Tackling SOC 2 in 2022? Start Here
A primary risk when organizations migrate to the cloud is the potential for breaches of sensitive information stored in systems the organization does not directly control. This includes personally identifiable information (PII), financial or business records and protected health information. Various regulatory frameworks, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and the Health Insurance Portability and Accountability Act govern customer data privacy in the digital sphere.
SOC 2, however, is widely held as the standard for data security for cloud-based service providers.
This article introduces the SOC 2 framework and explores best practices for compliance. These topics are also covered in strongDM’s comprehensive SOC 2 guide, which addresses the Trust Services Criteria, SOC 2 reports, compliance recommendations and best practices.
What Is SOC 2?
The System and Organization Controls (SOC) 2 report is an evaluation and reporting framework developed by the American Institute of CPAs (AICPA). It is used by auditors to evaluate a service organization’s internal controls against the Trust Services Criteria (TSC), also developed by the AICPA. A completed SOC 2 report can be used by any organization to evaluate the risk of outsourcing a service to a provider of cloud computing models such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). Any organization that provides these services and stores customer data in the cloud is encouraged to seek a SOC 2 report.
The TSC and SOC 2 reports are philosophy-based frameworks rather than compliance checklists. Though they define the criteria that should be met (security policies, procedures and access controls), it is up to the service organization to design and write the controls it will be evaluated against, allowing it to account for its own structure, objectives and industry.
That said, compliance with TSC and a SOC 2 report are generally the minimum requirements used when evaluating the security controls of a cloud-based service provider.
What You Need for SOC 2 Compliance
A SOC 2 report evaluates a service organization against three to five trust services criteria to ensure the security of customer data and systems in the cloud. The five criteria are:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Unlike other compliance standards, such as those specified by the PCI Security Standards Council, the TSC does not require its adopters to comply with all five service criteria. Instead, it provides the freedom to design security controls to best fit their service objectives. For example, suppose a cloud provider stores but does not process client information in its data centers. In this scenario, the processing integrity requirement would be irrelevant.
SOC 2 Types
To comply with the Trust Services Criteria framework, independent auditors must assess organizations according to the AICPA’s specific professional standards. The auditor can prepare two different auditing reports — Type I and Type II — to measure an organization’s adherence to the Trust Services Criteria. In both types of reports, the service organization prepares a system description and inventory of controls and provides these to the external auditor.
SOC 2 Type I
A Type I report focuses on determining whether the system description and inventory of controls presented by the service organization to the auditor are accurate and that the controls are suitably designed to meet the requirements of the Trust Services Criteria.
SOC 2 Type II
A Type II report includes the same assessments of the system description and suitability of the controls design as the Type I report but also goes much further to report on whether the presented controls were operated effectively throughout the observation period (typically one year). A service organization will have to gather and present evidence to the auditor to prove that not only did the control exist, but that the organization actually performed the actions described in that control.
SOC 2 Trust Services Criteria
To obtain a favorable SOC 2 report, your policies, controls and processes must fulfill the following Trust Services Criteria:
Security
The security category includes all required access controls, processes and procedures to prevent unauthorized access to protected resources (data and systems). Firewalls, intrusion detection and prevention systems, antimalware tools and multifactor authentication are essential security measures that safeguard customer data in the cloud.
For example, an organization may install a network detection and response solution to continually monitor interactions between its on-premises network and cloud environment. This approach ensures that threat actors, such as advanced persistent threat and ransomware operators, cannot easily access, modify or delete cloud data — even if they successfully gain access to one of the organization’s endpoint devices.
Physical security is also an element of the security criterion. Compliant measures ensure the safety of cloud IT infrastructure and data centers from various risks, including theft, sabotage and natural disasters. Typical physical security controls include security guards, biometric authentication and surveillance cameras to protect buildings from unauthorized access.
Availability
The availability criterion addresses the security and operational requirements that ensure uninterrupted client access to systems and data. For example, network performance-monitoring tools, incident response plans and data recovery plans are all critical for supporting availability.
Different organizations may require multiple solutions to meet the availability criterion. These might include:
- Installing a network monitoring solution, such as Nagios Core, OpsGenie or Datadog, to monitor network performance continually.
- Implementing a failover solution to instantly replace critical systems, data and devices in case of failure or cyberattack.
- Implementing a backup and recovery strategy to speed up the recovery from cybersecurity incidents, such as ransomware attacks.
Processing Integrity
Processing integrity means ensuring that the data-processing system performs its task as required and without unauthorized interference, delay or manipulation by any party.
For example, a cloud provider might implement several encryption techniques to retain the integrity of the stored data and prevent unauthorized access.
Confidentiality
The confidentiality criterion ensures that all types of private data, such as client data, trade secrets and proprietary information (for example, program source code), remain confidential. This data should be accessible only to authorized parties, in accordance with the relevant laws, contracts and service-level agreements.
When a cloud provider stores and processes confidential client information, it should prepare a plan for securing this data. For example, a typical control could use an identity and access management solution to govern employee access permissions to protected resources.
A Basic Auditing Plan
Any service provider or organization that processes or stores data on behalf of a customer can work toward meeting the Trust Services Criteria and obtain a SOC 2 report. The following is a sample approach.
In the first phase, the auditing firm or in-house team gathers information. The auditors might start by creating an employee questionnaire designed to build a holistic view of company structure and function. This may include, but is not limited to:
- Business processes
- System infrastructure types and locations (on premises or in the cloud)
- Security, governance and engineering policies
- Types of security controls to prevent unauthorized access to digital assets
- Presence of an incident response plan in the event of a data breach or security interruption
Validating the Efficacy of Current Processes
Once the auditors gain insight into company processes and security protocols, they must verify that these functions adhere to the company’s official documentation. This involves asking for evidence that processes were performed according to spec, policies were adhered to and controls were operated as written and intended.
The auditors review the evidence provided by the organization, compare it to the documentation they originally received and compare both of those to the Trust Services Criteria to assess whether the organization really does meet the standards the AICPA has set.
During this phase, the company should address and remediate any discovered gaps identified by their audit team so they can meet the Trust Services Criteria going forward.
Finally, the auditing firm issues a concluding report that contains an assessment of the company’s security controls and processes regarding the relevant Trust Services Criteria.
Formulate Your Own Compliance Strategy
In contrast to the Payment Card Industry Data Security Standard and GDPR standards, compliance with the Trust Services Criteria is not mandatory, nor is obtaining a SOC 2 report. However, adhering to this additional standard demonstrates to your potential clients that your business assigns the utmost importance to the security, confidentiality and availability of their data.
Now that you know more about the Trust Services Criteria and the SOC 2 reporting framework, and have seen a sample auditing approach, you can formulate a compliance strategy that suits the needs of your organization.