SOC 2 Certification Requires An Anonymous Reporting Tool
Effective compliance and ethics programs have been a government-mandated business practice for more than two decades now. The COVID-19 pandemic and the resulting shift in workplace cultures have only added to the pressure.
SOC 2 now includes a control, related to the anonymous reporting of security and privacy concerns, that companies seeking SOC 2 certification (strictly speaking, a SOC 2 attestation report) must satisfy. In short, every company that wants to become SOC 2 certified - most typically a company that handles sensitive customer data - must have an anonymous reporting tool in place so that employees can speak up and alert the company to a potential security issue or privacy concern without fear of retaliation.
In an ideal world, an anonymous or confidential reporting feature would be built into or with a comprehensive code of business conduct and ethics. Such a program would be ingrained into a company’s culture, led by upper management, and be designed to prevent and detect criminal conduct. The program would also be maintained via regular refreshers, company-wide communications, and overall workplace culture.
However, for companies with limited resources looking for a first step, an anonymous reporting software tool can make SOC 2 compliance much easier to achieve. It is important, though, to be thoughtful when deciding what kind of system to set up for hearing about and responding to these concerns. Some companies, for example, choose systems that are too simple, such as an internal email alias that people can send reports to. The problem with this kind of solution is that the reporter is not granted anonymity: the sender's address is visible to everyone who reads the mailbox, so employees rarely feel comfortable reporting issues or even giving honest feedback. By contrast, 74% of employees in a recent survey said they would be more likely to report issues if they could do so completely anonymously.
Whistleblower hotlines are another solution that is often considered. Unfortunately, most people who notice security issues, or who have helpful feedback, do not necessarily think of themselves as whistleblowers. More often than not, whistleblower systems are clunky, intimidating, and not designed for reporting security or privacy concerns. Most of them also lack a strong follow-up communication process, so companies are often left with fragmented or incomplete reports and no way to get back to the person who raised the issue in order to resolve it.
AllVoices was built to address the gaps left by outdated software and internal systems. We had in mind the employee or former employee who is nervous about submitting a report under their real name or email address but has an important insight to share that could benefit the security practices - or any other aspect - of their company.
Our user experience is simple, mobile-friendly, and highly secure, with a robust follow-up mechanism in place, while protecting the identity of any employee who chooses not to share it.
We have partnered with Vanta so that Vanta customers know about our service and can implement AllVoices quickly and easily to meet the SOC 2 requirement for a truly anonymous reporting tool. Learn more at allvoices.co/vanta and get your company signed up today!