An Overview of SOC2
In this article, you will discover:
- What’s SOC 2 and its five Trust Services Criteria
- Who needs SOC 2 and how to achieve compliance
- SOC 2 Tools
What’s SOC 2?
SOC 2 (System and Organization Controls 2) is a compliance standard developed by the American Institute of CPAs (AICPA) in 2010. It provides guidelines for service organizations to protect customer data from unauthorized access, security incidents and vulnerabilities.
SOC 2 defines requirements to manage and store customer data based on five Trust Services Criteria (TSC):
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
SOC 2 reports are customized to suit the unique requirements of each organization; therefore, each report can be different. For example, a company may want to assert its commitment to integrity and ethical values, while another may want to prove that it has a robust and secure Infrastructure Service System.
Based on their individual business operations, organizations can establish controls aligned with one or multiple trust principles. These internal reports offer crucial insights into how the organization handles its data, serving as valuable resources for regulators, business partners, and suppliers.
There are two types of SOC 2 reports:
- Type I: evaluates a company’s controls at a single point in time, asserting whether the security controls comply with the relevant trust principles.
- Type II: assesses the operating effectiveness of those controls over a period of time, generally 3-12 months, determining whether the security controls functioned as intended.
It’s important to note that SOC 2 is not exactly a security framework because it doesn’t prescribe best practices, and technically, there’s no such thing as a “SOC 2 Certification”. It is a voluntary attestation, which is then examined and attested to by a third-party auditor. That attestation is your SOC 2 report.
SOC 2 Five Trust Services Criteria Summary
Security
The primary goal of the Security criterion is to ensure the protection of information and systems from unauthorized access, disclosure, or damage. This criterion consists of nine ‘points of focus’ that need to be addressed to meet security requirements:
- CC1: Control Environment
- CC2: Information and Communication
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
Organizations must have control activities in place for each of these points, ideally supported by two to three controls per point to ensure the criteria’s objectives are met, even if one control were to fail.
Availability
The Availability criterion aims to guarantee system availability and information accessibility for users. It encompasses three additional ‘points of focus’:
- A1.1: Manage and predict processing capacity and demand
- A1.2: Authorize, design, develop or acquire, implement, operate, approve, maintain and monitor environmental protections, software, data backup processes and recovery infrastructure.
- A1.3: Test Recovery Plan Procedures
Processing Integrity
Processing Integrity focuses on ensuring that system and information processing is complete, valid, accurate, timely, and authorized to align with the entity’s objectives. There are five additional ‘points of focus’ to achieve the processing integrity criteria:
- PI1.1: Obtain, generate, use and communicate relevant information related to processing
- PI1.2: Implement policies and procedures over system inputs
- PI1.3: Implement policies and procedures over system processing
- PI1.4: Implement policies and procedures to deliver output completely, accurately and timely.
- PI1.5: Implement policies and procedures to store inputs, items in processing and outputs completely, accurately and timely.
Confidentiality
Confidentiality’s objective is to safeguard defined confidential information within the system. There are two additional ‘points of focus’:
- C1.1: Identify and maintain confidential information
- C1.2: Dispose of confidential information
Privacy
Privacy ensures the protection of Personally Identifiable Information (PII) from breaches and unauthorized access. This criterion encompasses eight additional ‘points of focus’ that must be addressed:
- P1: Notice and Communication
- P2: Choice and Consent
- P3: Collection
- P4: Use, Retention and Disposal
- P5: Access
- P6: Disclosure to Third Parties
- P7: Quality
- P8: Monitoring and Enforcement
Meeting privacy requirements can be challenging due to the number of points of focus and specific requirements within each.
Why is SOC 2 important?
SOC 2 is a means to prove a company’s commitment to information security and build trust among its customers.
In addition, SOC 2 is widely recognized in the US and can be presented to different US customers to show them that your company meets their security requirements.
Who needs SOC 2?
SOC 2 applies to organizations of all sizes and from all sectors that store, process, or transmit any kind of customer data. Your company will also need SOC 2 if you’re selling services or software to other businesses that are SOC 2 compliant or that handle sensitive data.
What’s SOC 2 Compliance and how to get SOC 2 Attestation?
While SOC 2 compliance is not a legal requirement like HIPAA or GDPR, it may be required by customers and other stakeholders looking for assurance that you have the necessary systems and controls to safeguard their data.
There are multiple steps involved in a SOC 2 process:
- Determine the scope of your SOC 2 report and the relevant SOC 2 criteria.
- Implement the required controls and test them.
- Hire an independent auditor from an AICPA-accredited firm or independent CPAs (Certified Public Accountants).
- Document evidence.
- Undergo a SOC 2 audit and receive a SOC 2 report.
During a SOC 2 audit, the auditor will assess a company’s security stance related to one or all of the five Trust Services Criteria (TSC). The Security TSC is always included in a SOC 2 audit, while the remaining are optional.
After the audit, the company will receive a report, regardless of whether they passed the audit. Here are the terms auditors use to describe the audit results:
- Unqualified: The company passed its audit (the controls meet SOC 2 requirements).
- Qualified: The company passed, but some controls require attention.
- Adverse: The controls don’t meet SOC 2 requirements.
- Disclaimer of Opinion: The auditor doesn’t have enough information to make a fair conclusion.
Tools & Technologies needed to pass SOC 2 Audit
Achieving SOC 2 compliance often involves using specialized tools and software to address specific application and data security requirements. Below, we outline some key SOC 2 tools and technologies you should be aware of:
Vulnerability scanning
Vulnerability scanning is a process of discovering, analyzing and reporting on security flaws and weaknesses in your computers, networks or applications. Vulnerability scanning needs to be done regularly (at least quarterly) using scanning tools.
There are 5 types of vulnerability scanners:
- Network-based scans: identify possible network security attacks and vulnerable systems.
- Host-based scans: find vulnerabilities in workstations, servers or other network hosts.
- Wireless scans: detect rogue access points and validate that a company’s network is securely configured.
- Application scans: identify vulnerabilities and misconfigurations in web apps.
- Database scans: find weaknesses in databases
Ongoing Logging & Monitoring
Logging in information security entails collecting and storing data about system and network activities, such as user logins, logouts, file access, network connections, and system events. Consistent logging is crucial for investigating and responding to incidents. Below are some recommended logging controls:
- Event logging: Record user activities, exceptions, faults, and information security events and regularly review them.
- Log storage: When managing multiple applications, it can be advantageous to consolidate the generated logs from each application onto a central server.
- Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.
- Log analysis: The logs must be regularly analyzed to promptly detect and investigate unusual behavior and errors.
- Clock synchronization: Configuring all systems with synchronized time and date settings to facilitate traceability across different systems when an incident occurs.
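The logging controls above (central storage, protection against tampering, log analysis and clock synchronization) can be shown working together in a small script. The following is an added example, not code from the original article: a central log store that hash-chains incoming records so that any later edit is detectable, flags source hosts whose timestamps disagree with the order of receipt (a clock-synchronization check), and runs a simple failed-login detection over the records. The sample events, host names, users and thresholds are constructed for illustration.

```python
"""Added example (not from the article): a tamper-evident central log store
with a clock-skew check and a failed-login detection over sample events.
All hosts, users, timestamps and thresholds are constructed/hypothetical."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in the order a central log server received them.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "host": "app-01", "event": "login", "user": "alice", "outcome": "success"},
    {"ts": "2024-03-01T10:00:05Z", "host": "app-01", "event": "login", "user": "bob", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:07Z", "host": "app-01", "event": "login", "user": "bob", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:09Z", "host": "app-01", "event": "login", "user": "bob", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:11Z", "host": "app-02", "event": "login", "user": "bob", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:12Z", "host": "app-02", "event": "login", "user": "bob", "outcome": "failure"},
    {"ts": "2024-03-01T09:45:00Z", "host": "db-01", "event": "file_access", "user": "svc", "outcome": "success"},
    {"ts": "2024-03-01T10:01:00Z", "host": "app-01", "event": "logout", "user": "alice", "outcome": "success"},
]

GENESIS = "0" * 64  # previous-hash value for the first record in the chain


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _digest(prev_hash, entry):
    # Canonical JSON so that the same event always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_chained(entries):
    """Store each event with the hash of (previous hash + event): a hash chain.
    Editing or deleting any stored event breaks every later link."""
    chain, prev = [], GENESIS
    for entry in entries:
        digest = _digest(prev, entry)
        chain.append({"prev": prev, "entry": entry, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Recompute every link; return the index of the first broken record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return -1


def clock_skew_hosts(entries, tolerance=timedelta(minutes=5)):
    """Records arrive in receipt order. A record whose own timestamp is older than
    the newest one already seen by more than `tolerance` points at a source host
    whose clock is not synchronized."""
    suspects, newest = set(), None
    for e in entries:
        t = parse_ts(e["ts"])
        if newest is not None and newest - t > tolerance:
            suspects.add(e["host"])
        newest = t if newest is None else max(newest, t)
    return suspects


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=1)):
    """Return {user: count} for users with >= threshold failed logins inside one
    sliding window, counted across all hosts (the benefit of central storage)."""
    times = defaultdict(list)
    for e in entries:
        if e["event"] == "login" and e["outcome"] == "failure":
            times[e["user"]].append(parse_ts(e["ts"]))
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    chain = append_chained(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    print("hosts with clock skew:", clock_skew_hosts(SAMPLE_EVENTS))
    print("failed-login bursts:", failed_login_bursts(SAMPLE_EVENTS))
```

The hash chain is the cheapest form of the "protection of log information" control: it does not stop an attacker with write access from editing logs, but it makes the edit visible at the next verification, which is what an auditor will ask you to demonstrate. In production the chain head would be anchored somewhere the log server itself cannot rewrite (a separate append-only store or a signed checkpoint), and the detection rule would read from the central store rather than an in-memory list.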
Firewalls
Firewalls are hardware or software that provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can be configured to block data from certain locations (i.e., computer network addresses), applications, or ports while allowing relevant and necessary data through.
Load balancer
A load balancer spreads requests across multiple servers, helps minimize the attack surface and defends an organization against security risks such as distributed denial-of-service (DDoS) attacks, in which attackers send abnormally large volumes of packets to disrupt or crash a web server.
Auto Scaling
Auto Scaling is a cloud computing technique for dynamically allocating computational resources. It helps protect against application, hardware, and network failures by detecting and replacing unhealthy instances while still providing application resiliency and availability.
Tabletop disaster recovery exercises (TTX/TTE)
TTX are group sessions in which team members discuss their role, responses to specific disaster scenarios and how to restore critical business operations in case of a disaster. Tabletop exercises help test out your organization’s Disaster Recovery Plan and Incident Response Plan and identify weaknesses.
Penetration Testing (Pen Testing)
Pen Testing is a security assessment technique where ethical hackers simulate real-world attacks to uncover vulnerabilities and weaknesses in a system or network. More information regarding Pen Testing can be found here.
Network Diagram
A network diagram visualizes how network components are interconnected or separated from each other. It helps understand the data flow, network segments and security zones, facilitating risk mitigation and security policy enforcement.
Network Segregation (Network Segmentation)
Network segregation is the practice of dividing a computer network into multiple subnetworks in order to improve performance and security. By isolating the network into separate contained parts, network segmentation effectively prevents unauthorized users from compromising the entire network. There are a few ways to segment your network, such as a combination of firewalls, Virtual Local Area Networks (VLANs), and Software Defined Networking (SDN).
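The firewall and network segmentation sections above both come down to the same control: an ordered, default-deny allow-list between security zones. As an added example (not code from the article), the script below models such a policy with the standard `ipaddress` module, evaluates individual flows against it, and derives the zone-to-zone reachability table that a network diagram would show and an auditor would ask for as evidence. The zone ranges, rule set and test flows are constructed for illustration.

```python
"""Added example (not from the article): a first-match, default-deny segmentation
policy between network zones. Zones, rules and flows are constructed."""
import ipaddress

# Hypothetical zones; each zone is one address range for simplicity.
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "office": ipaddress.ip_network("192.168.10.0/24"),
}

# Ordered rules: (src_zone, dst_zone, protocol, destination ports, action).
# Only what is listed is allowed; everything else falls through to deny.
RULES = [
    ("dmz", "app", "tcp", {8443}, "allow"),        # reverse proxies reach the app tier
    ("app", "db", "tcp", {5432}, "allow"),         # app tier reaches the database
    ("office", "app", "tcp", {22}, "allow"),       # administrators reach app hosts
    ("office", "db", "tcp", {22}, "allow"),        # administrators reach db hosts
]


def zone_of(ip):
    """Return the zone name containing `ip`, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dst_port):
    """First-match evaluation with an implicit final deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"          # unknown addresses never match an allow rule
    if src == dst:
        return "allow"         # intra-zone traffic is not segmented in this model
    for rule_src, rule_dst, rule_proto, ports, action in RULES:
        if (rule_src, rule_dst, rule_proto) == (src, dst, proto) and dst_port in ports:
            return action
    return "deny"


def reachability_matrix():
    """Zone pair -> sorted list of 'proto/port' strings the policy allows.
    This is the table a network diagram summarizes and an auditor reviews."""
    matrix = {}
    for rule_src, rule_dst, rule_proto, ports, action in RULES:
        if action != "allow":
            continue
        matrix.setdefault((rule_src, rule_dst), set()).update(
            f"{rule_proto}/{p}" for p in ports)
    return {pair: sorted(v) for pair, v in matrix.items()}


def unreachable_pairs():
    """Zone pairs with no allowed path at all: the segmentation the policy enforces."""
    allowed = reachability_matrix()
    return sorted((s, d) for s in ZONES for d in ZONES if s != d and (s, d) not in allowed)


if __name__ == "__main__":
    for pair, ports in reachability_matrix().items():
        print(f"{pair[0]:>6} -> {pair[1]:<6} {', '.join(ports)}")
    print("isolated pairs:", unreachable_pairs())
```

The point worth noticing is the absence of a `("dmz", "db", ...)` rule: a compromised host in the DMZ has no allowed path to the database tier, which is exactly the "prevents unauthorized users from compromising the entire network" property the section describes. `unreachable_pairs()` lists those isolated pairs so the policy's intent can be checked against the diagram rather than inferred from it.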
Sign up for Agency today and find more about ways to stay SOC 2 compliant.