SOC 2 Compliance

Service Organization Controls (SOC) 2 is a technical audit that requires organizations to adhere to information security policies and procedures. Most specifically, SOC 2 focuses on technology-based service organizations whose business stores customer data in the cloud or service organizations that have technology-based access to customer data through managed service agreements.

SOC 2 Preparation & Audit Reporting

Technology organizations and cloud computing vendors face many compliance challenges today. Understanding why Service Organization Controls (SOC) 2 compliance matters, and learning how to navigate its framework, is essential for organizations that want to remain competitive. SOC 2 compliance includes a complex set of requirements that must be reviewed and meticulously addressed, and without pre-assessment preparation the overall process can be daunting.

SOC 2 compliance is part of the American Institute of CPAs (AICPA) Service Organization Control platform, which ensures that computer systems maintain security, availability, processing integrity, confidentiality and customer data privacy. These areas of focus are categorized into SOC Trust Services Criteria.

What does SOC 2 require?

First and foremost, SOC 2 requires organizations to continuously monitor all environments for activity that is unusual or unauthorized. Most often, suspicious activity shows up at the system configuration level and at user access points. It is equally critical to monitor for everyday malicious activity, such as a phishing scam or an unauthorized access request, and for previously unknown malicious behavior such as a zero-day attack. To identify new threats, organizations must first establish a baseline of normal behavior in their cloud environments; activity that deviates from that baseline is then easier to detect.

SOC 2 requirements are broken down into 5 components: Security, Availability, Processing Integrity, Confidentiality and Privacy.

Security: Every SOC audit includes the security component. It focuses on the standard criteria of protecting customer data and systems used to create, store, use, process or transmit data. Tools and policies that are typically in the security component include:

  • Intrusion detection systems (IDS)
  • Firewalls and other network and application security measures
  • Multi-factor authentication tools and potentially client certificates
  • Penetration tests and vulnerability assessments
  • Implementing computer use policies
  • Digital and physical access controls

Availability: Availability is defined as how well an organization’s systems can be monitored and maintained, covering infrastructure, software, and data. Components in this category include:

  • Disaster response and recovery
  • Secure data backups
  • Performance and incident monitoring and response

Processing Integrity: This principle focuses on delivering the right data at the right price at the right time. Data processing should not only be timely and accurate; it needs to be valid and authorized. SOC 2 compliance requirements in this category include:

  • Create and maintain records of system inputs
  • Define processing activities

Confidentiality: An organization must restrict access to private data, so only specific people or organizations with a need to know can access and view it. Confidential data is defined as sensitive financial information, business plans, healthcare information, credit card information, customer data in general or intellectual property. SOC 2 compliance requirements in this category include:

  • Digital and physical access controls
  • Network and application firewalls
  • Cryptographic solutions

Privacy: This principle determines whether the organization adheres to the client’s privacy policies and the generally accepted privacy principles (GAPP) from the AICPA, and considers the methods used to collect, use, and retain personal information as well as the processes for disclosure and disposal of data. Personal information covered by these SOC 2 requirements includes first and last names, social security numbers and other identifiable contact information. The AICPA outlines the privacy criteria as:

  • Notice and communication of objectives
  • Choice and consent
  • Collection
  • Use, retention and disposal
  • Access
  • Disclosure and notification
  • Quality
  • Monitoring and enforcement

InfoSystems’ team of cybersecurity professionals is immersed in compliance regulations and has a deep knowledge of how to keep your organization’s data safe and secure. Our experts can help prepare your organization by conducting a SOC readiness assessment. The readiness assessment can identify gaps in advance of a full SOC 2 audit. InfoSystems partners with Assure Professional to jointly perform SOC 2 audits and produce the AICPA-compliant reporting and attestation. Assure Professional, LLC is a non-traditional, innovative provider of audit services to service organizations, full investment cycle services to private equity and venture capital firms, affordable accounting and tax services, as well as a designated HITRUST assessor.

InfoSystems’ cybersecurity principles are simple:

  • Be your trusted compliance and risk program advisor
  • Deliver cost-effective technology to reduce enterprise-wide risk
  • Provide expert services to complement internal IT teams
  • Detect and respond to threats on your organization's behalf
  • Bring information security leadership to businesses of all sizes
