What SOC2 Should Mean To You

System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.

Privacy

The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).

Personal Identifiable Information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access. Failing to protect such sensitive data results in heavy fines.

Security

Security refers to the protection of information and systems from unauthorized access. This may be through the use of IT security infrastructure such as firewalls, two-factor authentication, and other measures to keep your data safe from unauthorized access. You can look at our articles on Technical and Physical Safeguards to give you a more indepth look on what that looks like.

Processing Integrity

Processing Integrity ensures that systems perform their functions as intended and are free from error, delay, omission, and unauthorized or inadvertent manipulation. This means that data processing operations work as intended and are authorized, complete, and accurate.

The processing integrity criteria tests, associated with the SOC 2 audit, set out to assess that there are no errors in processing. If there are any errors, it also assures timely correction.

The criteria also focuses on inputs and outputs to the system, ensuring they are accurate throughout the processing of any actions within the system.

Confidentiality

Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.

Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

Availability

Availability is whether the infrastructure, software, or information is maintained and has controls for operation, monitoring, and maintenance. This criteria also gauges whether your company maintains minimal acceptable network performance levels and assesses and mitigates potential external threats.

Who Does it Apply To?

SOC 2 can apply to any technology service provider or SaaS (Software as a Service) company that handles or stores customer data. Third-party vendors, other partners, or support organizations that those firms work with should also maintain SOC 2 compliance to ensure the integrity of their data systems and safeguards. It is important to note that SOC 2 compliance is not required but is voluntary certification that many companies pursue to further exemplify their commitment to managing customer data well.

What Does Being SOC2 Compliant Mean For Your Company

Being SOC2 compliant means that your firm knows what normal operations look like and are regularly monitoring for malicious or unrecognized activity, documenting system configuration changes, and monitoring user access levels. That you have tools in place to recognize threats and alert the appropriate parties so they can evaluate the threat and take necessary action to protect data and systems from unauthorized access or use. Also, you have the relevant information on any security incidents, so you can understand the scope of the problem, remediate systems or processes as necessary, and restore data and process integrity.