What is SOC 2 Compliance?
Customer data that’s stored and processed in the cloud presents unique security challenges. When that data is handled by third-party service providers, it becomes even more difficult to protect.
The System and Organization Controls (SOC) standards were created to give businesses a uniform way to demonstrate that the customer data they hold is handled securely. Compliance with SOC 2 is not mandatory, and a SOC 2 report is an independent auditor's attestation rather than a certification, but a clean SOC 2 audit lets enterprises assure their customers that their data is protected.
SOC 2 compliance increases the trust companies can place in their service providers, and a clean report demonstrates credibility and dependability in a crowded field.
What are the Types of SOC Compliance?
The original SOC standard, now known as SOC 1, was developed by the American Institute of Certified Public Accountants (AICPA). SOC 1 covers the controls at a service organization that are relevant to its customers' financial reporting.
SOC 2 grew out of the need for stronger information security and protection of customer data. SOC 2 compliance focuses less on financial reporting and more on how a business secures and manages the data it holds. SOC 3 covers the same criteria as SOC 2, but its report omits the detailed control descriptions and test results, so it can be published for a general audience.
Within SOC 2 there are two report types:
- A Type I report covers a single point in time. The auditor reviews the controls for each trust services category in scope and confirms that they exist and are suitably designed, but does not test whether they have operated as intended.
- A Type II report covers a review period, typically 6 to 12 months; a prior Type I report is not a prerequisite. In addition to reviewing the design of the controls, the auditor samples evidence from across the period to test whether the controls operated effectively and consistently.
What are the Five Principles of SOC 2 Compliance?
The SOC 2 criteria (the AICPA Trust Services Criteria) are organized around five categories. Security is required in every SOC 2 report; the other four are included only when they are in scope for the service being examined:
- Security — Controls that protect systems and data against unauthorized access, disclosure, and damage: identity and access management, two-factor authentication, data encryption, firewalls, and monitoring. From password management to the badges employees use to enter office buildings, access to customer information is granted strictly on a need-to-know basis.
- Privacy — Covers how personal information (PII) is collected, used, retained, disclosed, and disposed of, in line with the privacy notice a company gives its customers. Encrypting PII and restricting it to those who need access is part of this, but the auditor also reviews whether the company actually adheres to the terms and conditions and privacy policy it publishes. SOC 2 does not itself test GDPR or CCPA compliance, but depending on where a business operates, those obligations overlap heavily with this category.
- Availability — SOC 2 sets no fixed uptime requirement; the auditor uses the service level agreements a company has committed to as the benchmark for whether its systems are available. Availability controls also include backups and disaster recovery plans, along with an incident response plan for outages.
- Confidentiality — Like privacy, confidentiality criteria ensure that sensitive data is stored, maintained, and accessed in ways that protect it. Where privacy concerns personal information, confidentiality covers other data a company designates as confidential, such as intellectual property, business plans, or information protected by NDAs.
- Processing integrity — The AICPA defines processing integrity as “system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.” Auditors might look at QA processes and at policies for resolving errors once they are reported or discovered.