Why you need SOC2 compliance as a third party vendor
Márk Félegyházi (CEO, Avatao)
2021 has brought an epidemic of breached client records, compromised credit card numbers, and deleted proprietary data. Reported security breaches rose more sharply this year than ever before, with the incidents at Colonial Pipeline, Brenntag, and Acer among the largest.
What is SOC2?
As an IT professional you’ve likely developed security protocols in response to increased data theft, extortion, and malware installation. But if your company is a third-party service provider, you need to do more than just create protocols: you also need to communicate your data controls to your clients.
Companies understand that the way you handle data security has a direct impact on their bottom line. This has led many companies to require their vendors to provide a SOC2 report. (It is often loosely called a “certificate”, but strictly speaking a SOC2 is an attestation report issued by an independent auditor, not a certification.) SOC2 audit reports review a third-party service provider’s:
- IT security environment
- Protection and privacy of sensitive data
- Controls over the infrastructure, software, people, procedures, and data used in providing products and services
- Design and operating effectiveness of IT security system controls
- Risks of a business relationship
For your clients, a clean SOC2 report instills trust in your company. It shows that you successfully apply security controls to keep their data safe. Your clients will know you manage data securely and protect both the interests of their organization and the privacy of their data. Such a report helps when you are competing with other vendors for a contract, or trying to increase customer loyalty and satisfaction.
Additionally, SOC2 reports help your clients with their own compliance. Newer regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are driving the need for SOC reporting.
If your clients are public companies, SOC2 reporting helps them comply with Sarbanes-Oxley (SOX) requirements.
Who completes an SOC2 and what do they assess?
SOC2 reports are issued by outside auditors in order to maintain objectivity. Make sure these auditors are part of a licensed CPA firm that specializes in information security.
A SOC2 Type II audit covers an observation period of about 6 to 12 months, during which you must retain evidence that your controls actually operated (a Type I report only assesses the design of your controls at a single point in time). Auditors assess your IT systems and processes as well as their compliance with one or more of the following SOC trust principles:
- Security: both physical and electronic security protocols
- Availability: ability for customers to access data according to their contract
- Processing Integrity: transaction safeguards
- Confidentiality: restriction of access to data when it is stored, transferred, and accessed
- Privacy: how your organization collects and uses customer information
These principles will be described in detail in the next section.
Most security standards, like PCI DSS, have firm specifications. SOC2 reports, by contrast, differ from organization to organization depending on their specific business practices. The one fixed rule is that the Security principle is always in scope; the other four principles are included depending on the commitments you make to your customers.
1. Security
Security is the most commonly tested trust principle in a SOC2 report, and the only one that every report must cover. Security entails protecting system assets against unauthorized access that could compromise the availability, integrity, confidentiality, and privacy of proprietary data. Such unauthorized access includes disclosure of information and damage to systems.
Tips on how to improve security:
- Create access controls
- Use IT security tools like
2. Availability
Availability measures whether the system, products, or services are accessible as committed in the contract or service-level agreement. Be mindful that this principle does not cover the functionality or usability of the system.
Tips on how to improve availability:
- Monitor network performance and availability, site failover, and security incident handling
- Create Incident Response Plans (IRP)
- Create Business Continuity Plans (BCP)
- Create Disaster Recovery Plans (DRP)
3. Processing integrity
Processing integrity addresses whether a system delivers the right data at the right price at the right time. Data processing must be complete, valid, accurate, timely, and authorized (the AICPA’s definition of the principle).
Note that this principle does not cover errors in data that occurred before it was input into the system.
Tips on how to improve process integrity:
- Monitor data processing
- Establish quality assurance procedures
4. Confidentiality
In order to maintain confidentiality, your client’s data must be protected and access to it restricted to authorized persons. This principle is especially relevant if your company handles information your clients designate as “confidential”. It does not cover personal data, which falls under the Privacy principle.
Examples of important confidential data include business plans, intellectual property, internal price lists, and financial information.
Tips on how to improve confidentiality:
- Use encryption during data transmission
- Leverage network and application firewalls
- Create rigorous access controls
5. Privacy
Privacy addresses the system’s collection, use, retention, disclosure, and disposal of personal information. You should make sure you comply with your own privacy notices and with the criteria of the AICPA’s Generally Accepted Privacy Principles (GAPP).
Personally identifiable information (PII) is data that distinguishes an individual, for example a name, address, or Social Security number. Sensitive personal data about health, race, sexuality, and religion requires additional levels of protection.
Tips on how to improve privacy:
- Instill controls to protect all PII from unauthorized access
Prepare Your Organization for an SOC2 Audit
Let’s review a few important steps you need to take towards a successful SOC2 audit:
Select Your Principles
Consider what data you house and what you do with that data. Based on this, select the principles to be audited. If you’re having difficulty picking the principles, ask for help from your CPA Firm.
Ask for a Readiness Assessment
If this is your first SOC2 audit, be sure to get a Readiness Assessment before the actual audit. A readiness assessment gives you an opportunity to identify possible gaps in principles so you can improve before the official audit. We recommend partnering with your CPA firm whenever possible for the Readiness Assessment, as this ensures objectivity.
Document Your Policies and Procedures
Ensure you have up-to-date and comprehensive written policies and procedures. Make sure these policies and procedures are monitored, enforced, and periodically updated. Your auditor will not only assess whether the policies and procedures address the applicable principles, but also test whether they have been communicated to staff and are actually being followed.
Train Your Teams
The most important part of a successful SOC2 audit is training, and that training should focus on the trust principles relevant to your business. Developers, IT, organizational management, as well as internal and external stakeholders should all be included. It’s important not just to educate your staff on SOC2 compliance, but also to let them practice the procedures in real-world simulations.
How do I start training my staff? Avatao courses will teach you and your developers how to become SOC2 compliant.
Copyright © 2021 Avatao