Data breaches continue to be a pressing concern for companies worldwide. According to the most recent Data Breach Report, the number of reported data breaches in the first quarter of 2019 is up to 56.4% higher than what was reported in the same period last year.
Indeed, information security has become a prime concern for many organizations around the world including those who outsource their business requirements to third-party organizations such as SaaS (software as a service) and cloud computing providers. And this is not a shock since mishandled data can leave companies vulnerable to security attacks like data theft, malware installation, and extortion.
What is SOC 2?
Service organization control (SOC) 2 is an auditing procedure designed to ensure that third-party service providers or simply, service organizations, can securely manage data to protect the interests and privacy of its clients. For many businesses, compliance to this auditing procedure is a prerequisite in looking for a service provider.
Prior to SOC 2, the standard for auditors was the Statement of Auditing Standards No. 70 (SAS 70) which was performed by certified public accountants. Introduced in the early 90s, the intent of the SAS 70 was to report on the effectiveness of different internal function controls. In the 2010s, the AICPA introduced SOC 1 and SOC 2 reports to address the growing requirement of firms to prove and announce their state of security.
Developed by the American Institute of CPAs (AICPA), it sets criteria for managing customer data based on trust service principles of data– availability, confidentiality, processing integrity, privacy, and security. Below is a brief description of the said trust service principles:
This principle refers to the accessibility of a system, product, or service as specified in a contract or service level agreement. It typically applies to firms providing services such as colocation, hosting, and data center to clients. In short, it demands service providers to ensure that their system is available for operation and utilization as agreed upon in the contract.
This principle addresses agreements that a service organization has with its clients regarding the use, access, and protection of information. If the service that a third-party organization offers handles sensitive data like business plans, financial information, and intellectual property, then it is required that the confidentiality principle is present in the SOC 2 report.
This principle pertains to whether a system of the service entity can achieve its purpose like delivering the right data at the right time and at the right price. It refers to complete, valid, accurate, timely, and authorized data.
This principle is commonly applied to all engagement and addresses whether the system protects against unauthorized access. Access controls can prevent security breaches such as disclosure of information, misuse of software, unauthorized removal of data, and potential system abuse.
It is the principle that addresses how a third-party vendor collects and uses personal information. It takes into consideration the disclosure and disposal of data in line with the privacy notice of the organization as well as the criteria expressed in the generally accepted privacy principles of the AICPA. Personal information include details such as name, address, and social security number of an individual.
In short, a SOC 2 report can be considered as an an attestation that a service organization has put in place certain controls to meet the some or all of the above-mentioned trust service principles.
There are two SOC report types—type 1 which describes the systems of a vendor and tackles whether it is capable of meeting relevant trust principles as of a specified date and type 2 which details the operational effectiveness of the said systems throughout a disclosed period of time.
What is SOC 2 Type 1?
To be more specific, a SOC 2 Type 1 report details the suitability of the design controls to the service organization’s system. It details the system at a point in time particularly its scope, the management of the organization describing the system, and the controls in place.
Key to this report is its ‘as of’ date meaning it deals with the specifics of a system within a particular point in time. The auditor will base his or her report on the description of the controls and review of documentation around these controls.
As a proof of compliance to the AICPA auditing procedure, SOC 2 Type 1 report shows that a SaaS firm has best practices in place. There are numerous benefits that this report can provide to any service entity.
SOC 2 Type 1 report is particularly helpful to service companies as it can make them more competitive. It gives potential customers the assurance that a service organization has passed the said auditing procedure, and that their data is safe if they work with the SOC 2-compliant company.
There is an increased customer demand for SOC 2 Type 1 report as cybercrime cases mount. Companies now want to work with vendors who can prove that they can manage or handle sensitive data well. This report is now considered a necessity for companies handling customer data like healthcare firms and financial institutions.
Generation of a SOC 2 Type 1 report is also quick after a service entity completes a readiness assessment. Clients commonly look for this report when shopping for a third-party vendor, especially since the other type of SOC 2 report, Type 2, can take up to a year to be completed.
Moreover, audit for this report is generally less expensive since auditors require minimal data to determine the compliance posture of a service organization. There is also no need to involve the staff or provide as much documentation as one would have to when submitting for a Type 2 report.
Service organizations should strive for SOC 2 Type 1 compliance especially when trying to partner with bigger firms, who are particularly wary of security. Bigger companies are more likely to partner with service entities that have a SOC 2 Type 1 report prepared by a reputable auditor. In short, compliance to this auditing procedure gives a competitive advantage to the service provider.
What is SOC 2 Type 2?
While SOC 2 Type 1 compliance has many benefits, it pales in comparison with compliance to SOC 2 Type 2. It can be said that SOC 2 Type 2 compliance gives a level higher of assurance compared to SOC 2 Type 1. To be able to comply with this requirement, a company should pass a thorough examination of its internal control policies and practices over a particular period of time by an auditor.
With SOC 2 Type 2 report, a service firm can send a powerful message to potential customers that it applies the best practices on data security and control systems. Service entities with this compliance stand to bag more contracts from bigger firms.
Like SOC 2 Type 1 report, SOC 2 Type 2 looks at the five trust principles of data processing and storage– availability,confidentiality, security, privacy, and processing integrity.
Although complying with SOC 2 Type 2 can require a significant investment not only in capital but also working hours, it can distinguish a service provider from other companies that have not passed this type of audit.
SOC 2 Type 1 vs Type 2 Differences
As evident in the definitions and examples illustrated above, both SOC 2 Types 1 and 2 have similarities. Both reports tackle the reporting controls and processes of a service organization related to the five trust principles of data.Moreover, pursuing compliance to SOC 2 whether type 1 or type 2 is voluntary. It is not required by organizations or regulations like the Health Insurance Portability and Accountability Act (HIPAA) or by the Payment Card Industry Data Security Standard (PCI-DSS).
Still, many service providers are pursuing compliance to SOC 2 because of their desire to assure customers that they have the processes and controls to protect data. And it is also becoming a more common practice for customers or user entities to request for SOC compliance or results from their service providers.
But there are also differences between SOC 2 Types 1 and 2. Arguably the most apparent or glaring difference is the period of coverage of the report. In a Type 1 audit, the report covers the design effectiveness of internal controls as of a specific point in time, like September 30, for example. The report only covers the effectiveness of the internal controls designed to meet the service provider’s objectives. It also affirms the suitability of the said controls to the accomplishment or attainment of the objectives.
On the other hand, a SOC 2 Type 2 audit report covers a longer period of time. This can range from six to 12 months although the most common period is 12 months. It tackles the design of internal controls and its operating effectiveness over time to achieve set objectives.
Because of the coverage of a SOC 2 Type 2 report, it also follows that it takes more time and effort for service providers to prepare for it. There is no need to wait for full controls to be in place.
Yet the additional time and resources devoted for compliance to SOC 2 Type 2 yields more value to companies. It tells what a service provider is actually doing to protect sensitive data of its customers. It also appeals to prospective customers and other stakeholders such as partners and insurance firms.
Moreover, SOC 2 Type 2 report delves further into the areas covered in a Type 2 engagement. Below are some of the sections typically in a SOC 2 Type 2 report:
- Assertion– in this part of the report, the auditor will determine if the description of the system provided as a service is fairly represented in the audit report. It specifically measures the description against the trust service principles.
- Independent service auditor report– this summarizes the opinion of the auditor on the effectiveness of the controls when mapped against the trust services criteria.
- System overview– this section provides a background of the service organization including description and purpose of the system covered and the physical location and industry of the service provider.
- Infrastructure– it offers a detailed description of the processes, policies, software, and data utilized by the organization. This often includes information about the physical location, area, and status of SOC audits that the third party service provider has completed or currently pursuing. It also gives an overview of technologies utilized in the environment like networking hardware, backup configuration, and database types, amongst others.
- Significant aspects of control environment– this section reports on the control environment of the service provider including risk assessment processes, information or communication systems, and monitoring of controls.
It should be noted that there is no pass or fail grade in a SOC 2 audit. Instead, the auditor gives an opinion as to how the service entity adheres to the trust service principles. If the auditor’s opinion agrees with the service provider’s assertion, the latter will receive a clean or unmodified opinion which practically states that the firm can be trusted.
It is possible for a company to still receive a ‘clean’ report even if there are minor exceptions on the assessed controls. However, an adverse opinion may be given if there are significant exceptions noted like failure to provide sufficient evidence of control.
In a nutshell, both SOC 2 Type 1 and Type 2 report on controls and processes of a service organization in relation to the trust services criteria. There are other similarities between the two but the main difference is that Type 2 tackles the controls at a specific point in time while a SOC 2 Type 2 report attests the effectiveness of the controls over a longer period, usually 6 to 12 months.
Service entities should strive to achieve SOC 2 compliance because of its many benefits. Being SOC 2 compliant increases customer trust and enhances the reputation of an organization. It also increases data protection and promotes organizational vulnerability awareness.
RSI Security can help companies achieve SOC 2 compliance. One of the top cybersecurity and compliance providers in the world, RSI Security can help service organizations demonstrate their commitment to security and compliance.