What SOC 2 compliance means to your company - and why that might be too narrow a goal.
GOT A CONTRACT THAT HINGES ON SOC 2 COMPLIANCE? MAYBE THAT'S TOO NARROW A GOAL.
As today’s organizations grow, they serve more customers, or they serve other companies that do. Either way, this growth often mandates putting in place controls to comply with reporting on how they handle customer data—including SOC 2 controls. In fact, SOC 2 compliance is often an absolute requirement when a major industry player goes looking for a service provider. Some of these larger organizations want to move very quickly—they just want to see certification of SOC 2 compliance from potential vendors so they can move on to the next deal.
But compliance is more than a checklist and a piece of paper. For example, software company SolarWinds has an ISO 20001 Certification, yet a poorly set password resulted in one of the most egregious global data security breaches the world has ever seen. Is that what you want for your SOC 2 certification—it looks good until you have an “incident”?
Security-conscious customers can’t afford to trust their data to an organization that “claims” SOC 2 compliance. They need certainty. Completing a SOC 2 compliance checklist may get you there, and you might find an auditor that will give you a passing grade for meeting the bare minimum of requirements. But should simple SOC 2 compliance be your goal? We’d argue no. Your goal should be to create a real-world, pragmatic security program that not only results in SOC 2 compliance but is based on common security standards like NIST 800-53 and also meets the other common requirements and standards.
But before we go too much farther, let’s talk a bit about what SOC 2 is and why it’s so important.
WHAT IS SOC 2 AND WHY IS IT SO IMPORTANT?
The System and Organization Controls for Service Organizations (or SOC 2) was developed by the American Institute of CPAs (AICPA). It’s an auditing procedure used by service providers to prove they are properly handling the client data that’s been entrusted to them based on five principles—security, availability, processing integrity, confidentiality and privacy. Having a SOC 2 means that your security assertions have been verified by a third party.
SOC 2 compliance is applicable to all service providers, since they all have not only their own data to keep secure but also the data of their customers, and SOC 2 measures whether or not they have the controls in place to do that. Since every company is different, the controls each company puts in place to comply with SOC 2 standards can also vary. Of course, this means that there is no “one size fits all” checklist to follow, nor one set of controls that fits every company. The extent of a company’s SOC 2 compliance is established by independent auditors and regular audit reports.
A larger company can leverage its staff of accountants and other internal auditors to implement and monitor the controls it puts in place for SOC 2. However, compliance is crucial for any service provider, not only for the sake of the customers whose data is being handled but also for the company’s ability to win large-scale contracts with other enterprises and government entities.
WHAT IS REQUIRED FOR SOC 2 COMPLIANCE? AND WHAT IS IN A SOC 2 AUDIT REPORT?
The AICPA defined SOC 2 in terms of five broad categories related to handling customer data (referred to as trust service principles):
Security: This principle considers the steps you’re taking to protect your systems from unauthorized access. It looks at things like access controls, firewalls, intrusion detection and prevention.
Availability: This principle considers availability at a system level and looks at things like SLA-promised uptime, incident-handling protocols, network performance monitoring procedures, and network redundancies.
Processing integrity: This principle tries to answer the question, “Does your network deliver the data it says it will when it says it will?” Data processing and quality control procedures are critical in assessing processing integrity.
Confidentiality: This principle looks at how well you are restricting access to the data in your system and its safety once it’s accessed. Auditors here will consider things like how well the data is encrypted during transit as well as standard network safety tools and access controls.
Privacy: The final principle looks at your collection, use, and storage of personal information and whether or not you are complying with your posted privacy notice and the criteria put in place by AICPA. This also includes the handling of some personally identifiable information that, because of its sensitivity, requires additional levels of protection.
When you start a SOC 2 audit engagement, you have to choose which trust service principles you are going to audit against. Almost all audits include Security, which is also referred to as the Common Criteria. Some companies elect to do additional subsets, like Privacy, Availability and Confidentiality. Others do all of them. Some of the areas are more involved than others. For instance, meeting the Privacy requirements tends to be a heavier lift than Confidentiality. Sometimes contracts specify which criteria are required.
There are two types of SOC 2 audits. Both examine the effectiveness of the controls a service provider puts in place to address the selected trust service principles. The difference between the two is the time period that the auditor examines. A SOC 2 Type 1 looks at the controls at a given point in time or on a specific date. A SOC 2 Type 2 report examines that effectiveness over a given time frame, typically six or 12 months. This involves substantial evidence collection and can detect improvement or degradation in performance.
While either SOC 2 report will prove valuable, the rigor involved in a SOC 2 Type 2 report holds more weight because it does involve a detailed review of evidence over the audit window to confirm that controls have been implemented. That can be appealing for larger firms that deal with sensitive personal data—like those in insurance, finance, and healthcare—since it clearly signals they can trust you with their data and their customers’ data.
WHAT PREVENTS COMPLIANCE WITH SOC 2 (AND OTHER SECURITY STANDARDS)?
The fact is, most small companies simply don't know how to achieve SOC 2 compliance, much less the plethora of evolving data security and privacy standards.
Rather than approaching security comprehensively, they take an ad hoc approach. They address concerns as they present themselves—installing anti-virus software in response to a machine becoming infected, or sending out an online course on phishing scams after someone clicks on a suspicious link from a suspicious sender. All of those things are important, but they only address single issues in a reactive manner. While breaches can be difficult to prevent, protecting your data network needs to be a proactive practice.
This approach to data security is difficult for smaller organizations for a couple of reasons. First, IT and security are not synonymous. Just because someone is in IT doesn’t mean they are qualified to champion an organization’s security efforts. But too often, it’s the already-overworked IT teams that get saddled with yet another responsibility that they don’t have time for. Second, if there’s anything that security needs, it’s time. Building out an actual security program, one that can pass compliance muster, isn’t something that happens overnight. It takes time and resources to learn, develop, implement, and maintain a plan that checks the right boxes for that company, one that hardens systems in all the ways that matter and stays up to date with the latest applicable standards. It’s an intimidating problem.
IT’S NOT ABOUT NEEDING A PARTICULAR CERTIFICATE. IT'S ABOUT THE NEED FOR A BROAD SECURITY PROGRAM.
Obviously, SOC 2 compliance is important if you’re to protect your customers and grow your business. The problem with approaching security and privacy as just a SOC 2 compliance project is that it is too limiting. For one thing, SOC 2 is not a “once and done” thing but a long-term commitment—and the standard will undoubtedly evolve over time. Not only that, but most companies require you to perform the actual audit on an annual basis.
At SecurityProgram.io, we know all about SOC 2 and bringing our customers into compliance as quickly as possible. But we’ve built our SecurityProgram.io (SPIO) compliance management software platform to help companies independently build their own legitimate security and privacy programs that meet all the emerging industry standards and customer requirements.
Let's help you build a foundational security program, then when these security compliance mandates come along (SOC 1, SOC 2, NIST, CMMC, ISO 27001—the list goes on and is growing) you don't have to worry about yet another one-off project.
MEET OUR CLIENTS
The team at Brighthive builds a data integration platform to help states build better and more integrated services for their citizens. The platform is open, but the data it processes is sensitive—including personal information.
When Brighthive started working with SecurityProgram.io, they quickly reached a level of maturity that allowed them to continue their engagement with state governments that used a tailored version of NIST 800-53 controls to evaluate their IT partners.
As time passed and their engagements with states deepened, Brighthive was asked to complete a SOC 2 audit. Using SPIO and with the support of our team, they prepared for the audit, selected an auditor, performed a gap assessment, and have completed the SOC 2 Type 1 audit. Their SOC 2 Type 2 is underway.
What the Brighthive engagement highlights is the benefit of having a structure in place, with supporting collaboration available as needed.
“Securityprogram.io has helped us to prepare for complex security review processes. We have a security team at our disposal for less than the cost of a full-time security professional.” -- Tom Plagge, the CTO at Brighthive
REACH SOC 2 COMPLIANCE IN RECORD TIME WITH SECURITYPROGRAM.IO
Take the first step. See for yourself how securityprogram.io can provide both a platform to run your SOC 2 compliance program and a Virtual CISO to help you do all the work (not to mention facilitating compliance with other applicable standards for your industry). So, next time a customer asks—or it’s time for an audit—you can answer with confidence.