What is SOC2 compliance?
The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), sets a standard for managing client data based on the “trust service principles” criteria: security, availability, processing integrity, confidentiality, and privacy.
Who needs SOC2?
The SOC2 report establishes the level of security applied to customer data and provides evidence that customer data is protected from unauthorized access and remains private. This compliance is relevant to any service provider that stores customer data on a cloud server, such as banks, investment firms and insurance companies.
It’s important to note that most companies that already meet other cyber-security standards such as HIPAA, PCI DSS or CE’s do not have to meet SOC2, because there may be an overlap between the standards. IT companies working in healthcare services, for example, might therefore not need the SOC standard. However, hospitals, insurance companies, and financial organizations that handle payments should check whether SOC2 applies to them: given the sensitivity of the information these organizations deal with, additional layers of protection might be needed.
There are 2 types of SOC2 reports:
Type I – describes the vendor’s systems and whether their design meets the criteria defined for the “trust service principles”.
Type II – describes the operational efficiency of the organization’s systems and tests them over a time frame of 6-12 months.
Trust Service Principles
Security – Protection of system resources against unauthorized access, using access controls that help prevent system exploitation, theft, or unauthorized deletion of information. IT tools such as a WAF, 2-step authentication, and intrusion detection systems are essential to meeting this criterion.
Availability – SOC2 emphasizes easy access for customers and service users to systems, products or services, as agreed and signed in the contract between the two parties, the service provider and the customer. This criterion requires monitoring the functioning of the network, including identifying and detecting attacks that could disable the service.
Processing Integrity – The processing of information must be accurate, fast, meet deadlines, and be carried out only with the permission of users who have access. Note that this criterion does not cover the quality of the information itself: if the information provided contains an inaccuracy, it is not the service provider’s role to recognize the mistake.
Confidentiality – Encryption, a WAF, and strict user-sharing policies help service providers ensure that information is not shared with unauthorized persons.
Privacy – The process of collecting, storing, and deleting personal information in accordance with the contract agreed with the customer and with the criteria defined in the GAPP.
Any identifiable information such as name, address, ID number, and even other personal information relating to health, race, sex, and religion should be defined as sensitive information. Such information requires an additional layer of protection, and its keeper must take strict steps to ensure that it is not passed on to an unauthorized person.
Things to Know Before Complying with SOC2
It’s important to understand the scope of the audit beforehand. Not every organization or project must meet all the criteria defined in the trust service principles, and without a deep understanding of the audit’s outline, your organization can waste time and resources.
In addition, you must have a thorough understanding of your systems’ technical infrastructure before beginning the compliance process. Identify outdated systems and upgrade them accordingly. Third-party systems or SaaS products must also meet proper standards.