MetCredit is SOC2 Certified
SOC stands for “system and organization controls,” and the controls are a series of standards designed to help measure how well a service organization conducts and regulates its information. The purpose of SOC standards is to provide confidence and peace of mind for organizations when they engage third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant who determined the firm has the appropriate SOC safeguards and procedures in place. MetCredit’s SOC audit has been conducted by Auditwerx.
What Does the SOC 2 Audit Examine?
SOC 2 looks at the systems used to deliver the services, and the controls over those systems. These systems include Infrastructure, Software, People, Data and Procedures. Demonstrating proficiency across these criteria is an attestation to the privacy and security controls:
- Security: Systems are protected against unauthorized access, both physical and logical
- Availability: the system is available for operation and use as committed or agreed
- Processing Integrity: system processing is complete, accurate, timely, and authorized
- Confidentiality: information designated as confidential is protected as committed or agreed
- Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP)
What Does SOC Compliance Mean for MetCredit Customers?
SOC 2 Type 2 compliance assures MetCredit customers that we have best-in-class safeguards and procedures in place to ensure the security of their information, including the following policies, plans and processes.
- Employee Security Policy
- Business Continuity Plan
- Change Control Policy
- Cryptographic Controls Policy
- Incident Management Plan
- Data Retention and Disposal Policy
- Quality Assurance Policy
- Password Policy
- Patch Management
- Procedure for Incident Handling
- Technology Equipment Disposal Policy
- Disaster Recovery Plan
- Vendor Management Process
MetCredit’s Risk Assessment Process
MetCredit has a cross functional risk assessment process that utilizes management and staff to identify risks that could affect the Company’s ability to meet contractual obligations. Risk assessment efforts include analyses of threats, probabilities of occurrence, potential business impacts, and associated mitigation plans.
MetCredit employs a formal risk assessment process and an established Operating Risk Policy. The Operational Risk Policy is reviewed and reassessed on an annual basis by the Senior Management Team. Company resources understand their responsibility in reducing the risk of compromise and exercise appropriate security measures to protect systems and data. The risk management process employs a risk analysis that includes the following risk areas:
- Compliance
- Reputational
- Transaction
- Environmental
- Regulatory
- Technology
Trust Services Criteria and Related Controls
The security, availability, confidentiality, processing integrity and privacy categories and applicable trust services criteria were used to evaluate the suitability of design and operating effectiveness of controls. Criteria and controls designed, implemented, and operated to meet them ensure the system:
- Security – is protected against unauthorized access (both physical and logical).
- Availability – is available for operation and use.
- Confidentiality – designates personal information as confidential.
- Processing Integrity – processes all transactions in an accurate and timely manner.
- Privacy – protects personal information against unauthorized use or disclosure.
For more information about MetCredit’s services and how we protect our clients, please contact us.