Awareness of the global standard for secure data handling known as System and Organization Controls (SOC) is currently relatively low in the UK, but this situation is set to change over the coming year. With data security now a top priority across the globe, all businesses that collect and share information should have SOC 2 on their radar.
First, though, it is key to establish the different reports available. There are three SOC audit reports - SOC 1, SOC 2 and SOC 3 - and within these there are different ‘Types’. The topline for each is that SOC 1 examines a service organization’s controls that are relevant to its clients’ financial reporting; SOC 2 examines how a company commits to and implements internal controls around one or more of the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria, covering security, availability, processing integrity, confidentiality and privacy; SOC 3 uses the same criteria as SOC 2, but the report is prepared for wide distribution, for example on a company’s website for marketing purposes. SOC 1 and SOC 2 reports can be either Type I or Type II: a Type I report assesses whether controls are suitably designed at a point in time, while a Type II report assesses whether they are both suitably designed and operating effectively over a period, typically six months or more. A SOC 3 report is always based on the results of a SOC 2 Type II examination.
Of the three options, the SOC 2 Type II report is the most in-depth and rigorous report and I would like to offer some advice to other organizations setting out on the SOC journey by taking a deeper look at what SOC 2 is, who needs it and what it takes to achieve it.
SOC 2 audits explained
A SOC 2 audit provides an organization’s clients and stakeholders with assurance about the suitability and effectiveness of its data controls, based on the Trust Services Criteria laid down by the AICPA. The common criteria that every SOC 2 report must address follow the COSO components (control environment, communication and information, risk assessment, monitoring activities and control activities) and add four supplemental categories: logical and physical access controls, system operations, change management and risk mitigation. SOC 2 is not a certification; it is an examination of an organization’s data controls, with an independent CPA firm issuing its opinion on the suitability and effectiveness of those controls.
Who needs a SOC 2 audit?
Third-party validation of data controls is important for any organization engaging in services that require data sharing. A SOC 2 audit can make a vendor far more appealing to clients who would have previously spent a great deal of time assessing the vendor’s data practices to ensure they were up to scratch. The SOC 2 report can be used to quickly understand how the vendor operates and it reduces the burden on the client’s security operations group. This third-party validation can be table stakes in winning new business.
The types of clients that require vendors or partners to prove effective and appropriate data controls through SOC 2 vary greatly. In the past this was more likely to be larger American companies, but smaller businesses all over the globe are starting to realize the value of third-party auditing of data controls. It is not necessarily the size of the business that dictates its requirements for robust and appropriate data controls, but rather other factors, such as the impact that exposure of a business’s intellectual property to competitors in the market might have.
SOC 2 audits can cover five trust services categories. The only mandatory category is security, but organizations can also choose to be audited for availability, processing integrity, confidentiality and privacy. Meeting the criteria for the security trust services category means that “information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.”
When deciding which trust services categories to be audited against, organizations should look at the type of data they collect and share, and determine which categories are necessary to mitigate risks to the specific service they provide. If they are sharing extensive personally identifiable information (PII) about users - employees and clients, for instance - they will need to consider the privacy category. For most organizations that work with less sensitive data - such as a name and email address used only to create an account - the security category is an ideal first step that will help them ensure they have the right systems and controls in place.
Considerations prior to a SOC 2 audit
It’s easy for organizations to assume the SOC 2 examination process is purely technical but this is far from the case. While controls around security, software development and change management are assessed, the scope of the framework around SOC 2 has expanded in recent years making organizational risk the foundation for the rest of the criteria, and making the audit more business and process oriented.
There is an entire component that assesses the organization, from the board and executive management team downward, to understand how they discuss and document risk, as well as their strategy and expectations. This component means it is vital to have full company buy-in at the start of the SOC 2 process. The board and executive team must be able to demonstrate the controls they have in place for various criteria through documents such as board minutes and organizational risk assessments, both external and internal.
From a more technical standpoint, one of the key things to understand about SOC 2 is that it does not prescribe specific controls. Organizations define the controls and processes they believe are appropriate to secure data for their business, and present them to the auditors, who form an opinion on whether those controls meet the criteria and operate effectively. Organizations can go as deep or as shallow as they want with the controls they put in place, but each control they claim must address the relevant criteria and must be shown to work; the examination rests on that evidence, not on the number of controls.
There is a risk of organizations over-engineering processes to fit what they think needs to be done instead of creating a framework that is right for their individual organization and achieves their unique data security goals. They need to understand what data they have, determine what risks it poses to their business and their clients, implement appropriate controls to mitigate those risks, and find a way to demonstrate effectiveness. The message to organizations is to be yourself, assuming of course you are data-security minded.
A final consideration for those preparing to undertake a SOC 2 audit is the importance of documentation. The effectiveness of organizational processes can only be assessed if they are properly documented. Many organizations will already be doing the majority of things right but if these aren’t written down, they can’t be shared with auditors or with the company at large to increase understanding. Organizations need to document even the smallest processes, so one of the initial steps in preparing for SOC 2 is identifying documentation the business already has and any potential gaps that exist. Depending on the size of the organization, documentation may be manual to begin with, but automation should be considered to reduce friction in the process and make it as efficient as possible.
Best practice for a SOC 2 audit
- Company policies and procedures regarding the software development life cycle
  - Segregation of duties is important to demonstrate
  - The same person must not be able to make code changes and push those changes into production unilaterally
  - Use GitHub’s branch protection feature to require code review approvals before a merge, and restrict direct pushes to the protected branch so that review cannot be bypassed
  - Track all code and infrastructure changes with a change ticket in a software solution like JIRA
- Network security
  - Security groups, firewalls, etc. should deny all traffic by default. Have a process where ports that need to be opened in the network must be explicitly requested and reviewed before the change is made
- Logical access
  - Policies for access control based on least privilege are important
- Encryption standards
  - TLS 1.2 as the minimum protocol for encrypted communication (disable TLS 1.0 and 1.1; prefer TLS 1.3 where supported)
- Backup and disaster recovery
  - Document your critical services and assign a technical lead responsible for restoring each service in the event of a disaster
  - Test these controls at least once per year
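Two of the items above can be checked with a script rather than by hand, which also produces repeatable evidence for the auditor. The following Python is an added example, not VidMob's tooling and not anything GitHub or AWS ship: it checks a branch-protection configuration and a set of merged pull requests against the segregation-of-duties requirement, and scans security group rules for internet-exposed ingress whose description cites no approved change ticket. The input data is constructed for the example and shaped like the GitHub branch-protection response and the AWS `describe-security-groups` output; the `CHG-` ticket prefix and the set of approved tickets are assumptions standing in for a lookup against the change system.

```python
"""Scripted evidence checks for two of the controls listed above.

Added example (not VidMob's tooling). The inputs are constructed samples shaped
like the GitHub branch-protection API response and the AWS
`describe-security-groups` output, embedded here so the script runs offline.
"""
import ipaddress
import re

# --- Segregation of duties in the change process --------------------------

# Constructed: shape of GET /repos/{owner}/{repo}/branches/main/protection
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}

# Constructed: merged pull requests, simplified from the GitHub PR/review API
MERGED_PRS = [
    {"number": 101, "author": "alice", "approvers": ["bob"], "merged_by": "alice"},
    {"number": 102, "author": "carol", "approvers": [], "merged_by": "carol"},
    {"number": 103, "author": "dave", "approvers": ["dave"], "merged_by": "erin"},
]


def branch_protection_findings(protection):
    """Return the ways a branch-protection config fails to enforce review."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required before merge")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("approvals survive new commits (dismiss_stale_reviews off)")
    if not protection.get("enforce_admins", {}).get("enabled"):
        findings.append("administrators can bypass the rule")
    if protection.get("allow_force_pushes", {}).get("enabled"):
        findings.append("force pushes to the protected branch are allowed")
    return findings


def unilateral_changes(prs):
    """PR numbers merged without an approval from someone other than the author.

    A self-approval (author listed among approvers) does not count: the control
    is that a second person reviewed the change, whoever pressed merge.
    """
    return [pr["number"] for pr in prs
            if not (set(pr["approvers"]) - {pr["author"]})]


# --- Deny-by-default network rules with reviewed exceptions ---------------

# Constructed: shape of `aws ec2 describe-security-groups` (trimmed)
SECURITY_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "CHG-214 public HTTPS"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp"}]},
    ]},
    {"GroupId": "sg-0002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "CHG-180 app subnet"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Assumed convention: tickets are cited as CHG-<n> in the rule description. In
# practice this set would be fetched from the change system (JIRA etc.).
APPROVED_TICKETS = {"CHG-214", "CHG-180"}
TICKET_RE = re.compile(r"\bCHG-\d+\b")


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any range with prefix length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def unapproved_world_ingress(groups, approved):
    """Internet-reachable rules whose description cites no approved ticket.

    Returns (group id, protocol, port range, cidr) tuples. IpProtocol "-1"
    means every protocol and port, so it is reported as "all".
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            entries = [(r["CidrIp"], r.get("Description", "")) for r in perm.get("IpRanges", [])]
            entries += [(r["CidrIpv6"], r.get("Description", "")) for r in perm.get("Ipv6Ranges", [])]
            for cidr, description in entries:
                if not is_world_open(cidr):
                    continue
                if not set(TICKET_RE.findall(description)) & approved:
                    findings.append((group["GroupId"], proto, ports, cidr))
    return findings


if __name__ == "__main__":
    for line in branch_protection_findings(BRANCH_PROTECTION) or ["branch protection: OK"]:
        print(line)
    print("unilateral changes:", unilateral_changes(MERGED_PRS))
    print("unapproved world-open ingress:",
          unapproved_world_ingress(SECURITY_GROUPS, APPROVED_TICKETS))
```

Run against the constructed data, the branch protection passes, PRs 102 and 103 are flagged (no review, and a self-approval respectively), and two rules are flagged: SSH open to 0.0.0.0/0 with no ticket, and an all-protocol IPv6 rule open to ::/0. Output like this, run on a schedule and stored with the run date, is exactly the kind of evidence a Type II examination asks for over the review period.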
Awareness of SOC 2 may be low in the UK at the current time but this is changing as clients increasingly prioritize data security. Completing a SOC 2 examination will inevitably help organizations prove the effectiveness of their data controls and ultimately win more business, so now is the time to start preparing.
James Kupernik, CTO, VidMob