SOC 2 Type 2 Compliance and Certification
What does SOC stand for?
SOC stands for System and Organization Controls and represents a set of compliance standards developed by the American Institute of CPAs (AICPA) – a network of over 400,000 professionals across the globe. SOC Audits aim to examine the policies, procedures, and internal controls of an organization.
There are 3 SOC Audits & Reports:
- SOC 1 – Reports on the processes and controls that influence the organization’s internal control over financial reporting (ICFR). SOC 1 is also a standard assessment report required by user entities to comply with Sarbanes-Oxley Act (SOX).
- SOC 2 – Designed for service organizations and reports on non-financial controls. Focuses on five key trust services criteria (formerly called trust services principles), or TSCs. SOC 2 outlines the standards that are necessary to keep sensitive data private and secure while it’s in transit or at rest.
- SOC 3 – SOC 3 is similar to SOC 2 in terms of the audit criteria. The main difference is in the reporting – SOC 2 is tailored for sharing with specific organizations, whereas SOC 3 reports are more applicable for general audiences and therefore made publicly available.
There are 2 Types of reports for SOC 1 and SOC 2:
- Type 1 Report – Applicable when the service organization has not been in operation for a sufficient length of time to enable the service auditor to gather sufficient appropriate evidence regarding the operating effectiveness of controls, hence is “point in time”. The Type 1 Report is also for service organizations that have recently made significant changes to their system and related controls and do not have a sufficient history with a stable system to enable a type 2 engagement to be performed.
- Type 2 Report – Applicable for service organizations that have a long running stable system capable of demonstrating the effectiveness in the design of controls over a defined period of time retrospectively, normally no less than 6 months and not longer than 12 months.
Who does SOC 2 Apply To?
SOC 2 applies to any organization wanting to effectively demonstrate to associated organizations controls associated regarding Security, Availability, Confidentiality, Processing Integrity and Privacy or any combination of these as part of third-party relationships. It is also applicable to organizations that store its customer data in the cloud as well as Third-party service providers such as cloud storage, web hosting and software-as-a-service (SaaS) companies.
What is SOC 2 Compliance?
SOC 2 focuses on non-financial reporting of internal controls and systems. By complying with SOC 2 organizations protect the confidentiality and privacy of data that’s stored in cloud environments. Additionally, SOC 2 compliance helps service providers show that the privacy, confidentiality, and integrity of customers’ data is a priority.
SOC 2 defines criteria for managing customer data based on 5 “Trust Service Criteria” (TSCs):
Security is included in all SOC Audits. It covers common criteria related to protecting data and systems. The Security TSC aims to ensure information and systems are protected against unauthorized access, disclosure, and damage.
The Availability TSC addresses accessibility and aims to assess the data that customers receive and how readily available it is. It also reviews accessibility for operations, monitoring, and maintenance of data.
3. Processing Integrity
The Process Integrity TSC ensures systems are processing the data as authorized and assesses the accuracy, completeness, validity, and timeliness of the data. It also validates that systems are achieving the goals and purposes that they were designed to achieve.
This TSC aims to ensure “confidential” data remains protected and secure. It encourages encryption for in-transit data as well as client certificates and personal authentication certificates.
This TSC addresses how data is collected, used, disclosed, retained, and disposed of. It aims to ensure the confidentiality and security of personally identifiable information (PII). PII includes name, social security numbers, contact information, addresses, etc. It is required that organizations demonstrate that they protect and handle personal information securely.
What are the SOC 2 Common Criteria?
Each of the 5 SOC 2 TSCs are comprised of nine specific sub-categories:
- Control environment (CC1)
- Communication and information (CC2)
- Risk assessment (CC3)
- Monitoring of controls (CC4)
- Control activities related to the design and implementation of controls (CC5)
- Logical and physical access controls (CC6)
- System operations (CC7)
- Change management (CC8)
- Risk mitigation (CC9)
What SOC is NOT
SOC is not certification. SOC 1 and SOC 2 are ATTESTATIONS of the controls as defined being either functioning or not nor as designed.
What is SOC 2 Attestation?
SOC attestation is a type of audit report that attests to the trustworthiness of services provided by a service organization.
What is a SOC 2 Report?
There are 2 types of SOC 2 reports:
- SOC 2 Type 1 – Outlines management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.” This report evaluates the controls at a specific point in time.
- SOC 2 Type 2 – Focuses not just on the description and design of the controls, but also actually evaluating operational effectiveness. The report evaluates controls over an extended period of time to ensure the effectiveness of the controls (potentially taking several months).
How do Managed Service Providers (MSPs) comply with SOC 2?
MSPs are generally required to comply with either SOC 1 or SOC 2 examinations depending on the services they render or scope of the services.
MSPs that handle, process, transmit or store financial data should have a SOC 1 performed.
MSPs that offer broader services than just financial should have a SOC 2 performed based on the TSCs required.
By gaining SOC attestation, MSPs enable their clients to inherit controls based on the relationship; for example, a Data Center Provider’s Clients will automatically inherit controls that address physical and environmental security of the infrastructure.
How to lower cost for SOC 2 audit?
You can lower cost of a SOC 2 audit by:
- Partnering with existing SOC 2 Type 2 Attested MSPs.
- Identifying the most appropriate TSCs that are relevant to your business.
- Scope Reduction – architect the network to reduce scope.
For assistance with end-to-end SOC 2 attestation, please contact us at ControlCase and we would be happy to provide details and a quote TODAY!