What is SOC 2 for?

About SOC 2

SOC 2 is a compliance framework for data privacy and security developed by the American Institute of CPAs (AICPA), and it is a crucial framework for technology and cloud computing companies.

Its goal is to make sure that systems are set up so that they assure the security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 is both a technical audit and a requirement that comprehensive information security policies and procedures be written down and followed.

An example would be that our service is available when needed and that personal information passing through it is kept confidential at all times.

Many of the security aspects SOC 2 addresses involve external interactions that could affect internal or customer data security. The AICPA developed SOC 2 as a way to encourage the implementation and oversight of proper security procedures.

Similar to other security guidelines, SOC 2 outlines a basic structure for security measures, but then allows companies to customize those basic measures to their needs.

Organizations that provide tech services and systems to third parties should be familiar with SOC 2. Service organizations are usually required to pass a SOC 2 audit in order to partner with or provide services to other companies. The framework is designed to ensure that relevant organizations, such as cloud computing providers and software-as-a-service companies, process information securely.

Penetration testing is primarily used to test control effectiveness in SOC 2 Type 2 audits and is required to pass the compliance checks.

Why is SOC 2 compliance important?

The most obvious answer is that SOC 2 compliance demonstrates that your organization maintains a high level of information security.

The rigorous compliance requirements, which are put to the test in an on-site audit, ensure that sensitive information is being handled responsibly. Organizations that implement the necessary controls are therefore less likely to suffer data breaches or violate users’ privacy.

This protects the organization from the negative effects of breaches, such as regulatory action and reputational damage, and gives it a competitive advantage.

SOC 2-compliant organizations can use this fact to prove to customers that they’re committed to information security, which in turn will create new business opportunities.

How are SOC 1 and SOC 2 different?

Depending on the service or system you provide, third parties might ask whether you’re SOC 1 or SOC 2 compliant. 

You might think that SOC 2 is an updated version of SOC 1, but they are actually two different frameworks. You might be required to complete one SOC audit or both. 

SOC 1 is less common and applies when you host financial information that could affect third parties’ financial reporting. 

SOC 2 applies to all other types of sensitive information related to the third party. If you don’t host financial data, this is the only compliance audit you should complete. 

By contrast, if you only host financial information, you don’t need to complete SOC 2. 

Organizations that host both types of data will need to complete both compliance audits.

What is a SOC 2 audit?

A SOC 2 audit provides an in-depth assessment of an organization’s: 

  • Security; 
  • Availability; 
  • Processing integrity; 
  • Confidentiality; and/or 
  • Privacy controls. 

SOC is broken down in many ways. There are SOC 1, 2, and 3, which all contain slightly different requirements, but even within SOC 2, which we’re focusing on here, there are two types of certification.

Type 1 involves passing the SOC 2 audit and proving that your policies, procedures, and technologies adhere to the framework’s requirements at that time.

Type 2 involves ongoing compliance with SOC 2 and a thorough audit process that tests the real-world application of your policies, processes, and technologies.

Type 1 or Type 2?

SOC 2 has two different types, like SOC 1. Type 1 reports cover the description of the system and the suitability of the design of controls (known as criteria in SOC terminology), whereas Type 2 reports contain everything in a Type 1 report plus the effectiveness of the controls over a period of time. Type 2 SOC 2 reports are considered more useful, since the auditor verifies that the controls work in an appropriate manner over a period of time.

What does a SOC 2 audit report contain?

The audit report is more than just a list of findings and a checklist of compliance requirements. SOC 2 allows plenty of room for interpretation, because every organisation will have its own requirements based on the way it operates. 

As such, the audit report should provide: 

  • An opinion letter;
  • A management assertion;
  • A detailed description of the system or service;
  • Details of the selected trust services categories; and
  • Tests of controls and the results of testing.

What does SOC 2 certification cover?

To achieve SOC 2 certification, organisations must implement controls on:

System monitoring

Organisations must always monitor their information systems, keeping track of who is accessing sensitive information and what changes they are making to it.

This process should include the adoption of access controls, which ensure that only approved users can open sensitive information. A sophisticated access control management system will contain layers of controls that ensure employees can only view information that’s relevant to their job.

This not only reduces the risk posed by malicious insiders but also mitigates the damage should a cyber criminal gain unauthorised access to an account. As such, access controls provide an extra level of security in the event that employees choose weak passwords or expose their credentials in a phishing scam.

Data breach alerts

No matter how sophisticated your cyber security defences are, you will suffer a data breach sooner or later, because there are simply too many attackers and too many vulnerabilities.

When a security event occurs, you need a system that will alert you of the threat. This doesn’t just refer to unauthorised access, but also to suspicious file transfers or changes to sensitive data.

These are particularly important to look out for when it comes to threats such as spear phishing, where an attacker poses as a senior employee or third party and requests that a lower-level employee sends them a certain file.

The organisation in question hasn’t technically been breached – the attack is nothing more than an email from an illegitimate address – but when the employee complies with the request, a serious incident has occurred.

Audit procedures

Organisations must adopt a rigorous audit procedure to ensure they keep detailed records of the way personal information and other sensitive data is used.

It’s only by doing this that you can trace the source of a data breach and determine the full extent of the damage.

Forensics

The final aspect of SOC 2 compliance concerns the way you respond to threats. This covers the steps you take to identify the full extent of the breach, understand how the incident occurred and prevent further damage.

Having such forensics systems in place gives you the assurance that incidents will be handled promptly, ensuring that a bad situation doesn’t get any worse.

What does SOC 2 require?

First and foremost, SOC 2 requires that you develop security policies and procedures. These need to be written out and followed, and auditors can and will ask to review them.

The policies and procedures should encompass: security, availability, processing integrity, confidentiality, and privacy of data stored in the cloud.

What must I monitor for SOC 2?

Meeting SOC 2 compliance means establishing a process and practices that guarantee oversight across your organization. Specifically, you want to be monitoring for any unusual, unauthorized, or suspicious activity. Often this takes place at the level of system configuration and user access.

You need to be able to monitor for both known malicious activity (like a common phishing scheme or obviously inappropriate access) and unknown malicious activity (like a zero-day threat or a new type of misuse).

To find these “unknowns,” you must establish a baseline of normal activity in your cloud environment, because this will make it clear when abnormal activity takes place. The best way to do this is with a continuous security monitoring service.

What kind of alerts must I set up?

To ensure that you are meeting SOC 2 requirements, you must receive alerts whenever unauthorized access to customer data occurs. If you do not receive these alerts in time, you may not be able to respond and take corrective action in a timely fashion.

To combat false alarms and increase the signal-to-noise ratio, you need a system that only sounds the alarm when activity strays outside of what is normal for your environment.

SOC 2 in particular requires that you set up alerts for:

  • Exposure or modification of data, controls, configurations
  • File transfer activities
  • Privileged filesystem, account, or login access

Make sure your organization is clear on what constitutes a threat indicator for your environment and risk profile, and then fine-tune your alerts so you know when something significant happens and you can move quickly to preserve the integrity of your data.
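As an added example (not code from the original page), the following Python sketch applies the two ideas above together: a baseline of normal per-user activity, and alerts raised only for the three SOC 2 alert categories when an event falls outside that baseline. The event format, user names, action labels and targets are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events as (user, action, target); not real log data.
# BASELINE is the observed "normal activity" window, NEW_EVENTS the period under review.
BASELINE = [
    ("alice", "sudo", "db01"),
    ("alice", "file_transfer", "s3://backups"),
    ("alice", "sudo", "db01"),
    ("bob", "read", "crm"),
]
NEW_EVENTS = [
    ("alice", "sudo", "db01"),                 # normal for alice: suppressed
    ("bob", "sudo", "db01"),                   # privileged access outside bob's baseline
    ("bob", "file_transfer", "s3://backups"),  # file transfer outside bob's baseline
    ("carol", "config_change", "iam-policy"),  # control/configuration modification
    ("alice", "read", "crm"),                  # not an alertable action class
]

# Map action labels (assumed names) to the three SOC 2 alert categories from the text.
SOC2_CATEGORIES = {
    "config_change": "Exposure or modification of data, controls, configurations",
    "data_export": "Exposure or modification of data, controls, configurations",
    "file_transfer": "File transfer activities",
    "sudo": "Privileged filesystem, account, or login access",
    "admin_login": "Privileged filesystem, account, or login access",
}


def build_baseline(events):
    """Per-user set of (action, target) pairs seen during the baseline window."""
    seen = defaultdict(set)
    for user, action, target in events:
        seen[user].add((action, target))
    return seen


def evaluate(events, baseline):
    """Return alerts for events in a SOC 2 category that are new for that user.

    Events in an alertable category that already appear in the user's baseline
    are suppressed, which is what keeps the signal-to-noise ratio high.
    """
    alerts = []
    for user, action, target in events:
        category = SOC2_CATEGORIES.get(action)
        if category is None or (action, target) in baseline.get(user, set()):
            continue
        alerts.append({"user": user, "action": action, "target": target, "category": category})
    return alerts


def run():
    """Build the baseline from BASELINE and evaluate NEW_EVENTS against it."""
    return evaluate(NEW_EVENTS, build_baseline(BASELINE))
```

In a real deployment the baseline would be rebuilt on a rolling window and the suppression rule tuned per category, since a privileged login that is "normal" for one account may still warrant review.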

Is AWS SOC 2 compliant?

If you’re running in AWS, as the majority of cloud-based organizations are, then you’re probably wondering whether AWS meets SOC 2 compliance. The short answer is yes. If you’d like to review it yourself (trust, but verify), the AWS SOC 2 report is available to customers here.

Is Microsoft Azure SOC 2 compliant?

Like AWS, Microsoft Azure passes SOC 2 compliance checks as well. Based on the reports it publishes regularly, Azure can assure its clients of a sufficient level of security, just as Amazon does.

Conclusion

Like other types of compliance checks, SOC 2 must guarantee potential users and clients of a service or company a sufficient level of information security and protection from possible data leaks, while also guaranteeing the availability of the service and the integrity of its information.

Companies that pass this type of check are always in great demand for their services because of the guarantee they provide that risks are minimized.