SOC II Compliance
Information security is important for all organizations, including, but not limited to, cloud-computing providers and Software-as-a-Service (SaaS) companies. Data can be mishandled by application and network security providers, leaving these enterprises vulnerable to cyber threats such as extortion, data theft, and malware installation.
SOC II Compliance is important to such organizations: it provides an auditing procedure that lets them demonstrate that they securely manage data and protect their clients’ privacy.
What is SOC II Compliance?
SOC II Compliance was developed by the American Institute of CPAs (AICPA). SOC II defines criteria for managing customer data. It is based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. SOC II Compliance reports are tailored to each business and its unique practices, allowing for controls that align with the trust principles.
There are two different types of SOC reports:
- Type 1, which describes a vendor’s systems and whether their design meets the relevant trust principles.
- Type 2, which details the operational effectiveness of those systems.
SOC II Certification
When a SaaS company goes for SOC II Compliance certification, it is assessed by third-party auditors. Internally, a team within the company works to prepare the organization to meet all of the criteria for SOC II Compliance. After certification, the company continues to monitor itself and improve continuously in order to re-certify. There are five principles the company must work to align itself with.
- Security
Security protects system resources from unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and any inappropriate changes to or disclosure of information. Several tools can help prevent security breaches here, including network and web application firewalls (WAFs), two-factor authentication, and intrusion detection.
- Availability
This principle speaks to the accessibility of the system itself and its products and/or services, as defined by contracts or service level agreements (SLAs). The principle does not address system functionality and usability, but it does involve security-related criteria that could impact availability. The company must monitor network performance and availability while also being prepared for security incidents and knowing how to respond to and handle them.
- Processing Integrity
Addressing whether or not a system achieves its purpose is the third principle, processing integrity. Does the system deliver accurate data when it is needed? All data processing in the system must be complete, valid, accurate, timely, and authorized. Data processing must be monitored and coupled with quality assurance procedures that can also ensure data integrity.
- Confidentiality
Data in a system can be considered confidential when access to and disclosure of it are restricted to authorized people or groups. Confidential data can include client information, intellectual property, and sensitive financial data, to list a few examples. Encryption is key here in order to protect confidentiality during data transmission. Rigorous access controls and implementing network and application firewalls can safeguard information that is processed or stored on the company’s systems.
- Privacy
Privacy covers the system’s collection, use, retention, disclosure, and disposal of personal information. This handling must align directly with the company’s privacy notice along with the criteria set out in the AICPA’s generally accepted privacy principles (GAPP). Personally identifiable information (PII) refers to data that can identify an individual. This type of information includes Social Security numbers, addresses, names, birthdates, etc. Other types of sensitive information can include information about one’s race, health, religion, or sexual orientation. All of these types of information and data are required to be held with extra levels of security, and certain controls must be put into place for all PII in order to prevent unauthorized access.
SOC II Compliance is of utmost importance to cloud and SaaS companies, especially in today’s age. Protecting company data and client data is a top priority that requires great focus, hard work, and diligence. When a company, such as a SaaS company, is SOC II Compliant, it means:
- The company knows what normal operations look like, monitors for threats, monitors user access levels, and can become immediately aware of unauthorized activity.
- The company has the tools in place to recognize threats and alert appropriate members of the organization to evaluate the threat in order to continue to protect data and the company’s systems.
- The company will have information on security incidents in order to understand the scope of any potential issue and begin to remediate systems and processes while restoring data and process integrity.