Organizations are facing a growing threat landscape, making it increasingly difficult to protect valuable company and user information. A single data breach could cost a company millions, not to mention the reputation hit and loss of customer trust. With this increase in data breaches and hacks over the past few years has forced most organizations to dedicate more resources and put more focus on their information security efforts. Whether it is your own data or you are a business that an organisations has trusted with their valuable data, SOC 2 is the most popular form of cybersecurity audit used by a growing number of organisations to prove they take cybersecurity seriously. In this article we will discuss SOC 2, which is a security framework that helps organizations better protect customer data from unauthorized access, security incidents, and other vulnerabilities. It was designed to provide auditors with guidance for evaluating the operating effectiveness of an organization’s security protocols.

What Does SOC 2 Stand for?

SOC 2 stands for Systems and Organization Controls 2. The SOC 2 security framework covers how companies should handle customer data that’s stored in the cloud. A Service Organization Controls (SOC) 2 audit examines your organization’s controls in place that protect and secure its system or services used by customers or partners. At its core, the AICPA (American Institute of Certified Public Accountants ) designed SOC 2 to establish trust between service providers and their customers.

SOC 2 is based around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. These 5 Trust Services are made up of 64 individual requirements that are audited and examined. 

For an organization to receive a SOC 2 certification, it must be audited by a certified public accountant. The auditor will confirm whether the service organization’s systems meet one or more of the trust principles or trust service criteria.

Security: This principle enforces that every organizational system needs protection from unauthorized or outside access. All Security controls, whether it is technical, physical or logical must adequately prevent potential system intrusion, unauthorized deletion, theft, software misuse, disclosure of data and device manipulation. An auditor might check for two-factor authentication systems and web firewalls. They’ll also look at things that indirectly affect cybersecurity and data security, like policies determining who gets hired for security roles.

Availability: This principle focuses on how organisations ensure that the systems that store company data and provide services are made navailible at all times to users. Typically this will involve both the Service provider and customer/ user designing a service level agreement (SLA) or contract that explicitly agree on the minimum acceptable performance level of the system. It also requires organizations to invest in network monitoring systems and have disaster recovery plans in place.

Processing Integrity: This principle asks the question, Does the organisations systems that are used to store, process and retrieve information work the way they are supposed to? For example, this type of review determines if the system delivers the right data at the right time, ensuring that the system processes are complete, accurate, timely and licensed. Quality assurance and performance monitoring applications and procedures are crucial to achieve adherence to this principle.

Confidentiality: This principle examines your organization’s ability to protect confidential information throughout its lifecycle from collection, to processing and disposal.  Confidential data must be protected against unauthorized access until the end of a predetermined retention period of time, then destroyed. The principle of confidentiality covers business-to-business relationships, internal price lists, intellectual property, financial information forms and other sensitive data shared between businesses. Encryption, phishing awareness training, SSL certificates, DNSSEC, and preventing man-in-the-middle attacks, domain hijacking, and email spoofing are fundamental to protecting confidentiality.

Privacy: The principle focuses on how a system collects, uses, retains, discloses and disposes of customer information and how it aligns with the organization’s privacy notice and criteria set out in AICPA’s generally accepted privacy principles (GAPP). For instance, if an organization says it warns its customers any time it collects data, the audit report needs to show how the company provides the warning, whether through its website or another channel.

SOC 2 audits evaluate a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy, often referred to by the acronym “SAC 2.” These audits are conducted by independent third-party auditors who assess the organization’s systems, policies, and procedures to ensure they meet the SOC 2 criteria.

There are two main types of SOC 2 reports:

1. Type I Report: This report evaluates an organization’s use of compliant systems and processes at a specific point in time.
2. Type II Report: This report assesses the effectiveness of the organization’s controls over a specified period, usually a minimum of six months.

What is the difference between SOC 1, SOC 2 and SOC 3?

The American Institute of CPAs (AICPA) has developed three SOC audit standards:

• SOC 1: This Report is mainly focused on assessing controls for financial reporting. The goal of the SOC 1 report is to show that your organization has internal controls in place to handle your customers’ financial information.
• SOC 2: This report is focused on assessing controls for security and compliance. This aim of this report is to prove that security and compliance controls are implemented and demonstrate that these internal controls are in line with AICPA’s five Trust Services Criteria outlined above.
• SOC 3: Reports on the same details as a SOC 2 report but is intended for a general audience. This report basically provides only the service organization’s auditor report on whether the system achieved the trust services criteria used in SOC 2.

Where to Start with SOC 2 Compliance?

To start preparing for your SOC 2 examination, begin with the 12 policies listed below as they are the most important to establish when undergoing your audit and will make the biggest impact on your security posture. 

1. Information Security Policy
2. Access Control Policy
3. Password Policy
4. Change Management Policy
5. Risk Assessment and Mitigation Policy
6. Incident Response Policy
7. Logging and Monitoring Policy
8. Vendor Management Policy
9. Data Classification Policy
10. Acceptable User Policy
11. Information, Software and System Policy
12. Business Continuity and Disaster Recovery

The general cycle for SOC 2 reporting and execution begins with readiness and preparing for the SOC 2, then performing some kind of internal assessment in compliance with SOC 2 requirements. Below is a list of some of the key requirements to give you a guide.

• Establish an Information Security Program – Reviewed/Updated at least annually.
• Create, Maintain, and Promulgate Policies and Procedures – Reviewed/Updated at least annually.
• Third-Party Risk Assessment / Vendor Reviews – Based on the organization’s policies/procedures, but at least annually.
• Conduct a Risk Assessment of the In-Scope Environment – Based on the organization’s policies/procedures, but at least annually.
• Mitigate Identified Risks – Ensure documented mitigation plans exist for applicable risks. Ensure mitigation plans are implemented.
• Establish and Maintain a Compliance Evaluation Program – Based on the organization’s policies/procedures, but at least annually.
• Document and Update In-Scope Control Activities – Reviewed/Updated at least annually.
• Establish a Logical Access Management Program – Based on the organization’s policies/procedures, but at least annually.
• Establish a Physical Access Management Program – Based on the organization’s policies/procedures, but at least annually.
• Establish and Maintain an Information Asset Inventory – Reviewed/Updated at least annually.
• Establish and Maintain a Data Classification Matrix – Reviewed/Updated at least annually.
• Define and Maintain System Configuration Standards – Reviewed/Updated at least annually.
• Conduct Vulnerability Scans and/or Penetration Testing – Based on the service organization’s policies/procedures, but at least annually.
• Create and Maintain a Security Incident Response Plan – Reviewed/Updated and tested at least annually.
• Perform Logging and Monitoring of the In-Scope Environment – Based on the service organization’s policies/procedures, but at least annually.
• Establish and Maintain a Change Management Program – Ensure change records exist for all in-scope components during the defined time period.

Conduct a SOC 2 Type 2 Certification Audit

If you’ve followed the steps above carefully and worked with a compliance advisor, this final stage should be relatively straightforward. The audit, though, is not done just one time. Companies must undergo periodic audits (usually every year) to retain their SOC 2 accreditation. Holding a SOC 2 certification isn’t a guarantee that an accredited company is now protected against cybersecurity threats. Therefore, companies must be consistent in following their policies and procedures as well as practicing the industry’s best practices

Related