Always Improving: Achieving SOC 2 Type II Certification | MDRG

Christine Carll

Director of Quantitative Methods

We’re all used to a learning curve when taking on a new challenge at work and the reward is usually having a better process in the long run. Last year, MDRG took on a new challenge – becoming SOC certified – and the reward has indeed been better processes. MDRG passed a SOC 2 Type II audit – and we were recently re-certified.

In layman’s terms, it means that an independent auditor certified that we can be trusted with even the most sensitive information. Some of our healthcare and financial services clients require this certification currently. We believe other clients are not far behind as more information is stored and transferred electronically. You can Google SOC 2 Type II and find out all the gritty details, so I won’t bore you with that. I will, however, describe what it takes for us to maintain that certification.

The Improvements

MDRG went well beyond having complex passwords that need to be changed every 180 days. To name just a few new processes, we now have:

  • Written policies and procedures that cover all aspects of information security from who can access data to how to destroy old equipment
  • Weekly reviews of our written policies and procedures
  • A secure client portal to transfer files
  • Encryption of our backup data
  • Virtual locks on our hard drives so even if they are put into another computer (one without a password), the data cannot be read
  • A sophisticated firewall that allows us to access the internet, but keeps threats out

We had help from IT professionals who set up the firewall and client portal, for example, but it’s been up to us to generate the written policies and procedures, train staff, and change the way we operate. Granted, our operations were not far from being “best practices” before we began the certification process, but all those practices had to be documented and officially implemented. Once we had our new processes (“controls”) in place, an auditor checked our work. That company reviewed six months of server logs, read our security policies, interviewed our IT support, and spent an entire day at our office. The result? We passed – becoming SOC certified! We were thrilled again when we were re-certified! But enough about us, what does this mean to you?

What Does It Mean to You?

It means that when you need us to conduct research using a list of your customers – even a list with personal health information – we have processes in place that are certified as trustworthy and safe. The customer file will never be transferred through email. The file itself will be password protected on our server and only employees with certain privileges will have access to the password. Any vendors we use to field the research will have the same level of security as we do. It means that you can focus on your job and not worry about personal customer information getting into the wrong hands.
