Softdocs Blog

What Those Security Logos Actually Mean (and Why They Matter)

Cybersecurity Awareness Month is a fitting time to take a step back and reflect on your organization’s security posture.

At Softdocs, security is a top priority all year long. And our security certifications confirm our dedication to keeping your data safe.

If your eyes glaze over at the sight of acronyms like NIST and SOC, we don’t blame you. What do they mean? How do they overlap? Who are they for? Do they even matter? Is this something we need to worry about?

Spoiler alert: they matter.

To help you and your team stay up to speed, here is a jargon-free breakdown of each certification and its impact on your daily work.

Security Certifications: the Basics

Security certifications are formal validations and verifications that prove an organization follows strict standards on data and system protection.

Security certifications are awarded by independent third parties after a detailed audit. They confirm that the company has the right controls, policies, and processes in place to prevent data breaches, maintain privacy, and manage risk. They also assure customers that the company is not taking shortcuts. Compromised security is no security.

Certifications (as well as the effort to undergo the actual certification process, which is lengthy, expensive, and complicated in and of itself) are proof that an organization walks the walk with security.

The "So What" of Security Certifications

Working in the public sector, we are entrusted with the data of students, citizens, staff, and the organizations themselves. A strong security-first posture gives every Softdocs customer peace of mind.

For example, within the SOC 2 audit, the five Trust Services Criteria (TSC) measured are Security, Availability, Processing Integrity, Confidentiality, and Privacy. They directly evaluate our controls for managing customer data.

In detail:

  • Security: This ensures systems are protected from unauthorized access, disclosure, or damage. This includes using firewalls, intrusion detection, and access controls.
  • Availability: This ensures that the system, product, or service is available for use and operation as agreed upon. For example, the Softdocs cloud systems boast an uptime of 99.9995%.
  • Processing Integrity: This means that how the system processes information is complete, valid, accurate, timely, and authorized to meet the organization's objectives.
  • Confidentiality: This criterion focuses on protecting confidential information from unauthorized disclosure throughout its lifecycle.
  • Privacy: This specifically applies to personal information, verifying it is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies and Generally Accepted Privacy Principles (GAPP).

The SOC 2 framework enables Softdocs to manage risk proactively. We conduct risk assessments throughout the year to stay ahead of threats. We also focus on continuous improvement, whether it’s testing new spam filtering tools or updating staff training.

While security certifications are nice window dressing, we’re focused on practical, proactive security that actually keeps our clients safe.

What Each Security Logo Means

Understanding the nuts and bolts of each security certification gives you a better grasp of the standards we’ve met and maintained. So, let’s take a look at each in detail.

NIST 800-53

NIST 800-53 (National Institute of Standards and Technology Special Publication 800-53) is a comprehensive framework of cybersecurity controls, guidelines, and requirements. There are more than 1,000 criteria. Think of it as a big cybersecurity rulebook.

It was developed to help organizations manage risk and protect sensitive information across a wide range of systems. NIST 800-53 guides our security decisions, giving us confidence that our systems and processes not only meet some of the most rigorous cybersecurity standards in the industry, but actively protect customer data.

SOC 2 Type II

SOC 2 Type II (short for Service Organization Control 2 Type II) is a comprehensive, roughly year-long observation and audit of how we manage customer data.

The “2” distinguishes it from SOC 1, which focuses on financial controls, while Type II means the audit verifies that our controls are designed correctly and that we consistently follow them over time.

As noted above, SOC 2 is based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. It reviews every policy and procedure we’ve put in place over the year, from our disaster recovery plan to access controls, antivirus, and anti-malware protocols. Our auditor checks that the policies exist and verifies that we actually followed them.

SOC 2 Type II aligns with the NIST cybersecurity framework. To achieve a SOC 2 Type II certification, Softdocs needed to implement over 80 specific controls from the NIST publication.

We work with KirkpatrickPrice, a third-party auditor who conducted a thorough gap analysis and helped us identify opportunities to strengthen our program. After a full year of preparation and review, we successfully completed the SOC 2 Type II audit and received a formal letter of attestation.

In the last seven years of audits, Softdocs has never had an exception.

Bonus! SOC 3

SOC 3 (Service Organization Control 3) is a public-facing summary of SOC 2 Type II.

Because the full SOC 2 Type II report contains detailed and sensitive information about our policies, procedures, and internal controls, it’s only shared with clients or partners under a signed NDA. SOC 3, on the other hand, provides a high-level overview of our compliance and security practices without revealing confidential details, making it safe to share publicly.

This allows organizations like yours to see that Softdocs meets rigorous security standards without exposing the inner workings of our security program.

CJIS

CJIS stands for the Criminal Justice Information Services. CJIS is a division of the FBI and serves as a centralized hub for criminal justice information in the U.S.

CJIS Security Policy is a set of security requirements that any organization handling Criminal Justice Information (CJI) must follow. This includes:

  • Access controls and authentication
  • Encryption standards
  • Audit logging
  • Personnel screening
  • Physical security

This policy applies to law enforcement agencies, courts, prosecutors, and any vendors or cloud providers that handle CJI data on their behalf.

TX-RAMP Level 2

TX-RAMP (Texas Risk and Authorization Management Program) is a state-level framework designed to ensure that cloud services used by Texas government agencies meet strict security standards. It’s similar in structure to federal programs like FedRAMP and GovRAMP, which are also built on the NIST 800-53 cybersecurity framework.

Softdocs has achieved TX-RAMP Level 2, which means our systems and processes meet the state’s requirements for confidential and high-impact data — information that, if compromised, could have a significant effect on operations, assets, or individuals.

Softdocs’ platform is hosted on Microsoft Azure Government Cloud, which is GovRAMP and FedRAMP certified, giving additional assurance that our infrastructure aligns with federal standards.

Even if your organization is not in Texas, this certification should offer peace of mind about our diligence in upholding security.

Security Beyond Symbols

Security certifications are evidence of the processes, controls, and ongoing vigilance that keep your data secure. They are not just pretty graphics. Each logo reflects Softdocs’ proactive, year-round commitment to security.

Whether you’re a college or university, K-12 district, or government organization, you can have full confidence that our security philosophy isn’t just about compliance and certifications — it’s about doing the right thing for your data, your systems, and the people who rely on them every day.
