Global, Transparent, Trusted: Kaspersky successfully passes independent SOC 2 audit

Kaspersky has successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit. The final report, issued by one of the Big Four accounting firms, confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. In addition, the company is announcing new developments of its Global Transparency Initiative.
The Service Organization Controls (SOC) Reporting Framework is a globally recognized report for cybersecurity risk management controls, developed by the American Institute of Certified Public Accountants (AICPA) to inform customers about effective design and implementation of security controls. Being a responsible and transparent company for its customers, Kaspersky has chosen this standard to demonstrate the trustworthiness of its product and the company’s commitment to the AICPA Trust Service Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The examination completed under the SSAE 18 standard (Statement of Standards for Attestation Engagements) includes internal controls over regular automatic updates of antivirus databases, created and distributed by Kaspersky for its products operating on Windows and Unix Servers. In its final report, the Big Four independent auditor identified the suitability of the above-mentioned controls and their appropriate operation on a specified date.

“The security of our products is certainly one of our top priorities. We are proud to have completed this independent assessment which provides our customers with the assurance of the security of our products, and confidence in our R&D processes and controls. This audit marks one more step in our efforts to demonstrate the company’s transparency,” noted Andrey Efremov, Chief Technology Officer at Kaspersky.

Further developments of the Global Transparency Initiative:

-Bug Bounty Program: Kaspersky has been working continuously on the development of its Bug Bounty Program. Recently the company paid a $23,000 bounty – the biggest reward in the history of the program to date – to researchers from the Imaginary team for the discovery of a security issue in Kaspersky that could potentially allow third-parties to remotely execute arbitrary code on a user’s PC with system privileges. The bug was promptly fixed. Kaspersky thanks the Imaginary team for the report and their assistance in improving the company’s products.

-Safe Harbor for vulnerability researchers: The company now supports the Disclose.io framework which provides Safe Harbor for vulnerability researchers concerned about negative legal consequences of their discoveries. Kaspersky understands that external experts provide valuable assistance by finding and reporting vulnerabilities in its products and is ready to provide additional guarantees for fair treatment of vulnerability reports.

-Transparency Centers: The recently announced Transparency Center in Madrid is officially open to Kaspersky’s customers and partners, as well as government stakeholders, starting from June. As is the case at the Zurich facility, the company offers source-code reviews and tailored security briefings on the company’s data processing practices and functioning of its products.

-Threat intelligence support for law enforcement agencies: Kaspersky, the first among cybersecurity vendors, announced an advanced free service for Law Enforcement Agencies (LEAs). A unique and tailored approach developed to maximize their efforts in tackling borderless cybercrime, it consists of three components:
·Threat intelligence Reporting
·Threat Data Feeds
· Automated Security Awareness Platform (Kaspersky ASAP)