Information security is crucial to Paypa Plane. We have the requirements of our banking partners, our legal obligations and, above all, the need to protect the customer data entrusted to us. To that end, we are pleased to announce that in late 2022 we attained a SOC 2 Type 1 report for the Security criterion and are on the way to our Type 2.
SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) for reporting on controls relevant to the security, availability, processing integrity, confidentiality or privacy of the information a service organisation handles. A Type 1 report attests that the controls are suitably designed at a point in time; a Type 2 report attests that they operated effectively over a review period, which is why Type 2 follows Type 1.
How did we achieve it?
1. Information Assets & Access Controls
Information assets are the systems and data stores that hold the information our application needs to work. That sounds simple, but a large part of the controls focuses on this alone. Each asset requires an owner, a list of users with approved access and their access levels, a record of what types of data it contains, how critical the asset is, the backup plan if it fails, and how long it can be unavailable before action is needed, amongst many other things.
Access controls protect those information assets. A single sign-on (SSO) system with multi-factor authentication (MFA) is used to access critical information assets, which means all logins are managed centrally (and revoked centrally if needed). Conditional access rules look for unusual login behaviour, e.g. blocking logins from countries we do not operate in. A malicious actor would therefore need a valid username and password, access to the second factor, and knowledge of the access rules and a way around them before they could reach an information asset. Critical functions are restricted further: access requires an approval process with a documented rationale, and is provisioned for a limited time to perform a specific task.
Any device used to access an information asset becomes a vector for attack. Mobile Device Management (MDM) and endpoint protection are used to reduce this risk: they enforce operating system and application updates, enforce password policy on the device, and allow a remote wipe in the event of loss or theft.
2. Change Management Controls
Paypa Plane is still scaling, which means we are still building. As with building anything, there are safe, peer-reviewed, best-practice ways to do it. These controls address how we make changes to our system without introducing weaknesses or granting access to someone who should not have it. For us, building software, this means protecting our source code and making sure that every change is planned, approved and checked (peer review and automated tests) before it is deployed to the live system.
3. Detection, Monitoring & Resiliency Controls
Despite every effort to control access to information assets and to build robust systems with best-practice change management, things can still go wrong. Anything from a computing resource failing to a bad actor gaining access to a system can cause problems.
To address this, controls require systems to generate logs. Logs are sent to a central monitoring system that processes them and raises alarms as needed. When an alarm is raised, we follow our incident response process to contain the impact and communicate with affected parties. This is further tested with regular penetration testing and vulnerability scanning, designed to find what can go wrong in a controlled setting before an attacker does.
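As an added illustration of the two ideas above (conditional access rules that block unusual logins, and a central monitoring system that raises alarms from logs), here is a small Python example. It is not Paypa Plane's code; the log lines, the country allowlist, the two-hour travel window and the rule names are all constructed assumptions for the example. It evaluates a login event against an access policy (allowed countries plus mandatory MFA), then runs a detection pass over a batch of forwarded login logs, flagging logins without MFA, logins from unexpected countries, and "impossible travel" (one user in two countries within too short a window).

```python
"""Conditional access check and login-log detection (added example, not vendor code)."""
import json
from datetime import datetime, timedelta

# Assumed policy for the example: countries staff normally log in from,
# and the shortest gap between two countries we consider plausible travel.
ALLOWED_COUNTRIES = {"AU", "NZ"}
TRAVEL_WINDOW = timedelta(hours=2)

# Constructed sample log lines, in the JSON shape an identity provider might
# forward to a central monitoring system. Not real data.
SAMPLE_LOGS = [
    '{"ts": "2023-03-01T09:00:00Z", "user": "alice", "country": "AU", "result": "success", "mfa": true}',
    '{"ts": "2023-03-01T09:20:00Z", "user": "alice", "country": "RU", "result": "success", "mfa": true}',
    '{"ts": "2023-03-01T10:00:00Z", "user": "bob",   "country": "NZ", "result": "success", "mfa": true}',
    '{"ts": "2023-03-01T10:05:00Z", "user": "bob",   "country": "NZ", "result": "success", "mfa": false}',
    '{"ts": "2023-03-01T11:00:00Z", "user": "carol", "country": "AU", "result": "failure", "mfa": false}',
]


def parse_line(line):
    """Parse one JSON log line; timestamps are UTC with a trailing Z."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def conditional_access(rec):
    """Enforcement side: decide whether a login attempt should be allowed.

    Returns "allow" or "deny:<reason>". A login is denied if MFA was not
    completed or the source country is outside the allowlist.
    """
    if not rec.get("mfa"):
        return "deny:mfa_required"
    if rec.get("country") not in ALLOWED_COUNTRIES:
        return "deny:country_not_allowed"
    return "allow"


def detect(lines):
    """Monitoring side: scan successful logins and return a list of alerts.

    Each alert is (rule, user, timestamp). Rules:
      mfa_missing        - a successful login without MFA
      unexpected_country - a login from outside ALLOWED_COUNTRIES
      impossible_travel  - same user, different country, within TRAVEL_WINDOW
    """
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of their previous successful login
    events = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    for rec in events:
        if rec["result"] != "success":
            continue  # failed attempts are out of scope for these rules
        user, ts, country = rec["user"], rec["ts"], rec["country"]
        if not rec["mfa"]:
            alerts.append(("mfa_missing", user, ts))
        if country not in ALLOWED_COUNTRIES:
            alerts.append(("unexpected_country", user, ts))
        prev = last_seen.get(user)
        if prev is not None and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user, ts))
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_line(line)
        print(f"{rec['user']:6} {rec['country']} -> {conditional_access(rec)}")
    for rule, user, ts in detect(SAMPLE_LOGS):
        print(f"ALERT {rule:18} user={user} at={ts.isoformat()}")
```

Running it shows that the access check would have denied alice's second login outright, while the detection pass still surfaces it (and bob's MFA-less login) after the fact, which is the point of having both layers: enforcement stops what the rules anticipate, monitoring catches what slipped through or what the rules did not cover.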
4. Controls to make it all work
There are many more controls in SOC 2 that make this all work: hiring the right people and providing proper training; getting buy-in and oversight from the board and senior management; communicating effectively inside the company, with customers and with regulators; building policies, assessing competencies, holding people accountable and encrypting data everywhere. Risk assessments are performed across the entire company to identify what can go wrong before it does, quantify those risks and apply resources to address them.
The threat landscape and the cybercrime industry move fast, and bad actors are quick to adapt and exploit any weakness. Continual improvement of our information security program is therefore fundamental to its success. There is no end point to information security, because there is no point at which threat actors stop adapting. For us at Paypa Plane, our SOC 2 Type 1, with our SOC 2 Type 2 underway, is a stepping stone on an ongoing journey to a more secure future.