“Our clients are assured that our web-based tools, information storage solutions, and physical security are protected by comprehensive information security controls, risk management practices, and the prevention of IT architecture security risks,” says Steven Thomas, Certrec IT Director.
FORT WORTH, Texas (PRWEB) August 27, 2018
Certrec Corporation, a leading licensing and regulatory compliance provider for NRC and NERC compliance, announced today it has maintained its ISO 27001:2013 certification for the fifth consecutive year and has successfully completed its second Type 2 SOC 2 examination.
An independent, third-party audit found Certrec to have technical controls in place as well as formalized IT Security policies and procedures. Certrec has implemented several physical security measures and countermeasures that protect it from unauthorized access or compromise, and IT personnel were found to be conscientious and knowledgeable in best practices. The certification and examination demonstrate Certrec’s continued commitment to information security at every level. Compliance with these standards confirms that Certrec’s security management program is comprehensive and follows leading practices.
“We take threats to the availability, security, and confidentiality of our clients’ information seriously,” says Ted Enos, President of Certrec. “We lead our industries in data protection and security by investing in third-party examinations and certifications of our compliance to the most stringent standards and controls,” says Enos.
Several Certrec clients have provided feedback indicating the ISO 27001 certification and Type 2 SOC 2 examination were a key part of their business decision. Certrec’s certification and examination allow clients to qualify Certrec immediately as a secure vendor, relieving them of the burden of conducting an expensive and time-consuming audit and negotiation of security standards and protocols.
“Our ISO certification assures our clients of the quality of our Information Security Management System and of the confidentiality of their data. This certification, combined with the independent Type 2 SOC 2 examination, precludes the customer from having to perform their own expensive security examination,” notes Enos.
Cyber security threats are becoming more prevalent in the industries Certrec supports; therefore, Certrec is committed to maintaining or exceeding current levels of service and to performing the ISO 27001:2013 certification and Type 2 SOC 2 examination each year in the future.
“Our clients are assured that our web-based tools, information storage solutions, and physical security are protected by comprehensive information security controls, risk management practices, and the prevention of IT architecture security risks,” says Steven Thomas, Certrec IT Director.
ISO 27001:2013 and Type 2 SOC 2
ISO/IEC 27001:2013 – Information technology – Security techniques – Information Security Management Systems – Requirements (ISO/IEC 27001:2013), part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001:2013 formally specifies a Management System that is intended to bring information security under explicit management control.
SOC 2 reports are attestation reports that opine on controls at a service organization relevant to the security, availability, or processing integrity of a system (security, availability, and/or processing integrity principles) or the confidentiality or privacy of the information processed for the user entities (confidentiality or privacy principles). Of the five Trust Services principles, Certrec was examined against the following principles for the review period of July 1, 2017, to June 30, 2018:
Security - The system is protected against unauthorized access, use, or modification.
Availability - The system is available for operation and use as committed or agreed.
Confidentiality - Information designated as confidential is protected as committed or agreed.
By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can respond to meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance.
CERTREC
Founded in 1988, Certrec is an engineering and technology-based organization providing regulatory support services in the electric power industry. With more than 1,000 cumulative staff years of direct industry experience (including nuclear, fossil, and renewables), Certrec has developed exceptional capabilities to support regulatory activities emanating from regulatory entities such as the Nuclear Regulatory Commission (NRC), the North American Electric Reliability Corporation and Regional Entities (NERC), the Federal Emergency Management Agency (FEMA), and other regulatory agencies. Certrec's Office of Licensing and Compliance (OLC), Office of Assessment and Recovery (OAR), Office of NERC Compliance (ONC), and Office of New Plant (ONP) services are used by utilities and entities across the United States to help manage the regulatory process to their advantage.
Certrec offers support from highly skilled and experienced industry professionals who possess degrees in a variety of engineering disciplines (Civil, Electrical, Mechanical, and Nuclear). Additionally, Certrec's staff has multiple degreed personnel in physics, communications, a variety of MBAs, and information technology. This highly skilled team of personnel has direct working experience in all regulatory areas of licensing, compliance, and engineering, including nuclear, fossil, and renewable generation and transmission.
For more than 30 years, Certrec has been applying its hundreds of years of industry experience to help clients develop and manage solutions to complex regulatory issues. Combining this direct industry experience with Certrec's Information Technology assets has led to development of technology-based solutions and tools directly targeted to the electric power industry and specifically focused on helping clients manage regulatory issues.
