Cyber threats are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or significant IT outages concern companies more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have significantly impacted firms in the past two years.
These cyber perils make it increasingly important for organizations to properly secure sensitive data and ensure their selected service providers follow data security best practices in their organizational policies and everyday workflows. This is why more organizations search for SOC 2 compliant service providers.
SOC 2 is a reporting framework created by the American Institute of Certified Public Accountants (AICPA). It is the highest industry standard for managing client data based on five principles: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 is a voluntary compliance standard, and service providers design their controls to comply with one or more of the trust principles, making SOC 2 reports unique to each organization. These internal reports provide essential information about how a service provider manages data and inform its clients, regulators, business partners, suppliers and other stakeholders.
Type I: A SOC 2 Type I certification attests to controls at a service organization at a specific point in time. SOC 2 Type I reports on the description of controls that the service organization’s management provides and attests that the controls are suitably designed and implemented.
Type II: A SOC 2 Type II report attests to a service organization’s controls over six months. SOC 2 Type II reports on the description of controls provided by the service organization’s management, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls. During a SOC 2 Type II audit, the auditor will conduct fieldwork on a sample of days across the testing period to observe how controls are implemented and how effective they are.
Outside auditors issue SOC 2 certification and assess the extent to which a vendor’s systems and processes comply with one or more of the five trust principles. A volunteer task force has developed the Trust Services Principles and Criteria under the AICPA’s Assurance Services Executive Committee (ASEC) and CPA Canada’s Research, Guidance and Support Group.
The security principle refers to the protection of system resources against unauthorized access. This aims to prevent potential system theft, unauthorized data removal, software misuse, and improper information alteration or disclosure. Security solutions such as network and web application firewalls, two-factor authentication, intrusion detection and alerts are just a few ways to comply with this trust principle and help prevent security breaches that can lead to unauthorized access.
Can your customers quickly and easily access their data? Are you giving them digital service in a timely, reasonable way? The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). Therefore, the minimum acceptable performance level for system availability is set by both parties.
Does your system do what it’s supposed to do? Does it securely send data at the right time to the correct location? The processing integrity principle considers whether or not a system achieves its purpose. Therefore, data processing must be complete, accurate, valid, timely and authorized.
Keep in mind, processing integrity does not necessarily mean data integrity. For example, if data contains errors before being put into the system, detecting them is not typically the responsibility of the processing entity. However, data processing monitoring and quality assurance procedures can help ensure processing integrity.
The confidentiality principle requires restricted data access so only relevant, authorized parties can use sensitive customer data. Examples include data intended only for company personnel, business plans, intellectual property, internal price lists and other sensitive financial information.
Organizations must create policies and procedures for keeping this data confidential during transfer, storage, and access. Encryption, firewalls, and access controls are a few ways to comply with this SOC 2 requirement.
Does your data include personally identifiable information (PII) such as name, address or Social Security number? The privacy principle addresses the collection, use, retention, disclosure and disposal of PII in accordance with an organization’s privacy notice and the criteria outlined in the AICPA’s generally accepted privacy principles (GAPP).
While SOC 2 compliance is a voluntary standard, its role in securing systems and data is critical. With our SOC 2 Type II certification, Gibraltar has gone the extra mile to demonstrate that we can meet the industry’s security, availability, integrity, confidentiality, and privacy standards. We are committed to achieving the highest compliance and security standards to protect our clients’ sensitive data and ensure business continuity.