Protecting customers' data is a concern for all organizations regardless of industry or size. Most organizations outsource key aspects of their business to third-party vendors such as Software-as-a-Service (SaaS) solutions or cloud hosting providers (i.e. Amazon Web Services). As companies continue to share the responsibility of protecting sensitive data, there is increased importance and scrutiny on the cybersecurity practices implemented at these organizations.
Third-party assessments are a common way in which organizations prove their cybersecurity practices to vendors, customers, and prospects. SOC 2 examinations have become one of the de facto standards for organizations to prove how there are securely managing their customers' data to protect their interests and privacy. For most organizations conducting business with a SaaS provider, a SOC 2 examination is a minimum requirement. SOC 2 reports are common for other service organizations as well such as law firms, marketing agencies, accounting firms, healthcare organizations, and more.
SOC 2 is a reporting framework developed by the American Institute of Certified Professional Accountants (AICPA) intended to meet the needs of a broad range of customers or vendors that require information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. SaaS or other service organizations utilize these reports to assist with:
- Vendor due diligence
- Demonstrating security as a differentiator
- Internal corporate governance and risk management processes
- Proving security to a regulatory body or governing authority
SOC 2 examinations involve a Certified Professional Accounting (CPA) firm assessing an organization's information security and privacy control environment. The assessment includes a description of the controls, the tests performed to assess them, and the results of these tests.
Trust Services Categories
One of the first decisions an organization has to make when pursuing a SOC 2 examination is which Trust Services Categories (TSC) will be in scope. These five categories outline the controls and topics the service organization will be evaluated against. In a SOC 2 examination, all organizations must include the Security TSC whereas the availability, processing integrity, confidentiality, and privacy TSCs are optional. The TSCs are described below:
Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
Availability. Information and systems are available for operation and use to meet the entity's objectives.
Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
Confidentiality. Information designated as confidential is protected to meet the entity's objectives.
Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
Types of SOC 2 Reports
In a SOC 2 examination, organizations can undergo a SOC 2 Type 1 or SOC 2 Type 2 examination. A Type 1 examination is a report on the controls at a service organization at a specific point in time, whereas, a Type 2 examination is a report on the controls at a service organization over a period of time. The period of time evaluated in a SOC 2 Type 2 examination is typically between 3-12 months.
How often are these examinations performed?
A SOC 2 Type 1 examination is generally only performed once. The common scenario for Type 1 examinations is when organizations are undergoing the SOC 2 process for the first time and need a SOC 2 report as soon as possible. After the Type 1 is completed, the Type 2 reporting period immediately begins. For example, if an organizations' Type 1 report has a report date of December 31, 2019, the Type 2 reporting period would begin January 1. A SOC 2 Type 2 examination is an annual activity for organizations.
Potential and existing customers want to know that organizations have taken all necessary measures to protect the sensitive data processed by the service. SOC 2 examinations, facilitated by an independent CPA firm, enable the service organization to demonstrate the safeguards in place that are relevant to the security, availability, processing integrity of the systems used to process sensitive data and the confidentiality and privacy safeguards in place to protect the data. These reports allow organizations to demonstrate security as a differentiator, accelerate the vendor due diligence process by undergoing one audit to respond to multiple customer requests and, most importantly, assess the information security risks your organization is facing.