SOC 2 compliance is an esteemed designation earned by organizations that pass a SOC 2 audit. The audit is performed by independent, impartial outside auditors against a framework developed by the American Institute of CPAs (AICPA).
To earn SOC 2 attestation, a service organization must meet the following five trust service principles.
Security. SOC 2 auditors assess the policies, processes, and controls put in place to protect systems from unauthorized access. Such controls might include intrusion detection, firewalls, or two-factor authentication. These security measures are intended to prevent system breaches, hacking, and the unintended disclosure or alteration of data stored in the system.
Confidentiality. Auditors also evaluate the safeguards put in place to protect confidential data during storage and transmission. Confidential data might include intellectual property, proprietary business data, legal documents, transaction details, or engineering plans: essentially any information restricted to a particular person or group. A cloud or SaaS service provider can put controls in place to block unintended access to confidential data while it is being transmitted or stored in the system. These might include firewalls, encryption, or access controls, along with policies for identifying confidential data, retaining it for a set period of time, and erasing or destroying it once the retention period has expired.
Privacy. How a service provider safeguards personally identifiable information is also part of a SOC 2 audit. Personally identifiable information encompasses any details that might identify an individual, for example a person's name and address, race, sexual orientation, religion, or Social Security number. It also encompasses sensitive health records, credit details, and financial information. SOC 2 auditors assess the system's ability to maintain the privacy of that personally identifiable information during storage, transmission, use, and disposal. Auditors also check that the organization keeps the promises set forth in its privacy policy and that it complies with AICPA's own generally accepted privacy principles.
Availability. SOC 2 compliance requires that a service provider's product or solution operate at the minimum performance levels promised in its service level agreement or contract. This covers both network availability and incident handling. Areas an auditor might investigate include the company's handling of security incidents and its disaster recovery processes. Controls in place to safeguard availability might include detection measures, environmental protection procedures, or routine testing of backup system integrity.
Processing integrity. Finally, auditors evaluate how well a system achieves its intended objective. This means not only its ability to deliver the right information in a timely manner, but also that the data is complete, valid, and authorized, and that it accurately reflects what the user originally entered into the system. Processing integrity might be compromised if, for example, transactions are processed in duplicate, or if transactions submitted to the system contain errors or inaccuracies.