SOC 2 audit reports were designed for business associates such as IT-enabled SaaS and cloud computing service providers that store data in the cloud. They are internally facing audit reports produced by an external SOC 2 auditor.
SOC 2 is not a regulation like HIPAA, GDPR, or CCPA, and isn’t required for SaaS or cloud vendors. However, for companies that handle electronic personal health information (ePHI) —or any other personal data — SOC 2 is a data best practice. It ensures that a business associate’s data privacy and security policies are in alignment with a company’s data privacy regulations and can be adapted for service providers that need to comply with multiple regulations.
What is SOC?
Companies that outsource to vendors must make sure that they choose vendors who have effective internal controls. These standards are known as SOC or Service Organization Control.
SOC reports for service providers are audit reports performed by an independent auditor that prove vendors meet the requirements of the companies that do business with them. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. They are not upgrades of each other but different kinds of reports.
SOC 1 focuses on a service provider’s financial reporting, whereas SOC 2 and SOC 3 both scrutinize a vendor’s security and data protection. The difference between SOC 2 and SOC 3 is restricted use. A SOC 3 report can be openly distributed, but a SOC 2 report is internal and limited to the vendor and the company requesting it from the vendor.
Today, any company that stores customer data in the cloud should strive to meet SOC 2 requirements to minimize the risk of unauthorized exposure and liability.
What is SOC 2 Compliance?
The American Institute of CPAs (AICPA) designed SOC 2 for outsourced IT-enabled SaaS and cloud computing service providers that handle a company’s data. At its core, SOC 2 is primarily an auditing procedure that ensures SaaS and cloud-computing providers securely manage data to protect both the privacy of a business’s clients and its interests.
But SOC 2 is more than just a technical audit. It also establishes strict criteria that vendors must comply with to properly and securely manage customer data following five Trust Service Principles: security, availability, processing integrity, confidentiality, and privacy.
What are the five Trust Service Principles of SOC 2?
SOC 2 audit reports ensure that companies maintain internal corporate governance, risk management, and regulatory oversight by requiring their service providers to manage data according to these five Trust Service Principles.
1. The Security Principle
Security means the protection of data during its collection, use, processing, transmission, and storage. It also means the protection of the systems that process, transmit, and store the information and that allow the primary organization to meet its goals.
Security can include access controls, network and web application firewalls, two-factor authentication, and intrusion detection to protect data and the data systems against abuse, theft, misuse, breaches, and any other unauthorized access of data and systems.
2. The Availability Principle
Availability refers to the accessibility of the systems, data, services, and products as outlined in the service level agreement (SLA) with a company to manage its daily business processes.
The availability principle isn’t focused on functionality and usability, but rather on the systems themselves, such as controls to support accessibility for operations and monitoring of network performance. For example, a backup site failover plan, should any incident occur that impedes the availability of systems, would be governed by the availability principle.
3. The Processing Integrity Principle
The processing integrity principle has to do with whether a system is doing its job by processing data that is complete, valid, accurate, timely, and authorized. Processing integrity is more concerned with the processing behavior itself rather than the integrity of the data. However, systems should function free of error, delay, omission, and any unauthorized or accidental manipulation of data.
4. The Confidentiality Principle
The confidentiality principle governs a company’s ability to protect its confidential information throughout the data lifecycle until the data’s removal. Confidentiality is not the same as privacy in that privacy deals with personal information. In contrast, confidentiality — while it can include personal information — is intended for information that a company needs to control, such as intellectual property.
Confidential requirements included in contracts or legal clauses would also fit under the umbrella of the confidentiality principle. Other information might be trade secrets, proprietary information, business plans, or sensitive financial information. Protections under this principle may involve encryption, firewalls, access controls, and any other safeguards for information processed or stored on systems.
5. The Privacy Principle
The privacy principle focuses entirely on personal information that is collected, used, stored, disclosed, and disposed of in line with a company’s objectives and privacy policies.
Personal information is any information that can identify an individual. Personal information can include a name, home or email address, ID numbers, physical characteristics, purchase history, medical or health history, financial information, IP addresses, or biometric identifiers, and other identity indicators. Electronic personal health information (ePHI), as outlined by HIPAA, would fall under the privacy principle.
The SOC 2 privacy principle follows the criteria established by the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles that manage and prevent privacy risks.
What are SOC 2 Reports?
SOC 2 has two different report types that are the output of SOC 2 audits by external auditors. A SOC 2 Type I report assesses and reports on the design and functionality of a service provider’s system controls at a given point in time. A SOC 2 Type II report tests and reports on a service provider’s controls over a period of time (a minimum of six months), which attests to the operating effectiveness of its system controls.
Companies can request SOC 2 reports from SaaS or IT-enabled cloud service providers to assess and monitor any risks associated with a third party’s technology services. Vendors can also request the audits and reports on themselves. SOC 2 reports give companies vital information about how vendors manage data and maintain controls around their systems and processes involving sensitive data.
To put it simply, when a business associate is SOC 2 compliant, companies feel more confident trusting it to handle their data. For companies that handle electronic personal health information (ePHI) and are subject to HIPAA, or that need added privacy and security controls to meet other data privacy regulations, SOC 2 reports add another layer of assurance against violations or data breaches.