Service Organization Control (SOC) reports were first introduced in 2011.
While there are three types of SOC reports, SOC 2 is the report that is most pertinent to technology and cloud computing entities in 2018. SOC 1 deals with financial transactions and SOC 3 is a public document that summarizes the SOC 2 report for public consumption.
What are SOC 2 reports?
The five criteria that comprise a SOC 2 report are: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
1. Security
The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
IT security tools such as network and web application firewalls, two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access of systems and data.
2. Availability
The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.
This principle involves security-related criteria that may affect availability. Monitoring network performance and availability, site failover, and security incident handling are critical in this context.
3. Processing Integrity
The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.
4. Confidentiality
Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.
Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
5. Privacy
The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.
SOC 2 Auditing
SOC 2 gives the data provider flexibility in how it chooses to meet the criteria. This makes SOC 2 reports unique to each company: providers review the requirements, determine which are relevant to their business, then write controls to satisfy those requirements. A SOC 2 audit is simply an auditor’s opinion of how well the company’s controls fit the requirements. Because auditing is more subjective in this case, the auditor’s reputation is critical.
The importance of SOC 2 compliance
SOC 2 is especially important and relevant right now because the public is increasingly concerned about trusting data providers with confidential information. A clean SOC 2 report indicates that the organization can be trusted to provide compliant and secure hosting.
For organizations looking to outsource data storage or financial information, SOC 2 compliance is a must. If a prospective vendor is unwilling to share its SOC 2 reports, consider finding a new vendor.