ADCG’s Guide – SOC2 Compliance
To help your organization guard against data loss or breach, we have compiled the following guide on the industry’s leading data assessment standard: Service Organization Control (SOC 2).
SOC 2 outlines a set of voluntary compliance standards established by the American Institute of Certified Public Accountants (AICPA) that a vendor can use to manage sensitive data, such as financial or medical information, on premises and in cloud environments.
An organization being deemed SOC 2-compliant is a major value-add. In fact, according to CPO Magazine, “many B2B enterprise buyers might not even want to have a serious sales meeting until they know your company can demonstrate security best practices through a SOC 2 audit.”
According to this article by The News Stack, SOC 2 has two types of compliance standards — Type I and Type II. Type I “ensures that security and compliance commitments are met through the development of infrastructure, software, processes, data and controls that an organization has put in place.” Type II “takes things a step further” by using a qualified third-party auditor evaluating and validating controls over time, as well as the “effectiveness of organizational security.”
According to The News Stack, achieving either type of compliance “is a lengthy and challenging task.” The CPO Magazine article notes that Type 1 audits last between two to three weeks and could cost an organization between $10,000 and $20,000. Meanwhile, Type 2 audits could take between six months and a year and might cost between $20,000 and $30,000.
Though both types will ensure compliance with the security frameworks’ minimum requirements, this article makes clear that “[a]chieving SOC 2 Type 2 compliance is a critical confirmation that your implemented security and compliance program is working.”
In this Security Boulevard article, one company, Swimlane, outlined its experience with the audit process. First, the auditors thoroughly review system documentation, including your organization’s policies and procedures. The auditor will then interview “key personnel in the organization” to verify that the policies and procedures are being properly followed. Finally, the auditors conduct an on-site inspection of your organization to examine your hardware and software configuration.
Under Type II, The News Stack states that the auditor ensures your organization “meets all applicable requirements in one or more of the following trust principles: security; availability; processing integrity; confidentiality; and privacy.” Although each of these principles plays a role in protecting your organization, security is the only principle that is mandatory for an audit. As such, your organization is responsible for implementing measures that ensure security, such as “authorization, authentication, management, and identification,” and measures that will prevent data theft, such as “system and data manipulation, unauthorized access, misuse of software and many more security threats.”
The measures deployed by each organization may vary as the criteria for SOC 2 are “generally broad and flexible,” so long as the standard is being met. The CPO Magazine article suggests the following steps to expedite the process and ensure efficiency:
- Complete readiness assessments in your organization to “identify opportunities to improve your compliance processes and controls.”
- Assign an internal team dedicated to preparing for the SOC 2 audit
- On your internal team, impose documentation requirements and assign a dedicated team member with decision-making authority to “work as a liaison to manage communication between the SOC 2 auditor and your company’s technical teams.”
- Hold your internal team to maintaining a progress time frame and budget;
- Select a reputable CPA firm that is familiar with SOC 2 audits to assist your internal teams and auditor in achieving compliance.
* * * * * * *
For ADCG’s Breach Report and more news updates discussing: new KLAS report shows healthcare organizations tightening security; how cure periods work under new state laws; federal court rules on remote proctoring practices; and Pennsylvania proposes new privacy bill, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Andrew Grosso, former Assistant US Attorney and whistleblower expert, joins Jody Westby on our Privacy and Cybersecurity podcast this week to discuss the Twitter, Facebook and other tech company whistleblowers, the impact whistleblower cases can have on companies and their privacy and security programs, the impact on governance of tech companies, and protections afforded these whistleblowers. New episodes are generally released on Thursdays, here. They can be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!