{"id":12466,"date":"2020-06-30T10:00:00","date_gmt":"2020-06-30T14:00:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12466"},"modified":"2024-10-18T10:58:48","modified_gmt":"2024-10-18T14:58:48","slug":"what-is-soc2-compliance-how-does-it-affect-your-business","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/what-is-soc2-compliance-how-does-it-affect-your-business\/","title":{"rendered":"What Is SOC2 Compliance &#038; How Does It Affect Your Business?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">How SOC 2 reports can help cloud service providers stand out from the competition (and make your customers feel more confident in your ability to protect their data)<\/h2>\n\n\n<div class=\"wp-block-image is-resized\">\n<figure class=\"alignright size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"368\" height=\"342\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/CT-126.jpg\" alt=\"SOC 2 compliance graphic that's a comic from CloudTweaks about cloud security and data storage\" class=\"wp-image-12467\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/CT-126.jpg 368w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/CT-126-300x279.jpg 300w\" sizes=\"auto, (max-width: 368px) 100vw, 368px\" \/><figcaption class=\"wp-element-caption\">Image source: <a href=\"https:\/\/comics.cloudtweaks.com\/license\/disorganized\/\" target=\"_blank\" rel=\"noreferrer noopener\">CloudTweaks<\/a><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">While we can all appreciate the humor of this comic, it\u2019s scary how many organizations have this type of mindset when it comes to the security, privacy, and confidentiality of their cloud-stored data. This is where SOC 2 compliance audits and reports really come in handy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what is SOC 2 compliance? 
SOC2 compliance is an essential component of information security for many businesses and organizations. This rings especially true for those that are third-party service providers such as cloud storage, web hosting, and software-as-a-service (SaaS) companies\u2026 Or, really, any organization that stores its customer data in the cloud. As you can imagine, that expands the list a lot.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, <strong>SOC 2 audits and reports help service providers show that the privacy, confidentiality and integrity of the data they handle \u2014 meaning their customers\u2019 or their customers\u2019 users\u2019 data \u2014 is a priority<\/strong>. A report doesn\u2019t mean an organization is 100% secure as a whole, but it shows that they\u2019re ahead of their competitors who lack these reports, and it gives their customers independent evidence that those vendors are doing what they should be doing to keep said data secure in the cloud.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, when we talk about SOC2 compliance, what exactly does that mean? And why is having an SOC 2 report so important to your customers? And who actually performs these examinations and creates the reports that organizations worldwide trust?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Is SOC 2? A Look at What SOC2 Compliance Entails\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Feeling a little lost? You&#8217;re not alone (hence why we wrote this article). In a nutshell, SOC2 (commonly pronounced \u201csock 2\u201d) is the second of three <a rel=\"noreferrer noopener\" href=\"https:\/\/www.aicpa.org\/interestareas\/frc\/assuranceadvisoryservices\/sorhome.html\" target=\"_blank\">System and Organization Controls (SOC)<\/a> audits and reports that are integral to information security. 
The SOC reports are a family of attestation reports, and the criteria behind them, developed by the American Institute of CPAs (AICPA), a member network of more than 430,000 CPAs around the world.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SOC audits are designed to examine the policies, procedures, and internal controls of an organization. Testing and reporting on these controls are important because they impact the security, privacy, and confidentiality of an entity\u2019s sensitive data. Audits are conducted in accordance with the <a href=\"https:\/\/www.aicpastore.com\/SOC\/reporting-on-controls-at-a-service-organization-re\/PRDOVR~PC-0128210\/PC-0128210.jsp\" target=\"_blank\" rel=\"noreferrer noopener\">AICPA audit guide<\/a> and the AICPA\u2019s attestation standards (historically <a href=\"https:\/\/www.aicpa.org\/Research\/Standards\/AuditAttest\/DownloadableDocuments\/AT-00101.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Attestation Standards Section 101<\/a>, more commonly known as AT Section 101, which SSAE No. 18 has since reorganized into the AT-C sections; more on SSAE 18 below).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SOC audits draw the lines that service providers need to color within regarding data privacy, security, and integrity. It\u2019s about showing customers and potential customers that you know what you\u2019re doing and are taking the appropriate steps to ensure their data is secure with you.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Three Types of SOC Reports<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">So, what are the three types of SOC reporting options for service organizations? They include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.aicpa.org\/interestareas\/frc\/assuranceadvisoryservices\/aicpasoc1report.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>SOC 1<\/strong><\/a> \u2014 This is designed for reporting on the processes and controls that influence an organization\u2019s internal control over <strong>financial reporting <\/strong>(ICFR). 
Essentially, the choices you make as a service organization may affect the financial reporting of your users\u2019 organizations.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.aicpa.org\/interestareas\/frc\/assuranceadvisoryservices\/aicpasoc2report.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>SOC 2<\/strong><\/a><strong> <\/strong>\u2014 This report is designed for service organizations and reports on controls <strong>unrelated to financial reporting<\/strong>. It <strong>focuses on five key trust services criteria <\/strong>(formerly called trust services principles), or TSCs as they\u2019re more commonly known (which we\u2019ll discuss more in depth momentarily). Basically, the goal here is to outline the criteria that are necessary to keep sensitive data private and secure while it\u2019s in transit or at rest.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.aicpa.org\/interestareas\/frc\/assuranceadvisoryservices\/aicpasoc3report.html\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 3<\/a><\/strong> \u2014 The third type of SOC report is akin to the second in terms of the reporting criteria \u2013 the difference between the two boils down to how the info is reported. <strong>SOC 2 is a restricted-use report written for specific customers and their auditors (it contains the detailed system description, the controls, and the auditor\u2019s test results), whereas SOC 3 is a general-use report that omits those details and can be published for a general audience (the public).<\/strong><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">There are also technically SOC reports for cybersecurity and the supply chain as well, but we won\u2019t get into all of that today. Just know that there are <a href=\"https:\/\/www.aicpa.org\/content\/dam\/aicpa\/interestareas\/frc\/assuranceadvisoryservices\/downloadabledocuments\/comparison-of-soc-examinations-and-related-reports.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">several key differences<\/a> between an SOC for cybersecurity report (which, essentially, is an examination of an organization\u2019s cybersecurity risk management program) and an SOC 2 engagement report. 
<a href=\"https:\/\/kirkpatrickprice.com\/blog\/difference-between-soc-for-cybersecurity-and-soc-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">KirkPatrickPrice reports<\/a> that those differences relate to subject matter, purpose and use, audience, and report types.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are specific standards that apply to all types of SOC reports \u2014 these are known as the <a href=\"https:\/\/www.aicpa.org\/content\/dam\/aicpa\/research\/standards\/auditattest\/downloadabledocuments\/ssae-no-18.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Statement on Standards for Attestation Engagements (SSAE)<\/a>, which is currently at version No. 18. This auditing standard is basically the successor of the now-deprecated SSAE No. 16 auditing standard, which used to only apply to SOC 1 reports.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How SOC 2 and SOC 1 Differ, and Why SOC 2 Compliance Matters to Your Organization<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The SOC 2 standards, in particular, focus on the non-financial reporting on the internal controls and systems that you can implement to protect the confidentiality and privacy of data that\u2019s stored in cloud environments.  <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, these controls are a specific set of policies and procedures that help to ensure the security of any sensitive information that the third-party service providers are responsible for protecting. This differs from a SOC 1 examination, which focuses on financial reporting. 
Basically, a SOC 1 report is created by auditors, for auditors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, why does SOC 2 compliance matter to you? Well, considering your organization has to adhere to specific data security standards (think: <a href=\"https:\/\/www.thesslstore.com\/blog\/ccpa-vs-gdpr-what-you-need-to-know-about-these-data-privacy-laws\/\">CCPA, GDPR<\/a>, <a href=\"https:\/\/www.thesslstore.com\/blog\/10-data-privacy-and-encryption-laws-every-business-needs-to-know\/\">FIPS<\/a>, <a href=\"https:\/\/www.thesslstore.com\/blog\/demystifying-pci-dss-compliance\/\">PCI DSS<\/a>, <a href=\"https:\/\/www.thesslstore.com\/blog\/hipaa-compliance-technical-safeguards\/\">HIPAA<\/a>, etc.), you should be able to expect that any third-party organizations you\u2019re contracted with to store or process your data online do the same\u2026 right?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you believe that, then I have a bridge or two to sell you\u2026 and possibly a unicorn.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, not all service providers are stringent about protecting their own data. If your data isn\u2019t properly handled, it can leave you vulnerable to various security issues, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data theft, breaches and leaks<\/strong> \u2014 Considering that <a href=\"https:\/\/www.riskbasedsecurity.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Risk Based Security<\/a> reported that more than <a href=\"https:\/\/www.thesslstore.com\/blog\/cyber-security-statistics\/\">15 billion records were exposed<\/a> in 2019 due to data breaches, this is a critical issue.<\/li>\n\n\n\n<li><strong>Malware and ransomware attacks<\/strong> \u2014 Ransomware was a very costly issue for key organizations and institutions around the U.S. in 2019. 
<a href=\"https:\/\/www.emsisoft.com\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\">Emsisoft<\/a> reports that <a href=\"https:\/\/www.thesslstore.com\/blog\/cyber-security-statistics\/\">ransomware attacks cost a cool $7.9 billion<\/a> to healthcare providers, government organizations, and educational institutions in 2019 alone.<\/li>\n\n\n\n<li><strong>Reputational damage and related losses<\/strong> \u2014 Loss of trust, for any reason, deals a major blow to an organization. When it\u2019s the result of cyber security events that could have been avoided by implementing security measures, it\u2019s a double whammy.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">So, if they\u2019re not stringent in their own practices, why would you expect them to put in the effort to protect your data? This is where the five trust services criteria of an SOC 2 examination come into play.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So, What Are the Trust Services Criteria of SOC 2?<\/h2>\n\n\n<div class=\"wp-block-image is-resized\">\n<figure class=\"alignright size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"656\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soc-2-trust-criteria.png\" alt=\"Doughnut chart graphic of the SOC 2 trust services criteria\" class=\"wp-image-12469\" style=\"width:295px;height:auto\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soc-2-trust-criteria.png 608w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soc-2-trust-criteria-278x300.png 278w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><figcaption class=\"wp-element-caption\">The five trust services criteria of SOC 2<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">As you now know, an SOC 2 examination is a way for you to ensure that a third-party service provider is doing what they\u2019re supposed to do to protect and secure your customers\u2019 data. 
This provides you with some security assurance by knowing that a reputable third party (in this case, a licensed CPA) has evaluated the service provider\u2019s policies, controls and procedures for identifying and mitigating potential risks against five specific <a rel=\"noreferrer noopener\" href=\"https:\/\/www.dashsdk.com\/resource\/soc-2-trust-services-criteria-tsc\/\" target=\"_blank\">trust services criteria<\/a> (TSCs).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These five categories are outlined in the AICPA\u2019s TSP Section 100, <a href=\"https:\/\/www.aicpa.org\/content\/dam\/aicpa\/interestareas\/frc\/assuranceadvisoryservices\/downloadabledocuments\/trust-services-criteria.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy<\/a>:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Security<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This category is included in every SOC 2 examination. It is assessed through the common criteria (CC), which cover protecting the data and systems that are used to collect or create, store, use, process, or transmit information against unauthorized access, unauthorized disclosure, and damage. 
(We\u2019ll talk about those CCs after we finish up with the TSCs.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the AICPA\u2019s 2017 Trust Services guide, the security TSC is all about ensuring that:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cInformation and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity\u2019s ability to achieve its objectives.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Here at Hashed Out, we always harp on the importance of data security and integrity. So, we\u2019re happy to see that security is number one on the AICPA\u2019s list as well because, well, <em>it\u2019s just that important!<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some examples of tools and policies that could fall under this category include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Intrusion detection and prevention systems (IDS\/IPS)<\/li>\n\n\n\n<li>Firewalls and other network and application security measures<\/li>\n\n\n\n<li>Multi-factor authentication (MFA) tools and potentially client certificates<\/li>\n\n\n\n<li>Penetration tests and vulnerability assessments<\/li>\n\n\n\n<li>Implementing computer use policies<\/li>\n\n\n\n<li>Digital and physical access controls<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>There is one important thing we\u2019d like to note:<\/em><\/strong><em> The security category applies to all SOC 2 engagements, whereas the other four categories don\u2019t necessarily have to be covered in the report. 
(Basically, you can report on just security if you want, or you can choose to report on security + any of the other options that we\u2019ll talk about shortly.)<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Some organizations opt to be thorough and include all five, whereas others only include the criteria that they believe are most applicable to them. Really, the choice is up to you for how you want to proceed.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Availability<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This TSC category is all about availability: whether an entity\u2019s systems, and the products or services built on them, are available for operation and use as committed or agreed with customers. During this part of the audit, a licensed CPA examines the controls that support availability for operation, monitoring, and maintenance and whether they help the organization achieve its objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some examples of tools, processes and policies that would fall under this category include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/in-case-of-emergency-a-disaster-recovery-plan-checklist-for-data-security\/\">Disaster response and recovery<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/3-2-1-backup-rule-the-rule-of-thumb-solution-to-your-data-loss-problems\/\">Secure data backups<\/a><\/li>\n\n\n\n<li>Performance and incident monitoring and response<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. Processing Integrity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Well, this category is kind of self-explanatory. But let\u2019s go ahead and break it down anyway. It\u2019s commonly understood that businesses and organizations want to know that their customers\u2019 data isn&#8217;t being compromised or manipulated in any way during processing. 
So, if they\u2019re working with a third-party service provider, this part of the trust services criteria helps them ensure that processing is accurate, complete, valid, and timely, and that the provider\u2019s systems process the data only as authorized.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, the focus here is on whether an entity\u2019s systems achieve the goals or purposes for which they were designed. So, this part of the audit process assesses whether the systems show any delays, omissions, errors, or manipulations (inadvertent or unauthorized) in their processing. Processing integrity does not, however, mean that the data itself is free of errors introduced by faulty data entry: that\u2019s a data integrity issue, which is a separate concern.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some examples of processes and policies that would fall under this category include input validation, process monitoring, and quality assurance (QA) processes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Confidentiality<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This category of the five trust services criteria aims to demonstrate that any &#8220;confidential&#8221; data remains protected and secure. 
This includes a variety of types of information&#8230; everything from an entity\u2019s personal information to its intellectual property.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Encryption, such as the in-transit protection offered by <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-website-security-certificate-and-what-does-it-do-for-your-business\/#:~:text=Essentially%2C%20a%20website%20security%20certificate,secured%20using%20an%20encrypted%20connection.\">SSL\/TLS certificates<\/a> and the S\/MIME message encryption and signing offered by email signing certificates (aka client certificates and personal authentication certificates), is essential.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some tools and processes that would be particularly useful for protecting data include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Digital and physical access controls<\/li>\n\n\n\n<li>Network and application firewalls<\/li>\n\n\n\n<li>Cryptographic solutions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5. Privacy<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Wait, aren\u2019t confidentiality and privacy the same thing? Nope. 
The confidentiality TSC applies to various categories of sensitive information, whereas privacy applies only to personally identifiable information (PII) that includes (but isn\u2019t limited to):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First and last names<\/li>\n\n\n\n<li>Social security numbers (or other similar identifiers)<\/li>\n\n\n\n<li>Addresses and contact information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The AICPA outlines privacy criteria in its guide as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Notice and communication of objectives<\/li>\n\n\n\n<li>Choice and consent<\/li>\n\n\n\n<li>Collection<\/li>\n\n\n\n<li>Use, retention, and disposal<\/li>\n\n\n\n<li>Access<\/li>\n\n\n\n<li>Disclosure and notification<\/li>\n\n\n\n<li>Quality<\/li>\n\n\n\n<li>Monitoring and enforcement<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To qualify for SOC 2 compliance in this area, an organization must demonstrate that they protect and handle personal information securely. This particular reporting option relates to how data is collected, used, disclosed, retained, and disposed of as part of how an entity performs its job.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some important tools, processes and policies that could be useful for SOC 2 compliance include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encryption<\/li>\n\n\n\n<li>Access controls<\/li>\n\n\n\n<li>Privacy and disclosure notifications<\/li>\n\n\n\n<li>Secure disposal processes<\/li>\n<\/ul>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\">About Those Common Criteria We Mentioned Earlier\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Did you know that the five trust services criteria are only one part of the TSP? 
There\u2019s actually a second component to consider: the common criteria (CC), which belong to the security category and therefore apply to every SOC 2 report, are organized into nine series:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Control environment (CC1)<\/li>\n\n\n\n<li>Communication and information (CC2)<\/li>\n\n\n\n<li>Risk assessment (CC3)<\/li>\n\n\n\n<li>Monitoring activities (CC4)<\/li>\n\n\n\n<li>Control activities related to the design and implementation of controls (CC5)<\/li>\n\n\n\n<li>Logical and physical access controls (CC6)<\/li>\n\n\n\n<li>System operations (CC7)<\/li>\n\n\n\n<li>Change management (CC8)<\/li>\n\n\n\n<li>Risk mitigation (CC9)<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image is-resized\">\n<figure class=\"alignright size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"654\" height=\"573\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soco-framework.png\" alt=\"Cube graphic from the 2013 COSO Framework\" class=\"wp-image-12468\" style=\"width:261px;height:auto\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soco-framework.png 654w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soco-framework-300x263.png 300w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><figcaption class=\"wp-element-caption\">Image source: Committee of Sponsoring Organizations&#8217; (COSO) <a href=\"https:\/\/www.coso.org\/_files\/ugd\/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf\">Internal Control &#8211; Integrated Framework Executive Summary<\/a>.<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The first five common criteria series correspond to the five components of internal control outlined in the <a href=\"https:\/\/www.coso.org\/Pages\/ic.aspx\" target=\"_blank\" rel=\"noreferrer noopener\">2013 COSO Framework<\/a>, which is composed of 17 principles. 
<strong>(Note: The 2013 COSO Framework is still in use as part of the 2017 TSC standards.)<\/strong> The remaining four supplemental criteria categories are outlined in <a href=\"https:\/\/www.aicpa.org\/content\/dam\/aicpa\/interestareas\/frc\/assuranceadvisoryservices\/downloadabledocuments\/trust-services-criteria.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">TSP Section 100.05<\/a> as additional criteria that supplement COSO principle 12.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are also additional specific criteria for the remaining four TSP categories that are covered in TSP Section 100.07.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">So, What Are the 17 COSO Principles?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The 17 COSO framework principles are as follows (note: these are written verbatim from the AICPA 2017 TSP Section 100 document cited earlier):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 1:<\/strong> The entity demonstrates a commitment to integrity and ethical values.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 2:<\/strong> The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 3:<\/strong> Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 4:<\/strong> The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 5:<\/strong> The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 6:<\/strong> The entity specifies objectives with sufficient clarity 
to enable the identification and assessment of risks relating to objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 7:<\/strong> The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 8:<\/strong> The entity considers the potential for fraud in assessing risks to the achievement of objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 9:<\/strong> The entity identifies and assesses changes that could significantly impact the system of internal control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 10:<\/strong> The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 11:<\/strong> The entity also selects and develops general control activities over technology to support the achievement of objectives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 12:<\/strong> The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 13: <\/strong>The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 14:<\/strong> The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 15:<\/strong> The entity communicates with external parties regarding matters affecting the functioning of internal control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 
16:<\/strong> The entity selects, develops, and performs ongoing and\/or separate evaluations to ascertain whether the components of internal control are present and functioning.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Principle 17:<\/strong> The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Two Types of SOC 2 Reports<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re like most people, you\u2019ve at least heard of the SOC 2 report. But what you may not know is that there are actually two types of SOC 2 reports: Type 1 and Type 2. Both reports aim to provide detailed info and assurance about the controls and system an organization uses to process and secure users\u2019 data and protect their privacy. Just how they go about doing so \u2014 and what each report focuses on specifically \u2014 differs from one report to the next, and part of that difference boils down to time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s explore these two reports a little more to better understand SOC2 compliance:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>SOC 2 Type 1 report<\/strong> \u2014 This report covers management\u2019s description of the service organization\u2019s system and the suitability of the <em>design<\/em> of its controls as of a specified date. It answers whether the controls are designed appropriately at that point in time, not whether they actually operated effectively.<\/li>\n\n\n\n<li><strong>SOC 2 Type 2 report<\/strong> \u2014 This report takes the first a step further: it covers not just the description and design of the controls but also tests their operating effectiveness. In the AICPA\u2019s words, it reports on \u201cmanagement\u2019s description of a service organization\u2019s system and the suitability of the design and operating effectiveness of controls.\u201d 
Furthermore, this doesn\u2019t happen over a week or two: the controls are tested across a review period (typically six to twelve months) so that the evaluating CPA can attest that they operated effectively throughout that window, not just on the day of the visit.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Jacob Nemetz, CEO of Dash Solutions, which provides solutions for security compliance in the public cloud, emphasizes the importance of businesses having a SOC report.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cGenerally, a service organization should look at getting a SOC report every year to ensure that there is continuous coverage by the SOC 2 reports. Coverage issues could lead to further security scrutiny by partners or clients.\u201d <\/em><\/p>\n<cite>\u2014 Jacob Nemetz, CEO, <a rel=\"noreferrer noopener\" href=\"https:\/\/www.dashsdk.com\/\" target=\"_blank\">Dash Solutions<\/a><\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">How You Can Get a SOC 2 Compliance Report<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Only a licensed CPA firm can provide one of these reports. Why? Because the AICPA requires that SOC audits and reports are performed only by independent, licensed CPAs. From the beginning to the end of the auditing and reporting process, you\u2019re required to hire the services of a licensed CPA or CPA firm.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, this means that while you might have a great working relationship with your bookkeeper Sue, if she isn\u2019t a licensed certified public accountant, then she can\u2019t perform your SOC 2 audit. 
That\u2019s just the way it is.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations should engage with a reputable SOC 2 audit firm and can expect to deal with the following when going through a SOC 2 audit:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Questionnaires \u2014 <\/strong>Your organization will most likely be provided with a set of questions around your team\u2019s security program, policies and implemented security controls.<\/li>\n\n\n\n<li><strong>Documentation and Evidence Collection \u2014 <\/strong>Teams may be asked to provide evidence of effective controls within the organization. Teams will want to provide current policies and proof that technical security controls are in place (for example, access reviews, change records, and monitoring logs from the review period).<\/li>\n\n\n\n<li><strong>Security Evaluation \u2014 <\/strong>An auditor may ask for <strong>additional<\/strong> evidence or information around internal controls. Teams with SOC 2 compliance gaps may be asked to update their security program and resolve security issues before receiving a report; gaps that remain are recorded in the report as exceptions.<\/li>\n\n\n\n<li><strong>Report Creation \u2014 <\/strong>After an auditor has evaluated your internal controls, they will <strong>write up and provide a SOC 2 report<\/strong> for your organization.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">While an audit firm may work with your organization to ensure that security controls are current, teams should have certain internal controls and documentation in place to simplify the compliance process.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cTeams that are unprepared for a SOC 2 audit often face a longer assessment process, additional scrutiny, and higher overall costs. 
Teams should prepare security controls and collect all relevant evidence to streamline the audit process.\u201d<\/em><\/p>\n<cite>\u2014 Jacob Nemetz, CEO, <a rel=\"noreferrer noopener\" href=\"https:\/\/www.dashsdk.com\/\" target=\"_blank\">Dash Solutions<\/a><\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">To learn more about what SOC 2 compliance entails, what\u2019s involved in the auditing and reporting processes, and just about SOC in general, reach out to a licensed CPA who handles SOC reports. While we\u2019re here to provide you with insights, we\u2019re not licensed CPAs, so be sure to check with the experts!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts on SOC 2 Compliance (TL;DR for You Skimmers)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Yeah, we know all of that was a lot to take in, but we hope this article answered all of your questions relating to &#8220;what is SOC 2?&#8221; or &#8220;what is SOC 2 compliance?&#8221; That\u2019s also why we\u2019d like to include a little summary of what we talked about for those of you who prefer to skim instead of read content:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SOC 2 is one of three types of System and Organization Controls audits and reports that are integral to information security.<\/li>\n\n\n\n<li>They\u2019re useful for providing information about specific entities regarding how they handle and store sensitive or private data in the cloud.<\/li>\n\n\n\n<li>SOC 2 reports can cover one or more of the five trust services criteria, but always include security:\n<ul class=\"wp-block-list\">\n<li>Security,<\/li>\n\n\n\n<li>Availability,<\/li>\n\n\n\n<li>Processing integrity,<\/li>\n\n\n\n<li>Confidentiality, and<\/li>\n\n\n\n<li>Privacy.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>There are common criteria for the TSCs:\n<ul class=\"wp-block-list\">\n<li>Control environment (CC1)<\/li>\n\n\n\n<li>Information and Communications (CC2)<\/li>\n\n\n\n<li>Risk management 
(CC3)<\/li>\n\n\n\n<li>Monitoring of Activities (CC4)<\/li>\n\n\n\n<li>Control activities (CC5)<\/li>\n\n\n\n<li>Logical and physical access controls (CC6)<\/li>\n\n\n\n<li>System operations (CC7)<\/li>\n\n\n\n<li>Change management (CC8)<\/li>\n\n\n\n<li>Risk management (CC9)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>There are 17 COSO principles<\/li>\n\n\n\n<li>Only licensed CPAs can evaluate whether your organization meets SOC2 compliance standards.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re a service provider or other organization that stores customer data in the cloud, regardless of whether you choose to report on just the security trust services criteria or all five TSCs, it\u2019s important that you embrace SOC 2 audits and reports. After all, this type of report tells organizations \u2014 your prospective customers \u2014 that you\u2019re serious about protecting their data. So, why not give them that security assurance by proving that your business stands head-and-shoulders above the competition?&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SOC 2 compliance is about showing organizations that you\u2019re competent and are taking steps to ensure your customers\u2019 data is secure. 
Unlike what the comic suggested at the beginning, you\u2019re not an organization that depends on sheer luck, disorganization, or other unreliable factors to protect their data in the cloud.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>As always, leave any comments or questions below\u2026<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How SOC 2 reports can help cloud service providers stand out from the competition (and make your customers feel more confident in your ability to protect their data) While we&#8230;<\/p>\n","protected":false},"author":17,"featured_media":12480,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[10670,12402],"class_list":["post-12466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-compliance","tag-soc-2","post-with-tags"],"views":13606,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/soc-2-complaince.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12466"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12466\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thessls
tore.com\/blog\/wp-json\/wp\/v2\/media\/12480"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}