What is SOC 2 and Why it Matters for Security

There are some things in life that should be a given: rollercoasters are inspected regularly, chefs wash their hands, and your organization’s file transfers are secure.

That last one has a less obvious cause-and-effect (it’s not like a rollercoaster car rolling off the tracks or a bout of food poisoning!), but insecure file transfers can put sensitive data at risk and affect hundreds of thousands of people. There are numerous safeguards you can put in place to strengthen your security and tools to test for weaknesses, but only a handful of services get down to the very basics of security controls – and one of these is SOC 2.

What is SOC 2?

SOC, short for System and Organization Controls, is a suite of audit services for information systems (think: your firewall, data breach plan, encryption, and more) to ensure that the security system in place is adequate to protect against, detect, and respond to security threats.

SOC 2, formally “SOC for Service Organizations: Trust Services Criteria,” is one of three American Institute of CPAs (AICPA) offerings dedicated to service organizations. Each of these assesses risk, with SOC 2 focusing specifically on an organization’s information systems and how secure they are across five categories, the Trust Services Criteria.

It’s mostly used to audit service providers that manage data on behalf of others, sometimes before a contract is signed.

A Non-comprehensive List of SOC Acronyms

AICPA – American Institute of Certified Public Accountants

ICFR – Internal Control over Financial Reporting

SOC – System and Organization Controls

TSC – Trust Services Criteria

SOC 1 vs. SOC 2 vs. SOC 3

SOC 2 is, unlike many law titles or tech labels, not the second version of anything. Rather, it’s one type of report prepared specifically for information service organizations that details their controls against the five trust services criteria.

SOC 1 has a more financial lean and is officially called “The SOC for Service Organizations: Internal Control over Financial Reporting (ICFR),” while SOC 3 is a lighter, general-use version of SOC 2. It is catered to those who need the same type of security controls as SOC 2 but do not have either “the need for or the knowledge necessary to make use of a SOC 2 Report.”

The AICPA also offers the SOC for Cybersecurity and SOC for Supply Chain, which both focus on cybersecurity within their specific fields.

Type 1 and Type 2

Both SOC 2 and SOC 1 have two types of reports. Both types examine how well the organization’s system is described, how well the design of the controls in place suits the security level needed, and whether the data security design is able to address data security goals and risks. A Type 1 report reviews this at a single point in time, while a Type 2 report examines operation over a longer period (from three months to a year). A Type 2 report therefore also measures the operating effectiveness of the controls in place, not just their design.

Organizations That Adhere to SOC 2

Service organizations, which are companies that provide information systems as a service to other organizations, such as technology service providers, cloud computing providers, and SaaS companies, are the main targets and users of SOC 2. Because they’re managing or storing customer data on behalf of another company, SOC 2 is used to understand their internal processes. It validates whether the internal controls are appropriate and whether the customer data entrusted to them is kept safe and private.

Today, organizations are exchanging data at a larger volume and faster pace than ever before. Cloud computing, the practice of using external systems rather than owning and maintaining physical infrastructure, is helping many organizations accelerate growth while saving money. However, it introduces complexity and risk. SOC 2 helps organizations understand and mitigate those risks before they become a liability.

What is SOC 2 Security Compliance?

SOC 2 is not a strict compliance requirement, but instead evaluates five arenas to establish whether an organization is adequately protecting the data that it collects and stores. The intent behind SOC 2, and the five Trust Service Criteria, is to protect customer data through a holistic information security plan.

To do this, an outside group conducts a technical audit to establish whether an organization understands its regular operations and security measures, has tools in place to protect data and recognize threats, and would be able to respond appropriately to any security threat. This process can take anywhere from six months to a year.

SOC 2’s 5 Trust Services Criteria for Customer Data

SOC reports are built on the Trust Services Criteria (TSC), five partly overlapping categories that help examine an organization’s information systems. The list is not the final authority; instead, it is a guide that covers the basics while offering enough flexibility for companies to build data security structures that best fit their needs, as well as the other requirements and regulations they must meet.

1. Security

Security asks whether data and systems are protected from unauthorized access, whether internal or external. Controls evaluated include multi-factor authentication (MFA), firewalls, and network monitoring and threat detection.

2. Availability

Availability determines whether systems, data, and network performance are monitored and maintained. It evaluates everything from your infrastructure and software to the stored data itself to understand whether performance levels meet your pre-determined SLAs (service level agreements), avoid downtime, and support your disaster recovery plan.

3. Processing Integrity

Processing integrity is about quality assurance. It looks at the intended process and evaluates whether it is secure, runs as expected, and can be monitored for any gaps, leaks, or breakdowns. However, this criterion does not look at the actual data, only at whether the mechanism that processes and moves it works as intended.

4. Confidentiality

Confidentiality covers whether data is encrypted and whether access to it is limited. It determines whether the data collected and stored is safeguarded from internal and external threats and from the risk of exposure. Rather than only the data shared under a particular contract, the company as a whole is evaluated for how well it secures data and adheres to data security laws and regulations.

5. Privacy

Privacy builds on the security and confidentiality TSCs listed above, but with a focus on personally identifiable information (PII). It again asks whether data is protected from unauthorized access through user access controls, MFA, and encryption.

Why is SOC 2 Compliance Important?

Like an annual physical, SOC 2 helps an organization step back and examine the overall health of its data security systems. This step lays the foundation for both expectations and understanding of how an organization is protecting the data it collects and stores.

Why? Gaps in security can lead to a data breach, whether unintentional or malicious. Cybersecurity experts have noted that the number of attacks is growing year over year, with new inroads for cybercriminals into data theft, malware, and ransomware attacks.

Protecting Your Sensitive Data and Meeting SOC 2

Data security software goes a long way toward protecting your sensitive data from the various avenues of attack.

From the start, use a tool that offers user access roles and access logs to limit and review how users are viewing and engaging with data internally. Then, deploy threat detection and prevention solutions, such as network monitors, content inspectors, and more, to gain a better understanding of your regular traffic and get a heads up on any deviations. Finally, ensure that the data you are sending is secured during transit—and that you keep sensitive data from leaving your organization entirely—with managed file transfer and data loss prevention.

Looking for solutions that have already completed a SOC 2 audit assessment? Globalscape Enhanced File Transfer (EFT), a secure managed file transfer solution, is an industry-leading software solution used to secure, automate, and integrate data movement in and out of the cloud, and it has successfully completed a SOC 2 Type 1 Compliance Engagement. Discover how Globalscape EFT can secure your files today.