SOC 2 Compliance

Cybersecurity frameworks lay down the guiding principles and best practices that companies follow to improve their security posture. SOC 2 is one such framework; it applies to companies that store or otherwise handle customer financial data.

What is SOC 2?

SOC 2 (Service Organization Control Type 2) is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). Its primary purpose is to ensure that third-party service providers store and process client data securely.

The framework specifies criteria to uphold high standards of data security, based on five trust service principles: security, privacy, availability, confidentiality, and processing integrity.

SOC 2 Principles Explained

Unlike other compliance frameworks, which impose one predefined set of conditions on all companies, SOC 2 requirements differ for every organization. Each organization must formulate its own security controls, appropriate to its operating model, in order to comply with the five trust principles.

Security

Broadly speaking, the security principle requires that data and systems be protected against unauthorized access. To that end, you may need to implement some form of access control, for example using access control lists or an identity management system.

You may also have to tighten your firewalls with stricter inbound and outbound rules, deploy intrusion detection and recovery systems, and enforce multi-factor authentication.

Confidentiality

Data qualifies as confidential if only a specific group of people should be able to access it. Examples include application source code, usernames and passwords, credit card information, and business plans.

To adhere to this principle, confidential data must be encrypted both at rest and in transit. When granting access to confidential data, follow the principle of least privilege: give people only the minimum permissions they need to do their jobs.
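The access-control-list and least-privilege controls mentioned under the Security and Confidentiality principles can be made concrete in a small deny-by-default authorization check. The following is an added example written for this page, not code from Data Net or from the AICPA; the resource names, roles, user assignments and permissions are constructed sample data.

```python
"""Deny-by-default ACL check with an audit trail (constructed example).

Every permission must be granted explicitly; anything not listed is denied,
which is how least privilege is enforced in practice. The ACL, roles and
users below are hypothetical sample data, not a real organization's policy.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical ACL: resource -> role -> the permissions that role may exercise.
ACL: Dict[str, Dict[str, FrozenSet[str]]] = {
    "customer-financials": {
        "accountant": frozenset({"read"}),           # read-only for day-to-day work
        "controller": frozenset({"read", "write"}),  # only the controller may change records
    },
    "app-source-code": {
        "developer": frozenset({"read", "write"}),
    },
}

# Hypothetical user-to-role assignments.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"accountant"}),
    "bob": frozenset({"developer"}),
    "carol": frozenset({"controller"}),
}


@dataclass
class AuditLog:
    """Records every access decision so that denied attempts can be reviewed."""
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def record(self, user: str, resource: str, action: str, decision: str) -> None:
        self.entries.append((user, resource, action, decision))


def is_allowed(user: str, resource: str, action: str, log: AuditLog) -> bool:
    """Return True only if one of the user's roles explicitly grants `action` on `resource`.

    Unknown users, unknown resources and unlisted actions all fall through to DENY.
    """
    roles = USER_ROLES.get(user, frozenset())
    grants = ACL.get(resource, {})
    allowed = any(action in grants.get(role, frozenset()) for role in roles)
    log.record(user, resource, action, "ALLOW" if allowed else "DENY")
    return allowed


def denied_attempts(log: AuditLog) -> List[Tuple[str, str, str, str]]:
    """Filter the audit log down to denied requests, the entries worth reviewing."""
    return [entry for entry in log.entries if entry[3] == "DENY"]


if __name__ == "__main__":
    audit = AuditLog()
    is_allowed("alice", "customer-financials", "read", audit)   # allowed: accountant may read
    is_allowed("alice", "customer-financials", "write", audit)  # denied: write not granted
    is_allowed("bob", "customer-financials", "read", audit)     # denied: developer has no role here
    is_allowed("dave", "app-source-code", "read", audit)        # denied: unknown user
    for entry in denied_attempts(audit):
        print("DENY", entry)
```

The point of the structure is that the check never has to enumerate what is forbidden; a role that is not listed for a resource simply has no rights there, and every decision, allowed or denied, leaves an entry that an auditor can inspect.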

Availability

Systems should meet availability SLAs at all times. This requires building inherently fault-tolerant systems, which do not crumble under high load. It also requires organizations to invest in network monitoring systems and have disaster recovery plans in place.

Privacy

The collection, storage, processing, and disclosure of any personally identifiable information (PII) must adhere to the organization’s data usage and privacy policy, along with the conditions defined by the AICPA, in the Generally Accepted Privacy Principles (GAPP).

PII is any information that can be used to uniquely identify an individual, such as a name, age, phone number, credit card information, or social security number. An organization must enforce rigorous controls to protect PII from unauthorized access.

Processing Integrity

All systems must always function as designed, free of delays, vulnerabilities, errors, or bugs. Quality assurance and performance-monitoring tools and procedures are crucial to adhering to this principle.

SOC 2 Type 1 vs Type 2

There are two main types of SOC 2 compliance: Type 1 and Type 2.

Type 1 attests to an organization's use of compliant systems and processes at a specific point in time. Type 2, by contrast, attests to compliance over a period (usually 12 months).

A Type 1 report describes the controls an organization has in place and confirms that they are properly designed and enforced. A Type 2 report includes everything in a Type 1 report, plus an attestation that the controls are operationally effective.

Data Net Supports Businesses that Must Meet SOC 2 Compliance 

Data Net has been providing IT support for CPAs and financial organizations for decades. This means that we are very familiar with SOC 2 compliance and know how to support it from an IT perspective. To get started, give us a call at (760) 466-1200.
