Faced with evolving threats to the integrity of professional and higher-education exams, assessment solution vendors must take steps toward data security and privacy assurance. Credentialing programs and higher-ed institutions want—and deserve—to know whether their vendor has established systems and security controls to safeguard their organization and test-taker data. One of the best ways to provide this assurance is to become SOC 2 Type II compliant.
Meazure Learning’s remote proctoring platform—the ProctorU Proctoring Platform—has recently achieved SOC 2 Type II compliance. This certification is an important indicator of our company’s commitment to maintaining stringent privacy and security standards, confirmed by an external auditor.
In this article, we’ll describe the process and explore how it differs from other SOC certifications. More importantly, we’ll reveal how it benefits users of our remote proctoring platform.
What Is SOC 2 Type II Compliance?
A System and Organizations Control (SOC) audit and the subsequent report examine a service organization’s internal controls and systems relating to security, processing integrity, confidentiality, and data privacy.
In the assessment industry, the SOC report verifies that the organization:
- Has the required security controls to protect the client and test-taker data against known and emerging threats
- Has an alert system to detect exam anomalies and violations across the platform
- Can recover from a security breach or system failure quickly
Of the three types of SOC reports, SOC 2 compliance audits measure a vendor’s formal commitment to data management and security best practices. Meazure Learning was evaluated on three trust service principles (TSP): data security, confidentiality, and customer privacy standards.
Moreover, SOC 2 reporting is broken into two types: SOC 2 Type I and SOC 2 Type II. Both types measure the effectiveness of a vendor’s data governance policies and procedures. However, there are significant differences between the two.
How Do SOC 2 Type I and Type II Differ?
The Type I report details a vendor’s standards at a specific point in time—typically a single day. The audit and subsequent report validate that the vendor’s security systems and policies work as intended at that point.
The Type II report is different because it proves that those systems and policies are followed over a longer period of time—typically 6 to 12 months. It confirms that the vendor maintains and adheres to its security standards throughout regular business operations.
Because the Type I audit lasts for a very short period of time, it requires minimal data and documentation. In contrast, the extended coverage of the Type II audit requires a significant investment of both vendor time and resources.
What Does a SOC 2 Type II Audit Measure?
The SOC 2 Type II audit evaluates the security of a vendor’s data systems as well as the policies and procedures around how it manages, transfers, stores, and secures data. The vendor must develop documentation around its processes so the auditor can understand how it manages and governs data, maintains client and test-taker confidentiality and privacy, and more.
The SOC 2 Type II audit reviews the following areas during a vendor’s daily operations:
- Infrastructure: The physical and hardware components that support the vendor’s platform and help deliver services
- Software: The operating software and programs the vendor uses to process raw data and turn it into usable information
- Personnel: The people involved in the management, security, governance, and operations to deliver services to clients
- Data: The files, databases, transaction streams, and tables the vendor uses
- Procedures: The manual or automated procedures that connect the vendor’s processes
Why Is SOC 2 Type II Compliance Important in Assessment?
As security threats continue to multiply and evolve, professional testing organizations and academic institutions deserve to know how assessment vendors handle their sensitive data. If a vendor is not SOC 2 compliant, an objective auditor has not evaluated and certified the vendor’s controls. That means organizations must rely on the vendor’s word that their sensitive data can be reliably protected over time.
How Does It Benefit Our Proctoring Clients?
Our new certification gives users of the ProctorU Proctoring Platform more confidence and assurance that their critical data is properly secured. Because SOC 2 requirements are publicly available, our clients can better understand how we store, manage, and maintain their data. They can also find details about the tests performed by the independent auditor and the results of those tests. These learnings can help facilitate conversations with our security and compliance experts about current platform capabilities and future improvements.
“Obtaining the SOC 2 Type II compliance certification validates our team’s commitment to upholding rigorous data security processes and controls. Completing the audit required significant time, energy, and coordination across our organization, but it shows that we take our responsibility to protect client data seriously and provides transparency around our efforts to continuously improve the ProctorU Proctoring Platform.”—Shawne Hodges, Senior Vice President of Service Delivery, Meazure Learning
Why Should You Ask Proctoring Providers If They’re SOC 2 Compliant?
Stakeholders should have access to evidence that their assessment vendor has proper internal controls and security systems. To ensure the privacy of their data and prevent future breaches, the stakeholders must have independent assurance that their vendor is storing, managing, and protecting their organization’s sensitive data.
If a vendor has SOC 2 Type II certification, the stakeholders can see how the vendor follows its security standards during daily operations. The certification offers insight into whether the vendor may put an organization’s data and reputation at risk. Assessment leaders can use this knowledge to vet potential vendors and determine whether they adhere to standards around data security, confidentiality, and privacy.
In summary, data security will be increasingly important to address as assessment continues to evolve online. That’s why you need evidence that your assessment solution vendor practices what it preaches. Not only is your data at stake, but your future reputation and the trust of your test-takers are as well.
To learn more about our approach to data security and how we can help you securely deliver and proctor exams, please email us at [email protected].