IT Services Provider ‘Sherlock’ Meets Rigorous Standards for Protecting Sensitive Data
Published June 04, 2025
By Cynthia Dillon
Sherlock, a specialized IT services provider at the San Diego Supercomputer Center, part of the School of Computing, Information and Data Sciences (SCIDS) at UC San Diego, has reached a significant milestone. As a trusted partner for those seeking secure and compliant solutions for research and data-driven initiatives, Sherlock has successfully completed what is known as a Service Organization Control (SOC, pronounced “sock”) audit, which assesses how a cloud-based service provider manages sensitive information. Sherlock successfully met all the assessment criteria, demonstrating its commitment to data protection and operational integrity.
There are various types of SOC audits, and the one that Sherlock completed is called a SOC 2, Type 2 assessment. This is a comprehensive, third-party evaluation designed to verify that an organization’s systems and practices align with industry standards for protecting sensitive data. The assessment specifically examines controls against the Trust Services Criteria – security, availability, processing integrity, confidentiality and privacy.
“The successful assessment further strengthens Sherlock’s competitive position in the secure cloud solutions market and reinforces its standing as a leader across the University of California system in scalable, secure and compliant data solutions,” said SCIDS Interim Dean Rajesh K. Gupta.
According to SDSC’s Stack Science Division Director Sandeep Chandra, Sherlock, housed within Stack Science at SDSC, is well-positioned to support partners and projects requiring compliant and secure solutions. “Sherlock services have been through several external assessments over the years, and a successful SOC 2, Type 2 assessment demonstrates how our capabilities measure against another, widely recognized, industry standard. As one of the first UC service organizations to successfully complete a SOC 2, Type 2 assessment, Sherlock continues to set the standard for building and deploying robust, compliant and secure solutions for our partners so they can confidently pursue contracts and grants without worrying about data protection,” Chandra said.
Stakeholders who can benefit from Sherlock solutions include:
- Academic community: Sherlock's compliance with industry standards assures researchers that their sensitive data is protected, enabling them to pursue new grants and projects with confidence.
- Industry partners: Sherlock's certification demonstrates robust security controls, removing barriers to academic collaborations and reassuring partners that proprietary information is protected to commercial standards.
- Government agencies: Sherlock's SOC 2 compliance makes it a trusted partner for projects with sensitive data, meeting the strict requirements of funding sources.
- Students and educational programs: Sherlock's achievement provides hands-on experience with compliant systems, benefiting those pursuing careers in regulated industries like cybersecurity, healthcare and finance.
- General public: This certification reinforces trust that personal information shared with or analyzed by Sherlock-supported research initiatives is appropriately protected.
According to members of the Sherlock team, preparing for a SOC 2, Type 2 assessment within the university setting is a complex, time-intensive process that requires extensive planning and the cooperation and collaboration of every member of the team, which was led by Winston Armstrong, chief information security officer, and Leslie Morsek, Sherlock’s regulatory compliance expert.
“This comprehensive assessment extended beyond Sherlock’s immediate infrastructure and operations to include policies and practices at both SDSC and UC San Diego levels, requiring collaboration with SDSC colleagues and the incorporation of university-wide policies and procedures that our team independently collected and documented,” Morsek said.
According to Armstrong, the journey to SOC 2 compliance began with a thorough gap analysis and readiness assessment to validate existing controls and identify areas needing improvement. This first step also ensured Sherlock’s lifecycle documentation accurately reflected its security practices, policies and procedures.
“What makes a SOC 2, Type 2 assessment particularly demanding is its focus on demonstrating the operating effectiveness of controls over an extended period of time – not just the design of the controls. Our team documented hundreds of controls across the evaluated trust services criteria while maintaining consistent security practices throughout the review period,” Armstrong said.
Reportedly, collecting the evidence was the biggest challenge, requiring the team to gather over 500 distinct pieces of corroboration ranging from lifecycle documents to system logs, monthly vulnerability scans, personnel protocols and more. To manage this task, the team implemented a tracking system to monitor evidence collection and address any identified gaps systematically. According to Chandra, the process continued with a two-week fieldwork period with the auditor, which followed the evidence submission and coincided with the final day of the review period.
“During this phase, our team met regularly with the third-party auditor to address questions and clarify control implementations and evidence submitted. The team also responded to auditor requests for additional evidence to demonstrate continuous compliance,” Chandra said. “The Sherlock team’s thorough preparation, collaborative work ethic and comprehensive security posture resulted in a successful SOC 2, Type 2 assessment with zero findings.”
According to SDSC Director Frank Würthwein, this successful outcome signals that Sherlock meets rigorous industry standards for safeguarding sensitive data, operating with integrity and continuously maintaining a strong security posture.
“It is gratifying for SDSC to be able to include this among Sherlock’s offerings because it means that anyone within an academic institution, a government agency or industry, who relies on secure infrastructure and solutions to conduct research, handle regulated data or develop innovative data solutions, can benefit from this achievement,” Würthwein said.
About Sherlock:
Sherlock has been in the security and compliance space since its creation in 2008, building an impressive track record of successful audits and reviews. The recent SOC 2, Type 2 assessment continues this tradition of excellence and validates the Sherlock team’s dedication to security, privacy and compliance. Sherlock’s current and potential partners can be confident that its infrastructure and solutions not only meet, but exceed, the stringent regulations and protect their sensitive data. For more information, please visit the SDSC/Sherlock webpage.