Compliant File Sharing

The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2), commonly referred as FIPS 140-2, is a US government computer security standard used to validate cryptographic modules. FIPS 140-2 was created by the NIST and, per the FISMA, is mandatory for US and Canadian government procurements. Many global organizations are also mandated to meet this standard. FIPS 140-2 compliance has been widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and realistic best practice.

Torozo was tested and validated against the rigorous FIPS 140-2 encryption compliance standard. 

ISO 27001 certification demonstrates that your organization has invested in the people, processes, and technology (e.g. tools and systems) to protect your organization’s data and provides. an independent, expert assessment of whether your data is sufficiently protected. The company expect to complete its ISO 27001 Certification by mid 2022. 

ISO/IEC 27018:2019 is an information security code of practise for cloud service providers who process personally identifiable information for their customers. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls. It details privacy requirements and security control enhancements for privacy to be implemented by cloud service providers.
 
It is complementary to ISO 27017:2015, Security Control for Cloud Services, and to ISO 27701:2019, Privacy Information Management, both of which also extend ISO 27001:2013.
 
As an extension to ISO 27001, ISO 27018 provides guidance on 16 ISO 27002 controls, as well as providing 25 new privacy and security controls:

• The requirement to cooperate with PII controllers
• The maintenance of PII principals’ rights
• Compliance with fundamental privacy requirements, such as data minimisation and accuracy
• The principles of transparency and accountability
• Additional security controls
• Requirements for sub-contracted processing

The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.

This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002, and provides additional controls to address cloud-specific information security threats and risks referring to clauses 5-18 in ISO/IEC 27002: 2013 for controls, implementation guidance, and other information. Specifically, this standard provides guidance on 37 controls in ISO/IEC 27002, and it also features seven new controls that are not duplicated in ISO/IEC 27002. These new controls address the following important areas:

• Shared roles and responsibilities within a cloud computing environment
• Removal and return of cloud service customer assets upon contract termination
• Protection and separation of a customer’s virtual environment from environments of other customers
• Virtual machine hardening requirements to meet business needs
• Procedures for administrative operations of a cloud computing environment
• Enabling customers to monitor relevant activities within a cloud computing environment
• Alignment of security management for virtual and physical networks

The Service Organization Control (SOC) 2 Type II examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities, and tested those controls to ensure that they are operating effectively.

SOC 2 is based on Policies, Communications, Procedures and Monitoring. The specific Trust Service Principles explained below must be met in order to successfully achieve certification.

Security: The system has controls in place to protect against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely and authorized.
Confidentiality: Information that is designated as “confidential” by a user is protected.

The Type II report is issued to organizations that have audited controls in place and the effectiveness of the controls have been audited over a specified period of time. 

Type II Certification consists of a thorough examination by a third party firm of an organization’s internal control policies and practices over a specified period of time. This independent review ensures that the organization meets the stringent requirements set forth by the AICPA and CICA. When trusting an application with highly sensitive and confidential information, such as passwords, documents and secure images, obtaining high level certification is imperative.

The Company has started its SOC 2 Type II certification process and expects certification by the end of Q3 2022