Ensuring ePlan Review Security: Compliance with SOC 2 and Beyond

When it comes to city and citizen data, there’s no overemphasizing the need for robust and evidentially secured solutions. Jurisdictions need no-fail data and systems security measures and solutions, period.  

Security as a prerequisite is nothing new, and at the Center for Digital Government’s annual Envision Summit, where IT leaders in government from across the country attended, CIOs agreed that security remains the highest priority. 

Yet leaders also concluded that jurisdictions need more effective ways to manage projects to avoid costly delays, wasted resources, and friction between stakeholders. Going digital with electronic plan review is an effective way to do so, but cities, towns, counties, and states considering an electronic plan review solution must scrutinize vendor security before investing.  

As the global leader in ePlan review, Avolve is experienced in adopting the highest standards of digital security and complies with a host of regulatory bodies across the world. 

How ePlan Review Ensures SOC 2 Compliance

Critically, Avolve is compliant with the rigorous industry standard SOC 2 security framework required by today’s state and local government jurisdictions to meet their vendor security standards. Below we look more closely at this compliance framework and discuss how it contributes to Avolve’s unwavering approach to ePlan review security. 

Why is SOC 2 Compliance Important?  

This auditing procedure examines a company’s ability to securely manage data to protect customer privacy and interests. Companies who [do well] are issued an SOC 2 report, which examines five key elements.  

1. Privacy: Scrutinizes the organization's adherence to established principles for collecting, using, retaining, and disclosing personal information. This ensures that personal data is managed in line with relevant privacy regulations and individual consent. 
2. Security: Speaks to the effectiveness of the measures the organization takes to safeguard sensitive data from unauthorized access or breaches. This examines the organization's physical and digital security controls to prevent unauthorized intrusions. 
3. Availability: Assesses the organization's ability to ensure that its services and data are consistently accessible and functional according to established agreements or expectations. This pertains to minimizing downtime and disruptions. 
4. Processing integrity: Examines the accuracy, completeness, and reliability of the organization's data processing operations. Doing so aims to ensure that data is processed correctly, maintaining its integrity throughout the process. 
5. Confidentiality: Reviews the organization's practices for protecting sensitive information from unauthorized access or disclosure. This addresses the protection of classified or sensitive data.

Adhering to the tenants required to achieve SOC 2 is just a sliver of how Avolve ensures the highest level of ePlan review security, providing reassurance to its customers. 

Other Practices Avolve Implements to Ensure Security: 

• NIST SP 800-53: Avolve strictly adheres to NIST SP 800-53. Also known as “Security and Privacy Controls for Federal Information Systems and Organizations," NIST SP 800-53 is a framework by the National Institute of Standards and Technology (NIST) in the U.S. It provides a comprehensive set of controls that organizations can use to enhance the security and privacy of their information systems and data. Following this framework is often a requirement for various certifications.  
• Google Cloud Platform and Microsoft Azure servers: Avolve opts for GCP and Azure as they are widely viewed as the most robustly secure servers on the market. Thanks to significant investments in security research, compliance with industry standards, and rapid response to emerging threats, among other top qualifications, GCP and Azure help Avolve ensure the highest level of ePlan review security.  
• Frequent vulnerability penetration testing: Regular penetration testing helps us identify weaknesses, test our incident response management, and measure our security controls in place. It also supports us in patching any software vulnerabilities discovered internally or in our ePlan review security, while building trust with our customers who can be sure that we’re regularly testing for weaknesses.  
• Mandatory security training for all employees and contractors: Avolve mandates quarterly security training for all employees, contractors, or anyone who has access to our systems. We use this training to introduce best practices and new topics, policies, and procedures that cultivate mature awareness of cyber-attack threats. 

Jurisdictions need ePlan review solutions that enable more efficient workflows while safeguarding city data. Avolve’s compliance with the SOC 2 framework, alongside its other security practices, ensures that Avolve has in place the utmost security as a trusted supplier.