What Is SOC?
System and Organization Controls (SOC) is a standardized way of evaluating service companies and their compliance efforts. The evaluation is performed by CPAs (Certified Public Accountants) through an audit process.
A SOC report is the outcome of the audit. These reports allow organizations to evaluate a service company’s commitment to compliance in a standardized way, and so build trust and confidence. The report also enables companies under the service organization’s care to know whether the services being provided to them are effective and helpful to their users.
But what is a service organization? Service organizations are businesses that offer outsourcing of essential functions used to help run your business. For example, a company that provides financial transaction services for restaurants, banks, and brokers is considered a service organization. SOC reports allow the customers of such a financial transaction company to know how its services are performed and whether anything needs to be fixed within its system.
The Two Types of SOC 2 Reports
SOC 2 reports come in two types:
- SOC 2 Type 1 – A point-in-time evaluation of the service organization’s controls against the Trust Services Criteria
- SOC 2 Type 2 – The same as SOC 2 Type 1, but tested over a period of time, generally a quarter, to ensure that the system is working.
Here is a more focused look at these types of reports:
SOC 2 Type 1 Report
SOC 2 steps up the game, moving beyond CPA-driven financial principles into other domains of trust called the Trust Principles.
What Are the Trust Principles?
The trust principles are as follows:
- Security. How secure is the system against those seeking unauthorized access?
- Availability. How accessible are the services/products that the service organization offers to the user?
- Processing Integrity. Does the system meet, or will it meet, its intended duties?
- Confidentiality. Is the data encrypted so that only authorized users can understand its meaning?
- Privacy. How well does the system collect, use, store, and dispose of information in a way that protects it from unauthorized users or other systems?
The SOC 2 Type 1 report shows that, at a point in time, the service organization had processes and controls in place to cover the Trust Services Criteria (TSC) principles tested for in the report.
SOC 2 Type 2 Report
A Type 2 report is the same as a Type 1 report, but the controls are tested through an audit over time. The audit is a systematic and independent examination of the service provider’s ability to manage its clients’ data securely, and it allows the provider to guard the interests of the client’s organization. It also covers the protection and privacy of the clients’ own users. The American Institute of Certified Public Accountants (AICPA) designed and developed the audit. The Type 2 report shows that the service organization has the processes in place, has tested them over time, and is actually using them.
SOC 2 Certification
SOC 2 audits are always issued and carried out by outside auditors to ensure that the results are fair and have not been tampered with. This helps to ensure that there is no biased data. These audits, built to illustrate how the service organization is following the five trust principles, allow the user of the service organization to get an outside view. This is vital, as the user needs to feel free to leave the service organization if it is not performing to a standard that meets the user’s needs. Each SOC 2 report is unique to the individual user.
The 5 Trust Principles in Further Detail
To better understand what the service provider is seeking to accomplish for their users, it is essential to know the five trust principles.
Security refers to the system’s ability to keep unauthorized users away from a company’s data. A service organization is responsible for creating a system with access controls to protect the system from theft, abuse, or alteration. Security can be accomplished through IT security measures, such as creating a secure network or deploying firewalls.
Availability shows the accessibility of the system, products, or services to the users. When a service organization and a user begin working together, a contract, also known as the service level agreement, sets a minimum acceptable performance level for the system. This serves as a way for the user and service organization to determine how well they are doing within any given audit period. However, it does not address how well the system functions or how user-friendly it is. Availability here refers only to the user’s ability to access the security-related functions that protect their data. It is accomplished by monitoring network performance and how available the network is at any given time. A service organization’s ability to handle security incidents quickly and thoroughly is critical for this principle.
Processing integrity sets the standard for whether or not a system is achieving its intended purpose. It answers the question, “Is the data being delivered at the right time to the right place?” For any company, it is essential that data processing be complete, thorough, up to date, and promptly handled by authorized personnel only.
It is important to remember that this is not the same as data integrity. If the data contained errors before it was input into the system, it is up to the user, not the service organization, to catch those errors. The service organization is only responsible for monitoring and handling data once it has been entered into the system.
Confidentiality requires service organizations to ensure that the data placed into their care remains confidential and restricted. In other words, only those who have permission should be able to access any of the data. Therefore, service organizations encrypt data to ensure it cannot be read by prying eyes while it is in transit. Other safeguards such as secure networks, firewalls, and access controls are used to strengthen the defense of the information processed and later stored in the system.
Privacy covers the system’s collection, use, disclosure, and disposal of personal information in accordance with the user’s privacy notice. It also uses the criteria set by the AICPA’s generally accepted privacy principles. This ensures that the user’s and their clients’ information remains protected and secure, staying between the parties currently using it for their purposes. Information that generally falls under the privacy principle includes:
- Social Security Number
- Data related to sensitive health information
A Team That Cares
When it comes to finding the right IT outsourcing team to keep your data secure, no one is better than Blue Jean Networks. Our team understands the importance of maintaining the trust between you and your clients. We work endlessly to develop new and innovative ways to ensure that your system is up to date, secure, and ahead of the data pirates that are scouring the web. Contact us today to learn more about our services and get a complimentary consultation about setting up a secure and reliable IT team for your company!