Committed to the highest security principles, Kaspersky has once again completed a Service Organization Control for Service Organizations (SOC 2) Type 1 audit, conducted by an international Big Four accounting firm. The independent assessment reaffirmed that the development and release process of Kaspersky’s antivirus bases are protected against unauthorized changes by security controls.
Developed by the American Institute of Certified Public Accountants (AICPA), the Service Organization Controls (SOC) Reporting Framework is a globally recognized report that confirms that the organization’s security controls are in conformity with AICPA’s Trust Services Criteria (TSC), namely security, availability, processing integrity, confidentiality and privacy. Kaspersky first completed the SOC 2 Type 1 examination in 2019 as part of the company’s Global Transparency Initiative (GTI).
The reassessment, launched in late January 2022, was successfully completed in late April. During the examination, Big Four auditors among other things scrutinized the company’s policies and procedures related to the development and release of antivirus (AV) bases, the network and physical security of the infrastructure involved in this process and the monitoring tools used by the Kaspersky team. The examination also covered how the company communicates the terms and conditions of the AV bases release process to its employees and users and customers.
As a result of the audit, it was concluded that Kaspersky’s internal controls for protecting the development and release process of antivirus bases for Windows and Unix OS systems are suitably designed to meet all five trust categories covered by the TSC. The scope of the current audit has been expanded compared to the 2019 assessment, as Kaspersky has since introduced new security tools and controls. The full report can be provided to our customers upon request.
“We are proud to once again reaffirm the integrity and security of our engineering practices delivering high-class cybersecurity solutions. The security and trust of our customers and partners are a key priority for us. This new independent assessment provides the necessary assurance and verifies the trustworthiness of the solutions and services we offer. The SOC 2 assessment gives a rigorous and, at the same time, useful description of our safeguards to customers and partners about how Kaspersky’s AV bases are developed and distributed. The report is a confirmation of Kaspersky’s commitment to proactively protecting its infrastructure and guaranteeing the security of its customers and partners,” comments Anton Ivanov, Chief Technology Officer at Kaspersky.
The renewal of the SOC 2 Type 1 report falls within a broader range of activities that are part of Kaspersky’s GTI, demonstrating the company’s ongoing commitment to accountability. Kaspersky is among the first in the industry to start operating Transparency Centers, in which the company’s stakeholders can review Kaspersky’s source code, software updates and threat detection rules. It regularly seeks independent third-party assessments of the company’s engineering practices, data services and compliance with existing industry standards. Earlier this year, the company renewed its ISO 27001 certification, an internationally recognized applicable security standard, which was issued by independent certification body TÜV AUSTRIA.
