SOC 2 Report
1. Purpose
With the progress of IT, we can enjoy greater convenience, but at the same time, companies are exposed to various threats such as information leakage, tampering, destruction, and loss. SYSCOM GLOBAL SOLUTIONS INC. handles confidential information of customers while using Data Center and Public Cloud and providing IaaS implementation support and operational assistance. In supporting the valuable business of our customers using IT, we consider it a social responsibility to appropriately manage and operate these information assets. To fulfill this responsibility and maintain the confidentiality, integrity, and availability of information assets, we have built and operated internal processes in compliance with SOC2 to implement systematic information security measures.
2. About SOC2
SOC for Service Organizations reports are designed to help service organizations that provide services to other entities, build trust and confidence in the service performed and controls related to the services through a report by an independent CPA.
SOC 2® - SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
・Oversight of the organization
・Vendor management programs
・Internal corporate governance and risk management processes
・Regulatory oversight
3. In Scope Service
・SYSCOM Data Center IaaS Implementation Services and Support Operations in the U.S.
・Public Cloud IaaS Implementation Service and Support Operations in the U.S.
4. Leadership and commitment
Under the guidance from SOC2, Executive Management is committed to the establishment of an effective Information Security Management System (ISMS).
The firm’s commitment is demonstrated by:
・A documented ISMS Policy with clearly defined and fully supported objectives.
・An ISMS that is operational and socialized within the processes, systems, and people within the current approved scope.
・Allocating the resources needed to establish, maintain, and continually improve the ISMS.
・Clearly communicating top management’s commitment and support of the objectives, implementation, and continual improvement of the ISMS to the entire firm.
・Monitoring the implementation and promoting continual improvement of the ISMS and the objectives by which the ISMS is assessed.
・Supporting those persons responsible for monitoring and measuring the InfoSec controls selected for implementation within the ISMS.
・Supporting the development of vendor relationships, contracts and agreements that align with the approved ISMS outcomes described within the ISMS objectives and policies developed by the ISMS Management Team and endorsed by the Management Team.
・Encouraging a culture of information security as a firm’s core value in practice at SYSCOM and creating policies that require personnel and select interested parties to conform to the policies and procedures derived from this ISMS and report opportunities to correct and improve it.
5. Organizational roles, responsibilities, and authorities
Top management has established the ISMC (Information Security Management Committee) and authorizes that body to:
・Assign roles and responsibilities to specific people and business units within SYSCOM, and to routinely collect reports as necessary to monitor ISMS performance.
・Determine ISMS-related personnel qualifications and competencies.
・Support ISMS-related personnel to maintain contact with special interest groups and authorities to enable their success in managing the ISMS.
・Allocate InfoSec responsibilities to managers.
・Ensure HR policies support personnel actions that may become necessary in the event of a security incident deemed to be a result of an infraction of the established ISMS-related policies and procedures.
6. Compliance with Laws and Social Ethics
SYSCOM will faithfully comply with laws, regulations, and contractual security obligations related to information security, such as the protection of personal information.
7. Information Security Risk Assessment and Treatment Plan
SYSCOM has determined that a risk-based approach to information security works best for the organization and will conduct a risk assessment at least once annually. The ISMC may initiate additional interim risk assessments as deemed necessary and will define the scope of each as needed.
・Risk assessments are conducted per the SYSCOM Risk Management Methodology. The ISMC will review and approve needed changes to the methodology at least once annually.
・SYSCOM will plan actions to reduce risks in necessary processes when the current risk exceeds the risk threshold accepted by top management.
・A risk treatment plan is documented per the SYSCOM Risk Management Methodology. The ISMC will review and approve needed changes to the methodology at least once annually.
8. Education and Training
SYSCOM will continuously provide education and training to ensure that security operations are carried out in accordance with policies and procedures, recognizing the importance and benefits of being compliant with SOC2.
9. Incident Management and Prevention
SYSCOM will take necessary preventive measures to prevent information security incidents from occurring, and in case of any incidents, we will promptly investigate and analyze the root causes and take corrective actions to prevent recurrence.
March 1st, 2023
Seishi Sato
President & CEO
SYSCOM GLOBAL SOLUTIONS INC.