In today’s data-driven society, information security is at the forefront of most businesses’ minds. Between internal concerns and external vulnerabilities, such as outsourcing business functions to a third-party vendor (e.g. a SaaS or cloud-computing provider) there are a number of ways data can become at risk or exposed. This can leave a business of any size vulnerable to data theft, ransomware, malware, and leaks, but larger enterprise organizations are the most at risk.
If your business is security-conscious and looking to work with a new app or vendor, or simply re-evaluating your current tech stack, you should consider using SOC 2 compliance as a minimum requirement. SOC 2 compliance is considered to be one of the most stringent and industry-accepted auditing standards set forth by the American Institute of Certified Public Accountants (AICPA) to help service providers securely manage data in the cloud. It’s quickly becoming a requirement for SaaS companies who want to stay competitive or those working with enterprise-level clients, many of whom are subject to their own security and compliance controls.
What is SOC 2
Service Organization Control (SOC) 2 or SOC 2, is a set of criteria created by the AICPA for how to assess the systems, processes, and controls in place for a company’s non-financial reporting and customer data management. This auditing procedure is based on five trust service criteria (TSC) and is a loose framework unique to every company, its business practices, and corresponding controls. The five TSCs are security, availability, processing integrity, confidentiality, and privacy.
A SOC 2 certification is gained when an outside auditor has been able to complete an assessment on how a vendor complies with one or more of these TSCs. Once this audit is completed, the vendor will end up with either a Type I or Type II SOC report outlining how their internal controls address risks related to the five criteria.
A SOC 2 Type I certification means that an auditor has assessed the organization’s scope and design of internal control processes as related to relevant TSCs. This report is evaluating controls at a point in time, so consistent performance isn’t being evaluated and is a preliminary step to achieving a Type II certification. Think of Type I as a theoretical baseline, where a company’s controls design is examined and implemented, but they haven’t been “road-tested.”
A SOC 2 Type II certification can be achieved after the auditor has been able to examine the operating effectiveness of these controls over a specified period of time, typically six- to 12- months. This is a step above the Type I report since it confirms the control processes are not only designed well, implemented, but also consistently performed. Think of Type II as the real world, where they’re built right, in place, and proven to work providing even more confidence for customers.
What makes up a SOC 2 Certification
As we said earlier a SOC 2 certification is awarded when an outside auditor has deemed a service provider compliant with one or more of the relevant TSCs mentioned above. Let’s dive into each of these criteria and how they can relate to a business:
- Security: This principle is in reference to an organization’s system resources and how they’re protected against unauthorized access, either physical or logical. Access controls prevent the unauthorized removal, alteration, or disclosure of information along with theft, abuse, or misuse. Ways in which this can be managed are security tools like two-factor authentication, network and app firewalls, and intrusion detection to prevent unauthorized access via security breaches.
- Availability: This principle is referencing the system, service, or product available for operation or use as outlined in a contract or service level agreement (SLA). This is determined by both the provider and customer for an acceptable minimum level and is not in reference to a system’s usability or functionality, but the security criteria that can impact access. Ways in which this can be managed are performance monitoring, disaster recovery, and security incident handling.
- Processing Integrity: This principle is referencing a system that achieves its intended purpose, in terms of delivering the right data at right time, and at the right cost. It must be accurate, complete, timely, valid, and authorized. This doesn’t necessarily equal data integrity, since if there were errors prior to being input to the system that is not the processor’s responsibility. This can be managed through quality assurance (QA) procedures and process monitoring.
- Confidentiality: This principle is based on the consideration that confidential data is protected. This can be data whose access or disclosure is specifically restricted such as, internal pricing structures, intellectual property, or sensitive financial information. This means transmission should include encryption and storage should have access controls, network/app firewalls to protect again unauthorized users.
- Privacy: The last principle touches on the system’s collection, usage, retention, disclosure, and disposal of personal information in accordance with the company’s own privacy notice, as well as, criteria in the AICPA’s generally accepted privacy principles (GAPP). This includes personally identifiable information (PII) like names, addresses, or social security numbers that can be used to identify an individual or other personal data considered to be sensitive such as health records. This is done using access controls, 2-factor authentication, and encryption.
Who needs SOC 2
As stated previously, SOC 2 compliance is one of the most widely accepted auditing standards for data security and management, meaning that many companies will require a report before they can approve the purchase of a new software or service.
The SOC 2 report will show prospects and current customers you’re committed to protecting their client’s and own interests. Some industries that should be SOC 2 compliant are:
- Accounting, cloud computing, CRMs, data analysis, document or records management, financial services, HR, IT security management, medical claims, SaaS vendors (like Justuno!), and more.
Why SOC 2 is important
SOC 2 compliance is necessary for service providers working in highly regulated fields or with clients who are publicly traded companies, to be seen as a viable vendor for hire. This report gives prospects confidence their data is being protected and you aren’t a possibility for introducing vulnerabilities into their systems via integrations.
As data privacy continues to grow in importance and more regulations are introduced, SOC 2 compliance is only going to become more important. Just a few reasons why it’s important:
- Companies can lose out on business without it, or vice versa can gain a competitive advantage over slower to move competitors.
- It’s cheaper than a massive data breach
- It enhances a company’s reputation and trustworthiness
However, SOC 2 isn’t the only kind of SOC report around, there are two others:
- SOC 1: Reports on internal controls of financial reporting for assuring users their financial info is handled securely, and generated for other auditors. This can actually be required for some organizations to comply with, i.e. publicly traded companies.
- SOC 3: Reports on the same 5 TSCs as SOC 2 but is publicly available to anyone with only a highly-level of information since SOC 2 contain highly sensitive infrastructure outlines.
At the end of the day, the type of SOC report you as a company should seek out depends on the services provided and the clientele pursued.
SOC 2 compliance isn’t a requirement for SaaS providers, but its importance cannot be overstated. Whether you’re a business seeking out it’s own SOC reports or a company looking to compare outside vendors, it’s important to understand what a SOC audit is, what to look for in a company’s systems, and how that impacts your own organization.
Justuno is SOC 2 Type II compliant in the TSCs: Security, Availability, and Processing Integrity as certified by Dansa, D’Arata, Soucia LLP in 2021. As a SaaS platform that constantly handles personal data and often sensitive information, it’s important to Justuno that we uphold and maintain the most stringent standards of security, integrity, and privacy.