SOC 2 Compliance

SOC 2 Compliance opens up new opportunities for small and medium sized companies. The attestation helps you provide services to the largest organizations around the United States.

Increasingly, businesses are looking for ways to outsource critical functions in an effort to reduce cost. But beyond cost management, outsourcing can also lessen burdens on in-house staff, freeing employees to focus on more important projects. Yet as these business functions and their associated data shift over to third-party SaaS or cloud computing providers, companies are faced with a growing risk of data theft and extortion along with costly liability should there be a data breach. So how can they protect their reputation, their integrity, and the security of their customer’s sensitive data while still reaping the benefits of outsourcing?

 

The SOC 2 audit is one important step toward offering that assurance to businesses who use cloud or SaaS providers. The SOC 2 audit is a service organization control compliance standard that evaluates policies and processes in place to protect a client’s data when it’s transmitted, stored, and managed in the cloud. The audit also looks to see that controls are in place for ensuring system and data availability. Service organizations earning SOC 2 compliance meet an elevated level of trust criteria.

 

What is SOC 2 compliance?

 

SOC 2 compliance is an esteemed designation offered to organizations that pass the SOC 2 auditing procedure. This audit is conducted by outside, impartial auditors and was developed by the American Institute of CPAs, or AICPA.

 

To earn SOC 2 certification, a service organization must meet the following five trust service principles.

 

Security. SOC 2 auditors will assess policies, processes, and controls that have been put in place to protect systems from unauthorized access. Access controls might include intrusion detection, firewalls, or two-factor authentication. These security measures are intended to prevent system breach, hacking, and unintended disclosure or alteration of data stored in the system.

 

Confidentiality. Auditors will also evaluate safeguards that have been put in place to protect confidential data during storage. Confidential data might include intellectual property, proprietary business data, legal documents, transaction details, or engineering plans—essentially any information restricted to a certain person or group. Controls can be put in place by a cloud or SaaS service provider to block unintended access to any confidential data while it’s being transmitted or stored in the system. This might include firewalls, encryption, or access controls along with policies for identifying confidential data, retaining it for a set period of time, and erasing or destroying that data after the retention period has expired.

 

Privacy. How a service provider safeguards personally identifiable information is also part of an SOC 2 audit. Personally identifiable information encompasses any details that might identify an individual. For example, this might include their name and address, their race, sexual orientation, religion, or social security number. It also encompasses sensitive health records, credit details, and financial information. SOC 2 auditors assess the system’s ability to maintain privacy of that personally identifiable information during storage, transmission, use, and disposal. Auditors will also look to ensure an organization meets the promises set forth in its privacy policy and that it complies with AICPA’s own generally accepted privacy principles.

 

Availability. SOC 2 compliance requires that a service provider’s product or solution operates at the minimum performance levels promised in their service level agreement or contract. This covers both network availability and incident handling. Some areas an auditor might investigate include a company’s handling of security incidents or its disaster recovery processes. Controls in place to safeguard availability might include detection measures, environmental protection procedures, or routine testing of back-up system integrity.

 

Processing integrity. Finally, auditors evaluate how well a system achieves its intended objective. This means not only its ability to deliver the right information in a timely manner but also that the data is complete, valid, authorized, and that it accurately reflects the data a user entered originally into the system. Processing integrity might be compromised if, for example, there are duplicates when processing or if there are errors or inaccuracies in transactions that were submitted into the system.

 

SOC 2 Type 1 vs SOC 2 Type 2

 

SOC reports, short for Service Organization Control, were designed by the AICPA. There are two types of SOC 2 audit reports that a service provider can obtain, Type I and Type II. Both analyze controls that a service organization has in place to adhere to five trust service principles, specifically security, availability, process integrity, confidentiality, and privacy.

 

SOC 2 Type I Overview

 

The SOC 2 Type I audit investigates that a company has internal controls in place for managing customer data based on five trust service principles as of a specified calendar date. It also looks to ensure those controls are designed appropriately to meet the service provider’s objectives. You can think of Type I as a snapshot in time.

 

SOC 2 Type II Overview

 

While the SOC 2 Type I audit investigates that a company has controls in operation as of a specified date, the SOC 2 Type II audit delves further to investigate the operational effectiveness of those controls—assessing whether or not they performed as promised over a period of time spanning at least six consecutive calendar months.

 

The Benefits of SOC 2 Compliance

 

SOC 2 Type I and Type II compliance gives companies like SaaS providers, data centers, managed service organizations, banking and financial firms a powerful advantage over their competition. SOC 2 certification demonstrates that you value data security and have gone the extra mile—passing an independent audit to prove it.