9 Things You Should Know About SOC 2 Data Security
January 23, 2023
Background: How secure is your data?
Data is the lifeblood of your organization. Malicious or accidental disclosure or loss of your data — especially Personally Identifiable Information (PII) such as Social Security numbers, driver’s license numbers, or email addresses — can cause catastrophic consequences. Lawsuits, fines, erosion of public trust, loss of business, and more.
The Bottom Line
You can reduce the risk of catastrophic data loss by insisting that any software partner that helps you manage mission-critical data holds a current SOC 2 report. Ask for the report itself, not just a badge on a website, and read the auditor's opinion and any noted exceptions; then you can be confident you have done the reasonable due diligence on the partner that handles your mission-critical data.
Simply put, partnering with SOC 2 compliant software vendors provides evidence-backed assurance in a world where the threats against your data intensify daily.
PART 2: SOC 2 101 — An Executive Primer
If you’re interested in learning more, read on for the 9 things everyone involved with customer data should know about SOC 2.
Where did SOC originate?
SOC (System and Organization Controls) reporting was introduced by the American Institute of Certified Public Accountants (AICPA) as the successor to the older SAS 70 audit, to give organizations assurance that service organizations, such as software vendors, employ rigorous, independently examined data management processes and controls that keep their customers' data safe and secure.
What is SOC 1 versus SOC 2?
SOC 1 focuses on internal controls relevant to a customer's financial reporting. SOC 2 focuses on information security and IT operational controls. SOC 2 is the relevant report for organizations choosing a software partner to help them manage customer data. The AICPA organizes SOC 2 controls according to the 5 Trust Services Criteria; only Security is required in every SOC 2 report, and the vendor chooses which of the other four are in scope. More on these below.
What is Type 1 versus Type 2?
A SOC 2 Type 1 report evaluates whether a vendor's controls are suitably designed at a single point in time. A SOC 2 Type 2 report evaluates whether those controls were designed and operated effectively over a review period, typically 6 to 12 months, so the auditor tests evidence of the controls actually running rather than just their documentation. Certemy's SOC 2 report is the more rigorous Type 2 report that most organizations demand from their software partners.
What are the 5 Trust Services Criteria?
The AICPA's Trust Services Criteria (TSC) serve as the control criteria used by auditors when assessing a software vendor's controls for information and systems security. The 5 TSC are as follows. Of the 5 criteria, Security (also called the Common Criteria) is mandatory in every SOC 2 report and is the one security-conscious organizations should read most closely; the other four appear only if the vendor put them in scope, so check the report's scope section before assuming they were tested.
- Security – The vendor’s system is protected against unauthorized access, both physical and logical.
- Availability – The vendor’s system is available for operation and use as committed or agreed.
- Processing Integrity – The vendor’s system processing is complete, accurate, timely, and authorized.
- Confidentiality – The vendor’s system protects client information designated as confidential as committed or agreed.
- Privacy – The vendor’s system collects, retains, discloses, and destroys personal information in conformity with the commitments in the vendor’s privacy notice and the criteria set forth in Generally Accepted Privacy Principles (GAPP).
What are the basic requirements for SOC compliance?
The most critical requirement of SOC 2 is that software vendors develop written data security policies and procedures that are followed by everyone in the vendor's organization. To obtain a SOC 2 report, a software vendor must document these policies and procedures for an independent CPA auditor and provide evidence that they are followed in practice. The auditor tests this evidence against the Trust Services Criteria and issues an opinion; the resulting report describes the controls tested and lists any exceptions found, so a "clean" (unqualified) opinion with no exceptions is the outcome to look for.
What needs to be monitored?
Proactive monitoring for data security threats is a major part of the Security criteria. The most important things a SOC 2 compliant software vendor needs to monitor include any unauthorized, unusual, or suspicious activity related to a specific client's data. This type of monitoring usually covers changes to system configuration and to user access rights, and watches for both known and previously unseen malicious activity, such as logins following a phishing campaign or other types of inappropriate and unauthorized access.
What alerts are needed?
SOC 2 compliant software vendors set up alerts to detect unauthorized access to customer data plus any other abnormal behavior related to a client's data. To avoid false alarms and unnecessary responses to them, vendors tune alerting so that it fires only when activity deviates from what is typical for the operating environment, with the thresholds and response steps written into documented policies and procedures that the auditor can test.
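To make the "alert only beyond what is typical" idea concrete, here is an added example (not Certemy's code and not part of the original article) that builds a per-user baseline from a window of access-log lines and then evaluates new lines against it under a documented policy. The log format, user names, IP addresses, client names and the policy thresholds are all constructed for illustration; a real deployment would read from the vendor's actual audit log and tune the thresholds to its own environment.

```python
"""Baseline-driven alerting over access-log lines.

Added example, not vendor code. The log format, users, IPs and policy
thresholds below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str       # ISO-8601 timestamp, e.g. 2023-01-20T09:30:00Z
    user: str
    src_ip: str
    client: str   # which customer's data was touched
    action: str

    @property
    def hour(self) -> int:
        return int(self.ts[11:13])


def parse_line(line: str) -> Event:
    """Parse the constructed 'ts key=value ...' log format."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(ts, f["user"], f["ip"], f["client"], f["action"])


def build_baseline(lines):
    """Per user: which source IPs, clients and hours of day are 'typical'."""
    base = defaultdict(lambda: {"ips": set(), "clients": set(), "hours": set()})
    for line in lines:
        e = parse_line(line)
        p = base[e.user]
        p["ips"].add(e.src_ip)
        p["clients"].add(e.client)
        p["hours"].add(e.hour)
    return dict(base)


# Documented policy (hypothetical values): a plain read needs two deviations
# from baseline to alert, but a sensitive action alerts on any single one.
POLICY = {
    "min_deviations": 2,
    "sensitive_actions": {"export", "delete"},
}


def deviations(baseline, e: Event):
    """List every way this event departs from the user's baseline."""
    prof = baseline.get(e.user)
    if prof is None:
        return ["unknown user"]
    out = []
    if e.src_ip not in prof["ips"]:
        out.append(f"new source ip {e.src_ip}")
    if e.client not in prof["clients"]:
        out.append(f"first access to client {e.client}")
    if e.hour not in prof["hours"]:
        out.append(f"unusual hour {e.hour:02d}")
    return out


def should_alert(baseline, e: Event, policy=POLICY):
    devs = deviations(baseline, e)
    if devs == ["unknown user"]:
        return True, devs
    if e.action in policy["sensitive_actions"] and devs:
        return True, devs
    return len(devs) >= policy["min_deviations"], devs


# Constructed sample data: a "normal" week used to learn the baseline ...
BASELINE_LOG = [
    "2023-01-16T09:05:00Z user=alice ip=10.0.0.5 client=acme action=read",
    "2023-01-16T10:40:00Z user=alice ip=10.0.0.5 client=acme action=update",
    "2023-01-17T14:20:00Z user=alice ip=10.0.0.5 client=acme action=read",
    "2023-01-16T09:30:00Z user=bob ip=10.0.0.7 client=beta action=read",
    "2023-01-18T13:10:00Z user=bob ip=10.0.0.7 client=beta action=read",
]
# ... and new lines to evaluate against it.
NEW_LOG = [
    "2023-01-20T09:30:00Z user=alice ip=10.0.0.5 client=acme action=read",     # normal
    "2023-01-20T15:00:00Z user=alice ip=10.0.0.5 client=acme action=read",     # one deviation only
    "2023-01-21T02:00:00Z user=bob ip=203.0.113.9 client=acme action=export",  # new IP, client, hour
    "2023-01-21T11:00:00Z user=mallory ip=10.0.0.9 client=acme action=read",   # never seen before
    "2023-01-20T10:15:00Z user=alice ip=10.0.0.5 client=acme action=export",   # sensitive but typical
]


def run(baseline_lines=BASELINE_LOG, new_lines=NEW_LOG, policy=POLICY):
    """Return (user, alert?, deviations) for each new log line."""
    base = build_baseline(baseline_lines)
    results = []
    for line in new_lines:
        e = parse_line(line)
        alert, devs = should_alert(base, e, policy)
        results.append((e.user, alert, devs))
    return results


if __name__ == "__main__":
    for user, alert, devs in run():
        print("ALERT " if alert else "ok    ", user, devs)
```

The point of the two-tier policy is the false-alarm problem the paragraph describes: alice working an hour later than usual is noted but does not page anyone, while bob exporting another client's data from an unknown address at 2 a.m. does. Whatever thresholds a vendor chooses, they belong in the written procedure the auditor reviews, not only in the code.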
Who must comply with SOC requirements?
No law requires SOC 2, but a current SOC 2 report has become a standard due-diligence requirement for most large or security-conscious organizations when selecting a software vendor that stores and processes that organization's valuable and sensitive client information in the cloud.
How often must a SOC-compliant software vendor be recertified?
A SOC 2 Type 2 report covers a fixed review period, so vendors typically commission a new audit every 12 months to keep the report current; for the months between the end of one period and the issue of the next report, vendors commonly provide a "bridge letter" stating that controls have not materially changed. When reviewing a partner, check the report's period-end date and ask for the bridge letter if it is more than a few months old. Annual re-examination gives organizations assurance that their software partners continue to maintain the SOC 2 data security standards over time, not just on one audit day.