SOC 2 compliance, like so many things related to IT and security, is chock full of terms and acronyms to learn. If you are just getting started with SOC 2, it’s helpful to get familiar with this alphabet soup ahead of time so you can move your compliance efforts forward with confidence.
Below is a SOC 2 terminology glossary to get you started:
AICPA
The American Institute of CPAs (AICPA), formed in 1887, sets the U.S. auditing standards for non-profit organizations and private companies, as well as state, federal and local governments. The institute has more than 430,000 members coming from various areas of practice and expertise.
Control mapping
There are many security frameworks available for organizations to map to, including the Critical Security Controls, HIPAA, the NIST Cybersecurity Framework, SOC 1/SOC 2 and more. Some organizations may have to follow several frameworks for compliance reasons. Control mapping involves listing out your organization’s risks and then mapping out which controls address those risks.
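A control map is only useful if you can see its gaps: risks with no control behind them, risks that point at controls nobody documented, and frameworks that a risk is not covered for. The script below is an added example (not code from the original article) that checks a risk-to-control map for exactly those gaps. The risks, controls and framework labels are constructed sample data, and the control IDs are placeholders rather than citations of any real framework.

```python
"""Control-mapping gap check.

Added example: the risks, controls and framework labels below are constructed
sample data, and control IDs such as C-01 are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    frameworks: frozenset  # frameworks this control is mapped to (constructed labels)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    controls: frozenset  # IDs of the controls that address this risk


# Constructed sample inventory.
CONTROLS = [
    Control("C-01", "MFA on all remote and administrative access",
            frozenset({"SOC 2", "NIST CSF", "CIS Controls"})),
    Control("C-02", "Encryption of customer data at rest",
            frozenset({"SOC 2", "HIPAA", "PCI-DSS"})),
    Control("C-03", "Daily backups with quarterly restore tests",
            frozenset({"SOC 2"})),
]
RISKS = [
    Risk("R-01", "Credential theft via phishing", frozenset({"C-01"})),
    Risk("R-02", "Exposure of customer records from a lost disk", frozenset({"C-02"})),
    # C-99 is referenced but never defined: a typical map-maintenance error.
    Risk("R-03", "Ransomware destroys production data", frozenset({"C-03", "C-99"})),
    Risk("R-04", "Insider modifies billing records", frozenset()),
]


def dangling_references(risks, controls):
    """Risks that cite control IDs which do not exist in the control inventory."""
    known = {c.control_id for c in controls}
    return {r.risk_id: sorted(r.controls - known) for r in risks if r.controls - known}


def unmitigated_risks(risks, controls):
    """Risks with no real (defined) control addressing them."""
    known = {c.control_id for c in controls}
    return sorted(r.risk_id for r in risks if not (r.controls & known))


def framework_gaps(risks, controls, required_frameworks):
    """For each framework you must comply with, the risks with no control mapped to it."""
    by_id = {c.control_id: c for c in controls}
    gaps = {}
    for fw in required_frameworks:
        gaps[fw] = sorted(
            r.risk_id for r in risks
            if not any(fw in by_id[cid].frameworks for cid in r.controls if cid in by_id)
        )
    return gaps


def coverage_report(risks=RISKS, controls=CONTROLS, required_frameworks=("SOC 2", "HIPAA")):
    """Bundle the three checks into one report suitable for an audit-prep review."""
    return {
        "dangling": dangling_references(risks, controls),
        "unmitigated": unmitigated_risks(risks, controls),
        "framework_gaps": framework_gaps(risks, controls, required_frameworks),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(), indent=2))
```

On the sample data the report flags R-04 as unmitigated, R-03 as citing the undefined C-99, and shows that while every mitigated risk has a SOC 2 control, three of the four risks have nothing mapped to HIPAA. Treating the map as data that a script can validate keeps it honest between audits.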
Cloud service provider
A cloud service provider (sometimes abbreviated as CSP) offers Internet-based computing services that individuals and businesses can consume - typically on a subscription basis. These services are usually offered in three different categories:
- IaaS - Infrastructure as a Service
- PaaS - Platform as a Service
- SaaS - Software as a Service
CPA
A CPA is a Certified Public Accountant - someone who often serves as an auditor, business advisor or other key decision maker. A CPA is required to pass the CPA exam, meet the necessary work experience requirements and take regular professional education courses to keep their certification in good standing.
FedRAMP
FedRAMP (the Federal Risk and Authorization Management Program) is a government-created program that provides a NIST-based standardized security assessment for cloud services and products. FedRAMP is similar to SOC 2 - the key difference is that while FedRAMP is concerned primarily with cloud-based providers, SOC 2 assesses all third-party providers.
HIPAA
HIPAA is the Health Insurance Portability and Accountability Act, a United States law developed by the Department of Health and Human Services. HIPAA aims to protect our medical and health information, but does not attest to an organization’s privacy and security controls - which is the job of SOC 2.
IaaS
With Infrastructure as a Service, a cloud provider will host the components you would traditionally have on your local or data center network, such as servers, firewalls, routers, switches, storage and virtualization. The provider will have large pools of these resources available so you can scale them up and down as your needs change.
Internal corporate governance
Internal corporate governance mechanisms are set up to ensure that management acts in the best interest of the company’s owners. Some examples of governance mechanisms include setting up a board of directors, establishing codes of conduct and engaging in regular internal auditing.
ISO
ISO, which stands for International Organization for Standardization, is heavily focused on making sure your organization's technical and security components are up to snuff, but does not play a part in ensuring an organization operates legally and ethically. For example, ISO will require you to follow a strict password policy just like SOC 2. However, if you allow your employees to defraud customers, SOC 2 will frown on it, but ISO doesn’t care.
NIST
The National Institute of Standards and Technology (NIST) publishes a set of technically focused practices recognized by US federal agencies. These practices have some overlap with those in ISO, but are also aligned with FISMA (the Federal Information Security Management Act). If you are going to be doing business with government agencies, you want to get NIST certified.
PaaS
Platform as a Service is especially popular with developers. Similar to IaaS, PaaS offers the computing resources you need to run a comprehensive virtual network, but with the addition of the operating systems, development tools, databases and other management software needed to build applications and services.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is the information security framework that organizations handling credit cards must adhere to. The standard is overseen by the Payment Card Industry Standards Council, which created the standard to protect cardholder data and reduce fraud. Organizations following PCI-DSS must have an annual assessment to validate compliance.
PII
PII stands for personally identifiable information, and is generally considered to be any data that could identify a particular individual, or distinguish one person from another. Examples of PII include full name, home address, email address, fingerprints, handwriting, date of birth and phone number.
Policy
A policy contains statements and plans that an organization follows to make decisions. A good SOC 2 program contains concise, well-written policies covering a variety of topics, including:
This policy, which is focused only on technical infrastructure, aims to minimize your organization's risk of data exposure by enforcing the principle of least privilege.
The business continuity policy maps out a plan to keep your business running after a disruptive event.
The change management policy sets expectations for how changes to systems will be documented and communicated to appropriate parties.
This policy sets expectations as to how your organization will handle sensitive client information.
The cyber risk management policy focuses on identifying security incidents that could happen based on incidents that happened in the past.
The data center security policy details procedures needed to prevent unauthorized access to your organization’s data center.
This policy helps your organization create security policies around your company data based on its sensitivity.
Disaster Recovery Policy
The disaster recovery policy is similar to the business continuity policy, but the difference is in the goal of each policy: business continuity aims to return your business to normalcy, while disaster recovery maps out the functions your business needs to maintain during a crisis.
The encryption policy provides guidance on how and where your organization will deploy encryption.
This policy is the cornerstone of your security program, and declares your mission is to protect the confidentiality, integrity and availability of the organization’s information and information systems.
The IT vendor management policy helps your organization identify vendors that pose a risk to the organization, and defines controls to minimize those risks.
This policy ensures your organization is collecting logs from key endpoints, that the logs contain adequately verbose data, and that log collection is tested regularly.
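A logging policy is only as good as the evidence that collection is actually working, so it helps to turn its three requirements (every key endpoint is reporting, entries carry the fields you need, collection is tested regularly) into a check you can run on a schedule. The script below is an added example, not code from the original article: it reads a handful of constructed JSON-lines log entries, and reports required endpoints that have sent nothing, endpoints whose latest entry is older than an assumed freshness window, entries missing required fields, and lines that did not parse. The endpoint names, field names, one-hour window and sample entries are all assumptions made for the example.

```python
"""Log-collection health check for a logging policy.

Added example. Endpoint names, required fields, the freshness window and the
sample log lines are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed policy parameters.
REQUIRED_ENDPOINTS = frozenset({"web-01", "db-01", "vpn-01", "fw-01"})
REQUIRED_FIELDS = frozenset({"ts", "host", "event", "user", "src_ip"})
MAX_AGE = timedelta(hours=1)

# Constructed sample: one fresh complete entry, one missing a field,
# one stale entry, and one line that is not JSON. fw-01 never reports.
SAMPLE_LOG = """\
{"ts": "2024-05-01T11:58:00Z", "host": "web-01", "event": "login", "user": "alice", "src_ip": "203.0.113.5"}
{"ts": "2024-05-01T11:59:10Z", "host": "db-01", "event": "query", "user": "svc_app"}
{"ts": "2024-05-01T09:30:00Z", "host": "vpn-01", "event": "connect", "user": "bob", "src_ip": "198.51.100.7"}
not json at all
"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing Z is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_lines(text):
    """Return (records, malformed_count); bad lines are counted, not dropped silently."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not an object")
            records.append(rec)
        except ValueError:
            malformed += 1
    return records, malformed


def check_log_collection(text, now, required_endpoints=REQUIRED_ENDPOINTS,
                         required_fields=REQUIRED_FIELDS, max_age=MAX_AGE):
    """Evaluate the three policy requirements against a batch of log lines."""
    records, malformed = parse_lines(text)
    latest = {}       # host -> most recent timestamp seen
    incomplete = []   # (host, [missing fields]) for entries lacking required data
    for rec in records:
        host = rec.get("host", "<unknown>")
        missing = sorted(required_fields - set(rec))
        if missing:
            incomplete.append((host, missing))
        if "ts" in rec:
            t = parse_ts(rec["ts"])
            if host not in latest or t > latest[host]:
                latest[host] = t
    missing_endpoints = sorted(required_endpoints - set(latest))
    stale_endpoints = sorted(h for h, t in latest.items()
                             if h in required_endpoints and now - t > max_age)
    return {
        "missing_endpoints": missing_endpoints,
        "stale_endpoints": stale_endpoints,
        "incomplete": incomplete,
        "malformed": malformed,
    }


def is_compliant(result):
    """True only when every check in the result is clean."""
    return not (result["missing_endpoints"] or result["stale_endpoints"]
                or result["incomplete"] or result["malformed"])


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    report = check_log_collection(SAMPLE_LOG, now)
    print(json.dumps(report, indent=2), "compliant:", is_compliant(report))
```

Run against a real export, the same function becomes the "tested regularly" part of the policy: schedule it, keep its output as evidence, and alert when `is_compliant` turns false. A database host that logs queries without a source address, or a VPN gateway that has gone quiet for hours, are exactly the gaps an auditor will ask about.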
The office physical security policy defines the controls and monitoring procedures around physical assets.
The password policy defines how your organization will select and securely manage passwords.
In this policy, you will define how your organization will access the company network and resources from anywhere without sacrificing security.
In this policy, your organization establishes guidelines for how employees can use removable media, cloud storage and BYOD devices while keeping company risk to a minimum.
The software development lifecycle policy lays out requirements for developing and/or implementing new software and systems while making sure all work is compliant with any necessary regulatory guidelines.
The workstation security policy creates rules around workstation use in order to reduce your organization’s risk of data loss and exposure.
Regulatory oversight
An organization is under regulatory oversight if it is supervised by an outside body in order to control or direct it according to principle, rule or law.
Risk management processes
This exercise will help an organization identify and prioritize risks (such as breaches, system failures and natural disasters) and then create strategies for minimizing the impact to business.
SaaS
Software as a Service is a model in which a third party hosts applications and data that are consumed over the Internet, typically on a subscription basis. Dropbox, Spotify and WebEx are examples of SaaS offerings.
SAS 70
The Statement on Auditing Standards 70 used to be the audit used to assess the effectiveness of an organization’s internal controls. But when organizations also started to use SAS 70 to attest that a vendor was safe to do business with, the SSAE 16 (Statement on Standards for Attestation Engagements 16) took its place, and SOC 2 was started as a report focused strictly on security.
SOC
SOC, which was created by the AICPA, stands for Service Organization Control. SOC is a framework to guide organizations in shoring up their security controls in the cloud and in their data centers. SOC comes in several “flavors”:
- SOC 1 focuses on a company’s financial reporting
- SOC 2 centers around the controls a company uses to protect their customers’ data
- SOC 3 is similar to SOC 2, but written in layman's terms for a general audience
SOC is also offered in several types:
- SOC 2 Type 1 - this is a point-in-time snapshot of your organization’s controls, which are tested and validated for effectiveness
- SOC 2 Type 2 - this is similar to SOC 2 Type 1 except the controls are examined over a longer period of time (typically 12 months)
SSAE 16
The Statement on Standards for Attestation Engagements 16 report is what replaced the SAS 70 after SOC 2 was introduced as a report focusing only on security.
Trust Service Principles / Trust Services Criteria
SOC 2 is heavily based in criteria called the Trust Services Principles (which were renamed to the Trust Services Criteria in 2018). These principles, defined by the AICPA, are:
- Security - data and systems need protection from anything that could compromise their privacy, integrity, confidentiality and availability
- Availability - systems should be available at all times for use
- Processing integrity - accurate, authorized system processing must happen - and in a timely manner
- Confidentiality - any information deemed confidential needs to have proper protections surrounding it
- Privacy - if personal information is collected, stored or processed, it needs to be handled and disposed of with appropriate controls