ARIN Achieves Compliance with SOC 2 Type 2 and PCI DSS Security Standards
October 2023 was a big month at ARIN. We hosted an amazing ARIN 52 Public Policy and Members Meeting, finished a record-breaking ARIN Elections cycle, and now I can officially say that ARIN also successfully completed its Service Organization Controls (SOC) 2 Type 2 audit for our Resource Public Key Infrastructure (RPKI) and demonstrated compliance with the PCI DSS (Payment Card Industry Data Security Standard) for ARIN Online.
Each of these is a tremendous achievement for ARIN and for our community, because each is a testament to ARIN’s efforts to safeguard our systems, services, and customer data.
Both SOC 2 and PCI DSS are security frameworks that evaluate an organization’s technical, process, and people-related data and security controls, but which organizations employ each framework, and why, differs between the two.
SOC 2 is a security framework created by the American Institute of Certified Public Accountants (AICPA) to verify Software as a Service (SaaS) companies and is designed specifically for service providers storing customer data in the cloud. An organization that is seeking to certify a specific product, service, or combination of them is well-suited for the use of SOC 2. It provides an organization with the flexibility to focus on the security controls that are most important to the operation of the audited system — RPKI in this case — and not spend resources on the ones that are not applicable.
SOC 2 audits come in two forms: Type 1 and Type 2. While both assess the same trust service principles (security, availability, processing integrity, confidentiality, and privacy), they differ in terms of scope and duration.
The SOC 2 Type 1 audit, which ARIN completed in December 2022 for RPKI, evaluates the design and implementation of an organization’s controls at a specific point in time. It assesses whether the controls are suitably designed to achieve their intended objectives. In essence, it provides a snapshot of an organization’s control environment at a particular moment.
The SOC 2 Type 2 audit, which ARIN completed 31 October 2023 for RPKI, goes a step further. It assesses not only the design of controls but also their operating effectiveness over a specified period. This typically involves testing and monitoring those controls throughout the period to confirm they are working as intended. A Type 2 audit therefore provides a more comprehensive and continuous view of an organization’s commitment to data security.
To learn more about ARIN’s SOC 2 journey, read this blog post from early 2023.
PCI DSS is an industry-specific security framework adopted by the Payment Card Industry Security Standards Council (PCI SSC) and is required of organizations that accept payments via credit or debit card. Changes in ARIN’s banking and payment system in January 2023 made it necessary to demonstrate compliance with the PCI DSS security framework, which was successfully completed 12 October.
PCI DSS features 12 high-level requirements designed to provide a solid foundation for data security. These requirements cover various aspects of security, including network architecture, access control, encryption, vulnerability management, and security policies, among others. Adherence to these standards helps organizations mitigate the risk of data breaches and fraud, thereby enhancing customer protection and ensuring the confidentiality and integrity of sensitive information.
And Now What?
ARIN has implemented various measures to protect your information and to ensure that your communication with ARIN is trusted, including: following security industry best practices to protect your data that is stored and managed at ARIN; performing annual third-party security audits; taking steps to protect your data; and requiring strong passwords and two-factor authentication (2FA) for ARIN user accounts. Now we can add “demonstrating compliance with SOC 2 and PCI DSS” to that list.
It’s valuable to have a third party verify our efforts and attest to the steps we’ve taken to demonstrate and improve security, but we don’t intend to rest on our laurels. Our next steps include improving the efficiency and effectiveness with which we execute our security goals and engage with our auditors. We understand the critical importance of securing your data, and we’re focused on consistently improving what we do and how we do it.
For more information on ARIN’s security practices, please visit our Security page.