ARIN Meets ‘SOC 2’ Industry Standard for Security Compliance

Information security and data protection, which are critical to defending against threats such as fraud, hacking, and phishing attacks, have always been a top priority at ARIN. From the start, we dedicated significant resources to ensuring the secure design of our systems and the careful safeguarding of our customers’ data.

We have implemented various measures to protect your information and to ensure that your communication with ARIN is trusted, including: following security industry best practices to protect your data that is stored and managed at ARIN; performing third-party security audits on an annual basis; taking a number of steps internally to protect your data; and requiring strong passwords and two-factor authentication (2FA) for ARIN user accounts.

Now, recognizing the importance of cybersecurity to organizations and individuals around the world and the value of Service Organization Control (SOC) 2 as a relevant framework to North America and our customer base, we are pleased to announce that ARIN has successfully completed the SOC 2 Type 1 audit of its Resource Public Key Infrastructure (RPKI) as of December 2022.

What is SOC 2?

SOC 2 is a security framework created by the American Institute of Certified Public Accountants (AICPA) to evaluate the level of data management and security in service organizations. Every SOC certification requires verification of all claims by a third-party auditor.

The SOC 2 certification — which verifies technical, process, and people-related data controls for Software as a Service (SaaS) companies and is designed specifically for service providers storing customer data in the cloud — defines criteria for managing customer data based on five Trust Service Principles (TSP): security, availability, processing integrity, confidentiality, and privacy.

SOC 2 Type 1 defines an organization’s systems and determines whether their operational processes will meet the relevant TSP by evaluating the design of secure procedures and controls at a specific point in time. Significant preparation is needed for the required audit, and ARIN’s SOC 2 Type 1 certification is the result of many months spent across the company defining and agreeing upon our security policies and operational procedures.

What does ARIN’s report cover?

ARIN has successfully completed a SOC 2 Type 1 audit examination for organization-wide controls with a focus on our RPKI product. The relevant policies, procedures and infrastructure were assessed by an independent auditing firm. We reported on two of the Trust Service Principles (TSP) — Security and Confidentiality — the ones most immediately applicable to RPKI.

Certification for security (aka “common criteria”) demonstrates that by implementing reasonable security safeguards within applications, networks, and infrastructure, our organization prevents unauthorized access or disclosure and mission-compromising damage to systems. Confidentiality measures including access control and encryption protect sensitive data deemed confidential by policy or agreement from misuse, manipulation, or abuse.

The SOC 2 Type 1 report will not be made publicly available, but copies will be provided to ARIN customers who request the full report for use in their own security questionnaires.

Why did we complete it?

Pursuing a SOC 2 report is neither a regulatory nor a legal requirement, but it provides verifiable assurance to you, our community, of the strength and quality of data management and security policies. ARIN’s voluntary compliance demonstrates its ongoing commitment to protecting sensitive customer and organizational data from unauthorized access via its infrastructure, tools, and processes. The process of collecting evidence for SOC 2 Type 1 highlighted any gaps in our data security in a systematic way, giving us an opportunity to fix them while preparing for the audit.

What’s next?

Achieving this certification is a significant step in our commitment to securing our customers’ data, and we are happy to have demonstrated SOC 2 Type 1 compliance — but we know the journey is not over. As ARIN continues to fulfill its mission to support the operation and growth of the Internet, we will continue to go through rigorous processes to prove our data and our clients’ data are securely stored and managed. We look forward to completing our SOC 2 Type 2 audit (which tests security controls over a period of time) this year and will notify our community upon its completion.

For more information on ARIN’s security practices, please visit arin.net/security.

Post written by:

Christian Johnson
Chief Information Security Officer
