Service Organization Control 2 (SOC 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It is designed to ensure service providers and third-party vendors are protecting sensitive data and personal information from unauthorized access.
SOC 2 reports cover a period of time (generally 12 months) and include a description of the service organization's system together with tests of the design and operating effectiveness of key internal controls over that period.
Information security and defense in depth are important at any organization. The rise of outsourcing key business operations (e.g. SaaS products and data center providers) means more third- and fourth-party data breaches and data leaks are happening.
And the cost of data breaches and regulatory scrutiny (due to laws like HIPAA and GDPR) has never been higher.
The purpose of SOC 2 is to provide peace of mind for organizations when they engage third-party vendors. This has led many security-conscious organizations to look for SOC 2 compliance as part of their vendor assessment process to reduce vendor cybersecurity risk.
What is SOC 2 compliance? The Trust Services Criteria (TSC)
SOC 2 compliance is concerned with managing customer data in accordance with AICPA's five Trust Services Criteria (TSC):
- Security: The protection of system resources from unauthorized access. This could include network security, intrusion detection and other security tools that protect against vulnerabilities, ransomware like WannaCry and other types of malware. This criterion is concerned with reducing cyber threats and preventing data breaches and cyber attacks.
- Availability: The accessibility of the system, products or services stipulated in contract or by service level agreement (SLA). It does not address system functionality and usability but rather security-related criteria that can affect availability.
- Processing integrity: Addresses whether a system achieves its purpose in a complete, valid, accurate, timely and authorized manner.
- Confidentiality: Addresses whether sensitive data is restricted to specific people or organizations. Encryption, phishing awareness training, SSL certificates, DNSSEC and preventing man-in-the-middle attacks, domain hijacking and email spoofing are fundamental to protecting confidentiality.
- Privacy: Addresses the collection, use, retention, disclosure and disposal of personally identifiable information (PII) and how it aligns with the organization's privacy notice and criteria set out in AICPA's generally accepted privacy principles (GAPP). All PII must be protected from exposure, both accidental and deliberate. Examples of PII data include phone numbers, names and social security numbers.
Unlike stricter security standards like PCI DSS, SOC reports are unique to each organization.
This means an organization's controls can be designed, in line with its specific business practices, to comply with one or more of the trust services principles.
These internal reports provide regulators, business partners, suppliers and your organization with important information about how your service providers are managing sensitive data.
What are the different types of SOC reports?
There are two types of SOC reports:
- Type I: Describes a vendor's system and organization controls and whether they are suitable to meet relevant criteria.
- Type II: Details the operating effectiveness of the systems outlined in Type I.
A common misconception is to confuse SOC types with SOC standards. Each SOC standard, of which there are three (SOC 1, SOC 2 and SOC 3), can have a SOC report of Type I or Type II.
What are the different SOC standards?
The American Institute of CPAs (AICPA) has developed three SOC standards:
- SOC 1: Evaluates, tests and reports on the effectiveness of the service organization's internal controls that relate to user entities' internal controls over financial reporting. A SOC 1 report is equivalent to a Statement on Standards for Attestation Engagements (SSAE 16) report.
- SOC 2: Evaluates, tests and reports on the systems and organization controls related to storing information that is not significant to financial reporting or financial controls. SOC 2 was preceded by SAS 70.
- SOC 3: Reports on the same details as a SOC 2 report but is intended for a general audience. They are shorter and do not include the same details as a SOC 2 report but are shared openly, often on a company's website with a seal to indicate compliance.
What is a SOC 2 certification or attestation?
A SOC 2 certification is issued by an independent CPA firm and assesses the extent to which a vendor complies with one or more of the five trust principles based on the service organization's controls and processes.
SOC 2 reports consist of:
- The opinion letter
- Management's assertion
- Description of the system
- Description of tests of controls and results of testing
- Other information
Why is SOC 2 compliance important?
Outsourcing and, in turn, third-party risk and fourth-party risk have never been higher. Every organization is outsourcing parts of its operations, often to multiple suppliers. Those suppliers are then outsourcing part of their operations to other suppliers.
This is why SOC 2, third-party risk management and vendor risk management are so important. Vendor risk needs to be managed carefully with vendor questionnaires, security ratings and industry benchmarking. You can read our white papers on third-party risk management and vendor questionnaires to learn more.
The most important thing to understand is that customers don't care whether data breaches and data leaks are the result of your mismanagement of their data or your vendor's mismanagement. They just care that their data was exposed or sold on the dark web. Consider making SOC 2 compliance part of your information security policy and cyber security risk assessment process.
SOC 2 compliance is one way to determine whether your vendors are managing data in a secure manner. Along with looking for SOC 2 compliance, consider investing in a tool that can automatically monitor your vendors' security performance and automate security questionnaires. Better yet, look for a tool that is CVE compatible. And look for shared assessments that allow your organization to obtain a detailed report about your service provider's controls and verify that the information in the report is accurate.
Digital forensics isn't always going to give you anything useful, and even if it does, policing cyber attacks can be hard due to their distributed nature.
It's far better to prevent a data breach than try to clean one up after the fact. As many organizations have found out, once data is exposed it's very hard to put the genie back in the bottle.
How UpGuard can help prevent data breaches and data leaks
There's no question that cybersecurity is more important than ever before. That's why companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data and prevent data breaches.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
UpGuard Vendor Risk will continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture.