To understand the scope and process of SOC 2, you need to be familiar with the Trust Service Principles (TSP). Before we start, we promise, this is not overwhelming, so just keep on reading.
The Trust Service Principles (today officially the Trust Services Criteria) are the yardstick an auditor uses to assess how well an organization's controls protect its systems and the data they handle. The five categories were developed by the American Institute of Certified Public Accountants (AICPA):
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
System and Organization Controls 2 (SOC 2) is a reporting framework developed by the AICPA for service organizations, which is obviously super credible because whenever an acronym organization is involved, you don’t question it! SOC 2 is the framework service organizations, SaaS companies above all, use to demonstrate to customers that their controls over customer data meet a recognized standard. Trust us, if a prospect asks whether you have SOC 2 and you respond, “uh, well, we were going to get it, but…”, it doesn’t look good. Just get it! It saves you from having to deal with long explanations and excuses.
SOC 2 is guided by the AICPA’s Trust Services Criteria (or Trust Services Principles).
A more flexible security framework
Now, the interesting thing about SOC 2 is that it’s not a one-size-fits-all box-ticking examination. SOC 2 is designed to be flexible and adaptable to the needs of each organization, while still providing a rigorous framework for assessing security and integrity. It almost makes it more personalized, which is pretty frikkin’ cool! Personalized SOC 2! Now that’s snazzy if you ask us!
In practice, this means that, unlike PCI DSS and other prescriptive standards, SOC 2 does not require a company to cover all five categories. It’s a pretty big relief, right?!? You include Security (it is mandatory for every SOC 2 report) and then add as many of the other four as actually apply to the service you provide.
Your next question is probably “How the heck will we know which TSPs apply to us?”. In simple terms, three things decide it: what your customers ask for, what the system in scope actually does (a data center, for example, cannot credibly leave Availability out), and a management decision. Keep in mind that a SOC 2 report is not a pass/fail certificate: the auditor issues an opinion on whether the controls you put in scope meet the criteria, so you are not judged against categories you did not include.
A company aiming for SOC 2 compliance must first undergo SOC 2 readiness preparation. This involves a gap analysis to identify the gaps between the current state and the desired state within the SOC 2 framework. A business will also define the scope of its SOC 2 audit: which of the 5 Trust Services Criteria categories it will include in the audit. Each category covers a set of internal controls related to a different aspect of your information security program. (Note that Security is required to be in scope for every SOC 2 audit.) In other words, the scope is a way of clearly demonstrating to clients which parts of your information security program you have successfully implemented.
With that in mind, let’s take a brief look at the five SOC 2 TSPs. Of course, each of the criteria deserves a blog post (or manual) of its own. If that sounds intimidating, don’t worry. Like we mentioned before, the TSPs are useful precisely because they provide clear guidelines for assessing your organization and implementing effective controls. And, critically, compliance automation tooling makes implementing SOC 2 controls much simpler than ever before.
5 SOC 2 Trust Service Principles
Security
Security is the foundational criterion and is in scope for every SOC 2 report. The Security category (also referred to as the common criteria) covers the measures taken to protect systems and data against unauthorized access, both physical and logical.
Security measures generally include firewalls, intrusion detection, and strong authentication for users, such as multi-factor authentication.
Availability
Is the service available as committed in the user agreement or SLA? In SOC 2 terms, Availability looks at factors such as whether the system is reliably up, how capacity and performance are monitored, and how quickly outages are detected and resolved, including backup and disaster recovery arrangements.
In some cases, Availability will be a key consideration. For example, consistent service with little downtime is a key selling point of data centers. It follows that if you are implementing SOC 2 in a data center, you will want to demonstrate to potential clients that you meet rigorous Availability criteria.
Processing Integrity
Processing Integrity addresses whether the system processes data completely, accurately, on time, and only when authorized. It does not certify that errors never happen; it requires that when errors do occur they are rapidly detected and corrected. The criterion also looks at whether output is delivered on time and in the agreed format.
Processing Integrity may be an important principle for organizations such as financial services companies that are expected to provide consistent, accurate and timely data to clients.
Confidentiality
Under the Confidentiality criterion, information designated as confidential is accessible only to specified individuals and systems. Confidentiality is generally ensured through data classification, data mapping (knowing where the information lives), access control, encryption, and defined retention and disposal rules. In addition, procedures should be in place to detect and respond to data breaches.
Privacy
The Confidentiality and Privacy criteria share similarities but are subtly different. Confidentiality covers any information a client designates as confidential (for instance, business data that is only accessible by a limited number of authorized individuals). Privacy applies specifically to personal information and covers how an organization collects, uses, stores, retains, discloses and disposes of it. Importantly, Privacy assesses how, when and why an organization shares that information, and whether that matches what it told the individuals concerned.
It’s all about implementation
The five Trust Services Criteria provide a clear, systematic set of categories to help you navigate your SOC 2 compliance and apply the appropriate controls for your business. Which, in case we haven’t mentioned it already, is suuuper important!
But having a clearly defined strategy is only half the process. How do you actually enact your SOC 2 goals?
As more companies are discovering, the answer is advanced, fast, personalized and expert-driven SOC 2 automation software like Scytale. Not simply because automating SOC 2 compliance makes the whole process easier, but because automating your compliance with Scytale also comes with expert advisory services from our team throughout the journey. It’s a better way to build a resilient organization that consistently meets the demands of clients, a way to achieve and remain SOC 2 compliant, and, once again, the best way to avoid those “uh, well…” moments.