What Does SOC 2 Type 2 Mean?
Are you sure your software as a service (SaaS) vendors and other third parties are capable of protecting your business’ data?
The fact is that any vendor that has access to your data could potentially put it at risk if they don’t have the right controls and security measures in place.
This is why it’s so important for your IT support and other vendors to undergo Service Organization Control (SOC) audits. A SOC 2 Type 2 certification gives you concrete evidence that you can trust an organization with your data.
What Is SOC 2?
SOC 2 reports provide you with proof that your third parties are complying with control requirements laid out by the American Institute of Certified Public Accountants (AICPA).
SOC 2 audits examine five critical factors: data privacy, processing integrity, availability, data security, and confidentiality. A SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.
How Does SOC 2 Work?
SOC 2 compliance is determined by an auditor that assesses companies based on the following five trust principles:
- Security: This principle examines how system resources are protected from unauthorized access. By implementing an extensive range of access control measures, an organization prevents potential system abuse, data theft, improper use of software, and unauthorized alteration or disclosure of information. Expected access control measures include firewalls, multi-factor authentication, intrusion detection systems, and more.
- Availability: This principle determines whether the availability of the system, apps, and data is in line with the contract or service level agreement (SLA). In this case, the degree of availability and the level of performance are set by both you and the other organization. While this principle is not related to functionality or usability, the security-focused aspects are still critical. The organization must have measures in place to monitor network performance and availability, as well as demonstrate its capability for site failover and security incident management.
- Processing Integrity: This principle is simple—it determines whether or not a system achieves its purpose. This means it must provide the correct data, when requested, and at the predetermined price. Furthermore, the delivered data has to be proven complete, valid, accurate, timely, and authorized. It’s important to note that processing integrity is not data integrity. Data errors are not usually the responsibility of the organization that handles the processing.
- Confidentiality: Data must be confidential, which, in this context, means its access and disclosure are properly restricted to only a specific group of people or organization. This data could include intellectual property, business plans, confidential pricing, and other financial data. Encryption is a key aspect of this principle. Data must be properly protected both in transit and at rest. This requires the right encryption services, in addition to network and application firewalls and access controls.
- Privacy: This final principle looks at how the system collects, uses, retains, discloses, and disposes of personal information in line with criteria laid out by the AICPA’s generally accepted privacy principles (GAPP). All personally identifiable information (PII) must be kept private. This type of information includes any data that refers to details that distinguish a person, such as their name, address, or Social Security number. An organization with access to this data must implement controls to protect all PII from unauthorized access.
What’s The Difference Between SOC 2 Type 1 and Type 2?
SOC 2 Type 1 is an audit of the internal controls used for Financial Reporting, and SOC 2 Type 2 focuses on the internal controls relevant to security. While SOC 2 Type 1 allows vendors to achieve standard SOC compliance, SOC 2 Type 2 is more difficult to achieve.
SOC 2 Type 1 examines the organization’s data handling policies and security system, prioritizing both the applicability and efficiency of design controls. Reviewing a potential vendor’s SOC 2 Type 1 report will allow you to see how that organization handles its clients’ data.
SOC 2 Type 2 reports include all of the information covered by SOC 2 Type 1, as well as the auditor’s assessment as to how the organization’s controls have been tested for operational effectiveness over a period of time.
It’s important to note that SOC 2 reports assess an organization’s controls in a given period, which means that reports are not considered valid in perpetuity. Organizations will generally undergo audits on an annual basis.
You Need To Verify Your IT Company’s Cybersecurity
You hear about small businesses and massive enterprises getting hacked on nearly a daily basis. It’s regular news at this point, so you probably tune it out, right?
What about IT companies? Have you noticed when they get hacked?
It’s more significant because they’re supposed to be responsible for their clients’ cybersecurity. It doesn’t look very good if they can’t even protect themselves. And it raises the question—is your IT company secure?
It’s especially dangerous when an IT company gets hacked because they often have access to all their clients’ data. In effect, all their clients are hacked as well.
That’s precisely what happened when Complete Technology Solutions was recently infected with ransomware – all their clients, 100+ businesses in the dentistry industry, were infected as well. In the end, CTS had to pay a reported $700,000 ransom, but some of their clients were left to pay ransoms individually for their own files.
If it could happen to an IT company that works with that many clients, don’t you think it’s possible it could happen to your IT company too?
Is Your IT Company Secure?
You need to be confident that your IT company can protect you, as well as themselves. If you’re at all unsure, then do your due diligence and inquire about their security standards and practices.
That’s why a SOC 2 certification is so important. You can use SOC 2 reports to get evidence of a potential service provider’s data management and security capabilities.
Instead of your staff having to verify the organization’s controls, you can simply ask for a SOC 2 report (of the appropriate subcategory) and get the information you need, verified by a third-party auditor.
Ask To See Our SOC 2 Type 2 Report
If you’re going to trust an IT company to look after the security of your data, they should be willing to have their cybersecurity processes audited. Do they have proof of their cybersecurity credentials?
The EasyIT team knows how important cybersecurity is for our clients.
Want to see our cybersecurity credentials? All you have to do is ask.