SOC 2’s five Trust Services Criteria were created to evaluate the design and operational effectiveness of your organization’s information security program. A Service Organization Control (SOC) 2 report describes how your organization handles customer data; it can only be issued by a CPA firm and is governed by the American Institute of Certified Public Accountants (AICPA).
A Quick Overview of SOC 2
SOC 2 is a reporting standard that is relevant to security and privacy and looks primarily into how IT operations are managed by third-party service providers. A report will include the tests performed by the auditor and all results of evidence reviewed. It is used to ensure that these providers are handling customer data appropriately by inquiring into the organization’s system and its controls.
A SOC 2 audit determines whether or not those controls meet the requirements of the SOC 2 framework. A SOC 2 report attests that a third-party service provider meets some, if not all, of the five Trust Services Criteria.
SOC 2 applies to any service organization that stores customer data in the cloud. If any of your customer information is stored in the cloud, SOC 2 could apply to you as well. SOC 2 can help ensure that you are meeting regulatory requirements and is an excellent part of the due diligence in any vendor management program. It also shows relevant stakeholders that you are following procedures to protect your customers’ data.
There are two types of SOC 2 reports:
- A Type 1 report considers whether or not the design of your systems meets the Trust Services Criteria.
- A Type 2 report considers the operational effectiveness of that design.
The Type 1 report is audited at a particular point in time, while the Type 2 report is audited over a period of time to get a broader understanding of those systems in operation.
SOC 2’s Five Trust Services Criteria
Regardless of whether you are getting a Type 1 or Type 2 audit, an auditor will assess to what extent your company adheres to SOC 2’s five Trust Services Criteria, which are:
- Security
- Privacy
- Availability
- Processing Integrity
- Confidentiality
You’ll need to decide how many of the five criteria will be included in the scope of your SOC 2 audit. These criteria apply to your system, which is defined as the personnel who operate it, your physical infrastructure, your operating software, the manual procedures involved in operating the system, and the data that you store.
Security
This is the only criterion that must be included in a SOC 2 report; all others are optional. It is also referred to as the “Common Criteria” because it forms the basis of every other criterion you might include in your report. Security is the foundation shared by all other criteria.
Under this criterion, the system must be protected from unauthorized access. Controls are put in place to limit access and to protect against data breaches, whether they occur over the network or by physical means. This is where IT security tools such as multi-factor authentication and intrusion prevention systems play a part in protecting systems from breaches.
Privacy
This criterion also covers the client’s ability to access and change their personal data should the need arise, and a duty to disclose when a breach has occurred. It overlaps with newer privacy regulations such as the GDPR and the CCPA, so if you are getting a SOC 2 audit and include this criterion in scope, it also aids further regulatory compliance. As such, it is the most frequently included optional criterion.
Availability
The system must be available for use and operational as agreed upon in the original negotiations between the parties. Here the minimum acceptable level of performance is the one agreed upon in the service level agreement.
This criterion does not prescribe what the service must do, only that it remains operational and functioning as agreed. In maintaining availability, disaster recovery methods and incident response are usually kept at the forefront of protective measures.
Processing Integrity
This criterion ensures that there are no processing errors. According to the AICPA, all data processing activities must be accurate, valid, timely, authorized, and complete. Processing integrity exists when a system performs unimpaired and free from outside interference. It is supported by quality assurance, which confirms that the system is achieving its purpose.
Confidentiality
All data classified as confidential is protected from compromise and kept private. This means limiting access to information on a need-to-know basis, and it concerns the methods by which information is kept confidential. This could be as simple as maintaining a system for storing confidential data and encrypting communications pertaining to it. Confidentiality is brought into scope when third parties handle sensitive data such as financial information or intellectual property. Role-based access controls and network application firewalls are tools that help in conforming to the confidentiality criterion.
For each Trust Services Criterion in scope, policies are developed and documented before they are communicated to your employees. Procedures are put in place to uphold the policies, and ongoing monitoring ensures compliance with the policies developed. This gives you a structure for policies, communications, procedures, and monitoring.
Remember that not all of the Trust Services Criteria must be adhered to, but a SOC 2 audit will determine if you are complying with at least some of the criteria listed, the two most important being Security and Privacy. Here at Carbide we can help you on your road to SOC 2 compliance.
We know what a time-consuming ordeal achieving SOC 2 compliance can be — that’s why we have SOC 2 controls, policies, tasks, and planning tools built into the Carbide platform. With a custom-generated security program based on the SOC 2 framework and your unique business operations, you can quickly start checking off items on your SOC 2 to-do list. Talk with us about our mission to make SOC 2 readiness as painless as possible.