Document Availability During Scanning & SOC 2 Reporting
Working with a document scanning company that has received its SOC 2 Type 2 Report helps ensure the confidentiality and security of your documents while in their facility. A SOC 2 Type 2 Report also ensures your documents are available to you while in process, and while being stored digitally at the document scanning facility and in cloud document management software.
To ensure that the systems used for processing, storing and hosting your documents and data are available, controls are implemented, tested and audited. Below is a list of some of those controls.
- Business continuity/disaster recovery plan (BCP/DRP)
- A formal plan provides reasonable assurance that redundancy is built into the document scanning company’s servers to minimize system downtime. Redundant servers should be located outside of the geographic area in case of widespread local disruptions. The BCP/DRP must be reviewed and updated annually, or as major system or operational components change. A risk assessment of potential threats and disruptions is performed as part of the annual update to the BCP/DRP and the documented processes are tested with updates implemented if necessary.
- A policy that covers what data is backed up and how often, storage retention, restoration and testing of backups. Backup software solutions should optimally perform on-site replications and enable off-site replication to a backup facility located outside of the geographic area. Backup processes must be monitored to ensure they are completed as scheduled.
- On-site back-up replication
- Incremental backups should occur at least daily and merge with the full backup weekly. Automatic backup verifications should be completed with a bit by bit comparison in conjunction with manual verifications performed on the servers. The backups must be encrypted. Backup restores should be tested and verified weekly.
- Off-site replication
- Local backups should be replicated to an off-site location in a constant synchronization scenario. When changes are detected, data should be replicated until each site matches.
- Client data back-ups
- Scanned images and data created during scanning and final versions of conversion service jobs that have been delivered to you should be backed up, encrypted, digitally stored and available for a pre-determined timeframe.
- Vault storage of data files
- A physical backup of your scanned and indexed documents on encrypted media stored offsite in a Department of Defense (DOD) level secure vault provides an additional level of backup.
- Data center monitoring
- In order to ensure the data center is available, it should be equipped with the following environmental controls: (1) monitored temperature and water sensors, (2) dedicated heating and air conditioning (HVAC) with failover to a second unit on a separate circuit and (3) monitored heat detection and fire suppression that deploys only in the area where sensed and a dry chemical fire extinguisher.
- Guaranteed uptime of hosted document management systems
- Vendors should guarantee uptime of 99.9% in a discrete, 24 hour period in their Service Level Agreements and execute automated monitoring (24/7/365).
- Customer support
- Authorized clients should be provided with a support phone number and/or email contact to assist with any security or availability issues.
Don’t Take Our Word for It
A SOC 2 Type 2 Report is based on an annual audit conducted by a reputable accounting firm. Ask to see a copy of the report to ensure a document scanning company has passed the audit without exceptions. A visit to the document scanning facility is another way to attain peace of mind before you outsource your scanning.