emphasizes the importance of continual improvement in information security practices. Organizations are required to regularly review and update their ISMS to address changing risks, technological advancements, and business requirements.
These requirements provide a framework for establishing and maintaining an effective ISMS. It’s important to note that ISO 27001 is a flexible standard, allowing organizations to tailor its implementation to their specific needs and context while meeting the overall requirements of the standard.
Differences between SOC 2 and ISO 27001
While both SOC 2 and ISO 27001 focus on information security, there are a few key differences between the two.
- Assessment Type: SOC 2 is an assessment focused on compliance and auditing that results in an attestation report. As previously mentioned, SOC 2 does not follow a strict “pass or fail” approach. It states whether a company has internal controls and how effective those controls are. It’s up to the title company to review and evaluate the report to determine if the software partner is an appropriate and dependable vendor. By contrast, ISO 27001 is an audit focused on security management that results in a certification.
- Scope: SOC 2 is limited in scope to a software partner’s controls related to the AICPA’s Trust Services Criteria, while ISO 27001 covers the entire information security management system.
- Accreditation Process: SOC 2 audits are conducted under the AICPA’s standards by qualified independent CPAs. ISO 27001 certification, by contrast, is carried out by certification bodies overseen by accreditation bodies such as the ANSI National Accreditation Board in the US.
Note that the choice of accreditation bodies and certification bodies may differ based on the country or region where the assessment is pursued. It is crucial for organizations to choose accredited and reputable bodies for SOC 2 and ISO 27001 assessments to ensure the assessors’ credibility and validity.
Commonalities between SOC 2 and ISO 27001
Despite their differences, SOC 2 and ISO 27001 have some commonalities in their focus on information security and their objectives.
- Security Controls: Both emphasize the implementation of effective security controls to protect sensitive information. They require organizations to establish and maintain robust security measures, such as access controls, data encryption, incident response procedures, and monitoring systems.
- Risk Management: Both SOC 2 and ISO 27001 emphasize the importance of risk management. They require organizations to assess risks, identify vulnerabilities, and implement appropriate measures to mitigate those risks. Regular risk assessments and ongoing monitoring are key components of both assessments.
- Compliance and Auditing: SOC 2 and ISO 27001 both involve compliance and auditing processes. They require organizations to undergo assessments by independent third-party auditors to verify their adherence to specific criteria and standards, and that adherence must be maintained over time to keep a SOC 2 report or ISO 27001 certification in good standing.
- Continuous Improvement: Both standards recognize the need for continuous improvement in information security practices. Organizations are expected to regularly evaluate their controls, policies, and procedures to identify areas for improvement and take appropriate actions to enhance their security posture. This emphasis on continuous improvement ensures that organizations adapt to evolving threats and maintain effective information security measures.
- Confidentiality, Integrity, and Availability (CIA): Both SOC 2 and ISO 27001 focus on the CIA triad of information security. They require organizations to protect the confidentiality of sensitive data, maintain the integrity of information, and ensure its availability when needed. This holistic approach to information security aligns with industry best practices and standards.
Benefits of working with a software partner with both SOC 2 and ISO 27001
Choosing a software partner with both a SOC 2 report and ISO 27001 certification can benefit title companies in several ways. It shows a commitment to information security, which is increasingly important in today’s business landscape. These assessments can also help title companies meet customer and partner requirements and improve their security posture, reducing the risk of data breaches and cyberattacks.
Furthermore, software partners that go through these rigorous assessments can help title companies comply with real estate industry standards such as the ALTA Best Practices. Working with a software partner that has a SOC 2 report and ISO 27001 certification can act as a proxy to show that they follow many of the same standards due to these assessments.
| ALTA Best Practices Requirements | By having a SOC 2 report in good standing and ISO 27001 certification, software partners demonstrate that |
|---|---|
| Pillar 2 requires that wire transfer verification service providers “be vetted to understand any risk of use, security protocols, and the providers’ protection of consumer data.” | They have effective, independently vetted security protocols in place to protect consumer data |
| Pillar 3 requires title companies to “select service providers and third-party systems whose information security policies are consistent with Company’s WISP.” | They have a WISP in place |
| Pillar 3 requires title companies to “Establish, and periodically test, a written business continuity and disaster recovery plan outlining procedures to recover and maintain information, business functions, and business processes in the event of a disruption or compromise of systems or facilities, including continuity of operation for Consumer Settlements, and timely notification of parties in case of any delays.” | They have a disaster recovery plan in place and continuously test the disaster recovery procedures |
| Pillar 3 requires title companies to “Establish, and periodically test, a written incident response plan designed to promptly respond to, and recover from, a cybersecurity incident.” | They have a cybersecurity incident response plan and continuously test that plan |
| Pillar 3 requires title companies to “Periodically review the Company’s security controls and the Company’s WISP and make appropriate changes to address emerging threats and risks to the Company’s information systems and NPI.” | They continuously review and update their security measures and the business’s WISP as the business landscape and risks evolve |
Importance of SOC 2 and ISO 27001 for businesses handling NPI
Qualia is SOC 2 Type II compliant and ISO 27001 certified. We align our internal security policies with the ISO 27001 framework and regularly assess our security and compliance using automated and manual evaluations.
By selecting a vendor that possesses both a SOC 2 report and ISO 27001 certification, title companies put in place the protections needed to secure sensitive information in today’s digital landscape. These assessments, if a software partner is found to have adequate security controls, demonstrate that they have implemented robust information security processes and protocols to uphold industry standards. With such a partnership, title companies can proceed with confidence, knowing that their chosen software partner is equally invested in safeguarding their valuable data. In an era where data breaches and cyber threats are ever-present, choosing a security-focused software partner is essential for title companies in the real estate industry.