What your Business Needs to Know about SOC 2
SOC 2 (System and Organization Controls 2) is designed to help organizations demonstrate and validate how they protect sensitive customer data. In this blog post, we'll explain why SOC 2 matters and what its core elements are.
What is SOC 2?
SOC 2 is an objective, third-party attestation that examines whether a service organization is following security best practices. Instead of each company creating its own processes and questionnaires, it can follow criteria that allow it to review, assess, and validate a common set of security and operational controls. SOC 2's primary focus is to establish trust between organizations so that customer data is protected. Many enterprise customers are starting to require their service and SaaS vendors to provide a SOC 2 report before working with them, but SOC 2 isn't a law or regulation; it's a common framework that businesses can use to establish trust.
How Does it Work?
SOC 2 involves every employee in your company adhering to security policies and procedures. The process begins with your organization identifying the scope of your audit. To achieve SOC 2 certification, your business must implement the Trust Services Criteria (TSC), which include five categories of control:
Security: The core part of your audit focuses on the effectiveness of the policies and procedures your organization uses to prevent and respond to security issues. It is designed to establish a company-wide security program and works as a blueprint for your organization's ongoing security strategy. Some of these requirements include basic policies and procedures that employees need to follow related to information security, security checks, onboarding, and passwords. The security review requires your organization to identify and protect the systems and tools that keep your services running, covering areas like data protection, encryption, backups, software updates, and monitoring. Security awareness training must also be provided.
Privacy: Privacy addresses the secure collection, storage, and handling of personal information, such as name, address, email, Social Insurance Number or other identification details, purchase history, criminal history, etc. The privacy criteria test whether you effectively protect your customers' personal information.
Availability: This category requires that information and services are available for operation and use to meet the organization’s objectives.
Confidentiality: Confidentiality addresses controls for identifying, protecting, and destroying information designated as confidential. Examples of this information may include business plans, financial or transaction details, legal documents, etc.
Processing Integrity: This addresses processing errors and how long it takes to detect and fix them. It also makes sure that system inputs and outputs are free from unauthorized manipulation. These criteria help businesses make sure their services are delivered in an accurate, authorized, and timely manner.
What are the SOC 2 Controls?
While there are many controls associated with each of the five TSC categories, here's a list of the most common control areas:
Control Environment: Controls related to a commitment to integrity and ethical values.
Communication and Information: Controls related to the internal and external use of reliable information to support the functioning of internal controls.
Risk Assessment: Controls related to the identification and assessment of risk relating to objectives, including fraud.
Monitoring Activities: Controls related to the performance of ongoing and separate evaluations to determine deficiencies of controls and communicate those to the correct responsible personnel.
Control Activities: Controls related to the control activities that contribute to the mitigation of risks and establishment of policies and procedures.
Logical and Physical Access Controls: Controls related to implementing logical access security software, infrastructure, and architectures over protected information assets, so that those assets are protected from security events and the organization can meet its objectives.
System Operations: Controls related to the use of detection and monitoring procedures to identify configuration changes that introduce new vulnerabilities, and to identify susceptibility to newly discovered vulnerabilities.
Change Management: Controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures, so that the organization can meet its objectives.
Risk Mitigation: Controls that identify, select, and develop risk mitigation activities for risks arising from potential business disruptions.
What’s the Difference between SOC Type 1 and 2 Reports?
The Type 1 report assesses your compliance at a single point in time. Typically, this involves checking that you've identified and documented the controls you have in place, as well as providing sufficient evidence that your controls are functional at that point in time.
The Type 2 audit tests not only your compliance program but also the operating effectiveness of your controls over time. Usually, a Type 2 audit assesses your compliance over a six- to 12-month review period, with your first audit typically covering a period of up to six months.
A SOC 2 audit report describes a service organization's controls and whether they stand up to scrutiny. It is issued by a CPA firm and is meant to be read, understood, and evaluated by other compliance and security professionals.
SOC 2 is designed to help organizations establish and maintain a trusted security program that protects customer data. Security-focused organizations need to ensure the vendors they choose to work with have appropriate security controls in place for protecting their customers' data. Nucleus vCIO Jeff Nantais is a certified SOC 2 Readiness Expert. Jeff can help you prepare by reviewing your current state of IT against the best practices and requirements that will be assessed during the SOC 2 audit process. Contact us to learn more about Nucleus' vCIO services.