Check Point’s SandBlast solutions family achieves SOC II Compliance

By Yael Macias, Threat Prevention Product Marketing Manager

If there is one thing that is important when considering a new security vendor it is that they will responsibly handle your data and have adequate systems in place to manage risk and process integrity. This is why Check Point submitted to an audit for SOC 2 Type II Compliance. Ensuring that the sensitive data that our customers trust us to secure is properly managed within our systems is key.

Today I’m proud to say that Check Point’s threat emulation service, which is available for our security gateways (SandBlast Network) and endpoint protection (SandBlast Agent), as well as our platform for Mobile Threat Defense, that powers SandBlast Mobile, are SOC 2 Compliant.

The threat emulation service prevents infections from undiscovered exploits, zero-day, and targeted attacks. The solution quickly inspects incoming files, launches suspicious files into a virtual sandbox, discovers malicious behavior, and prevents discovered malware from entering the network. Some of its key capabilities include:

• Identifying new attacks hidden in Adobe PDF files, Microsoft Office, Java, Flash, and executable files
• Emulating files and documents for threats in a secure sandbox
• Emulating files within SSL and TLS communications
• Preventing malicious files from entering the organization.

SandBlast Mobile, Check Point’s cloud-based solution for Mobile Threat Defense, offers enterprise mobile security to protect against threats to the OS, apps, and network. SandBlast Mobile offers application scanning and cross-platform attack protection, combined with network and device anomaly detection.

So what is SOC 2?

SOC 2 is a report based on Trust Services Principles and criteria from the American Institute of Certified Public Accountants (AICPA). The Trust Services Criteria, upon which an organization’s information systems are evaluated, include:

• Security. Information and systems are protected against unauthorized access and disclosure of information.
• Availability. Information and systems are available for operation and use to meet the entity’s objectives.
• Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
• Confidentiality. Information designated as confidential is adequately protected.
• Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

How does SOC 2 Type II certification work

SOC 2 reports are independent, third-party-issued reports based on the criteria defined by the AICPA. In Check Point’s case, the audit was conducted by a world leading auditing and accounting firm. The audit takes place over a period of three to six months, usually.

There are two types of SOC 2 reports: a Type I report on management’s description of the systems in place and the suitability of the design of controls; and a Type II report on the suitability of the design and operating effectiveness of the controls. It is the responsibility of the auditing firm to build the report by expressing an opinion on the fairness of the presentation of the descriptions, the suitability and the effectiveness of the control measures.

During the audit period, the controls for Check Point’s threat emulation and Mobile Threat Defense services operated effectively to meet the applicable trust services criteria.

Check Point is committed to offering the best security products and services to our customers, so they can have peace of mind that their data is secure, regardless of where it sits. To guarantee that our products meet and exceed industry standards, we submit the systems and processes that power our cyber security solutions to rigorous independent scrutiny. SOC 2 Type II Compliance of SandBlast Agent, SandBlast Mobile and SandBlast Network is further proof that Check Point lives up to its commitment to excellence.