If you sell software to businesses, clients will probably start asking whether you're SOC 2 compliant. Why? Because it's a convenient way to confirm you have *some* maturity around security best practices.
What SOC 2 is not!
You should not confuse SOC 2 compliance with actual security best practices. Although it covers the core departments and processes that interact with sensitive data, it does not stipulate standards. It merely confirms that the processes you self-declare are actually being followed in practice. Some might argue that's a little like the fox guarding the hen house. Importantly, this is not a government-regulated certification. There are no penalties for failing to fulfill declared policies. Auditors won't charge you a fine. They'll point out your shortcomings and help you resolve them. With that context, it's easy to understand why the primary motivation to become SOC 2 compliant is to facilitate sales. It will likely mean your sales teams are asked to complete fewer security RFIs during the sales process. Instead, they can simply submit the company's SOC 2 report.
What is SOC 2 compliance?
SOC 2 compliance is an audit framework designed to help service organizations demonstrate how they secure customer data stored in the cloud. Commonly adopted by software vendors, it establishes strict policies to secure and protect the privacy of customer data. SOC 2 is different from SOC 1, which reports on controls at a service organization relevant to financial reporting, and also different from SOC 3, which reports on the same information as SOC 2 but in a format intended for a more general audience. This blog post will focus on SOC 2 compliance (Service Organization Control 2).
How to become SOC 2 compliant
The process to become SOC 2 compliant typically takes six months. To begin the process, first form a team to own the project. That team will be responsible for conducting a readiness assessment and defining the audit scope. They will write information security policies and procedures and develop an implementation plan to close any identified gaps. Next, they engage a third-party assessor to complete a SOC 2 Type 1 audit, which is designed to be a point-in-time snapshot of your organization's controls.
When the SOC 2 Type 1 audit is complete, you will receive a SOC 2 Type 1 report. This audit report will guide you in closing identified gaps over a six-month period. Finally, the SOC 2 Type 2 (sometimes listed as "Type ii") audit can begin, in which an assessor will verify the operating effectiveness of your internal controls over time.
Your decision to become SOC 2 certified is voluntary, and not driven by HIPAA compliance or other regulations and standards such as PCI-DSS. Rather, the decision to become SOC 2 certified can come from your customers. They may express concerns about security to their business partners, and seek assurance that you are storing their sensitive data securely in your data center. Or they may request more detailed technical information about the protection of your cloud computing environment, such as whether it is protected with an intrusion detection/prevention system, uses load balancing, and is backed up properly. Ultimately, SOC 2 demonstrates to customers that you have the proper people, policies and procedures in place not only to handle a security incident, but to respond to it accordingly.
The SOC 2 audit standard was inspired by an earlier audit called SAS 70 (Statement on Auditing Standards 70), which a CPA (Certified Public Accountant) would use to assess the effectiveness of an organization’s internal controls. When organizations began using SAS 70 as a way to prove a vendor was safe to work with, the SSAE 16 (Statement on Standards for Attestation Engagements 16) report took the place of SAS 70, and then SOC 2 was introduced as a report that focuses strictly on security.
To understand what SOC 2 compliance is, it's helpful to understand the criteria known as the five Trust Services Principles (renamed the Trust Services Criteria in 2018). These principles are defined by the AICPA (American Institute of CPAs) as "a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs." You are not necessarily required to address all of the Trust Services Principles; instead, you select the ones that are relevant to the services you provide to customers. The principles include:
- Security - This principle gives a customer reasonable assurance that their data is safe and secure, and demonstrates that systems are protected against unauthorized access (both physical and logical).
- Availability - Besides the security principle, availability is the second most common principle chosen for the SOC 2 examination. It focuses on systems being available for operation and use.
- Processing integrity - This principle focuses on system processing being complete, accurate, timely and valid.
- Confidentiality - The confidentiality principle ensures information deemed confidential is protected as committed or agreed.
- Privacy - The privacy principle refers to how personal information (first name, last name, address, phone number, etc.) is collected, used, retained, disclosed and disposed of. It ensures your data handling practices align with your privacy notice and use the criteria defined in the privacy principles issued by the AICPA.
In conclusion, to answer the question of what SOC 2 compliance is: SOC reports help demonstrate to your user entities that you are serious about integrity, ethics and security throughout your operations. Learn how strongDM makes SOC 2 compliance easier for high-growth startups and schedule a demo today.