SOC 2 Compliance Checklist
Companies build trust with customers and investors when they have their finances audited. Certified Public Accountants (CPA) perform these financial audits using service organization controls (SOC) issued by the American Institute of Certified Public Accountants (AICPA). The audit results provide assurances that businesses have controls in place to protect financial resources and information. Investors and customers use these audited statements to determine whether to invest or do business with an organization.
Similar AICPA audits are performed for security controls regarding confidential and private data that businesses may store. SOC 1 compliance outlines the criteria for achieving compliance regarding financial resources. AICPA SOC 2 compliance applies to personal and sensitive data an organization may keep. Unauthorized access to such data has the potential to compromise or damage a business.
SOC 2 compliance assures customers and investors that service organizations are using data security and privacy best practices. Compliance is especially important for cloud-based service organizations that offer Software as a Service (SaaS) products. SOC 2 compliance for SaaS providers is an objective assessment of the security of a SaaS vendor. It represents an organization's commitment to its customers to secure their sensitive data and sets it apart from the competition.
SOC has three types of compliance.
SOC 1.These standards pertain to internal controls for financial statements and reporting.
SOC 2. The statement includes controls to protect customer data related to the five areas of Trust Services Criteria (TSC) -- security, privacy, confidentiality, processing, and availability.
SOC 3. The SOC 3 report presents SOC 2 results for public consumption.
SOC 2 and SOC 1 have two subtypes. Type 1 audits the security measures in place during a one-time assessment. Type 2 reports on the security measures over a period ranging from three months to one year.
SOC 2 compliance is adherence to the SOC 2 framework as verified by a third-party audit. The framework outlines how sensitive information should be protected in the five areas of Trust Services Criteria (TSC). The SOC 2 framework is based on the following five TSCs:
Security. Addresses how data is protected from unauthorized access.
Availability. Looks at system reliability for end-user access.
Processing Integrity. Verifies that the systems operate as designed.
Confidentiality. Evaluates the processes in place for limiting access and use of stored confidential data.
Privacy. Views the safeguards in place for protecting personal information from unauthorized access.
TSC Security or Common Criteria is always included in a SOC 2 audit. The other four criteria are optional.
The five Trust Services Criteria (TSC) categories are:
Security
Availability
Processing Integrity
Confidentiality
Privacy
SOC 2 compliance is voluntary. There is no mandate that requires service organizations to adhere to SOC 2 compliance requirements. However, receiving SOC 2 compliance indicates a company's commitment to transparency.
Because compliance is optional, companies can select which of the TSCs to include in an audit. Businesses can include privacy and security TSCs for auditing but omit confidentiality, processing integrity, and availability. Security may be the only TSC that is tested. However, if other areas are tested, security must be included. To ensure a successful outcome, organizations should use the following SOC 2 best practices:
Depending on the industry, companies may have security standards in place. For example, any organization that stores or processes transactions of value must adhere to the PCI-DSS standard for debit/credit card processing. For those businesses, they can leverage existing teams to create a cross-functional group to help identify TSC.
When building a new team, organizations should identify a team leader who can select members from across the enterprise, including executives. The participants should come from operational and administrative departments as well as security and IT. A SOC 2 team needs a comprehensive understanding of how data is collected, used, and stored.
Unlike most cybersecurity frameworks, SOC 2 allows organizations to select the criteria that best fit their businesses. Some companies may not need processing integrity if they simply store data. Businesses must include the Security TSC but may choose which of the remaining four TSCs to audit. They can opt to only audit security.
Before scheduling an audit, companies should conduct a self-assessment. Using the applicable controls outlined in SOC 2, the TSC team or a third party should determine if the existing processes and policies meet the requirement. The gaps should be documented, and plans should be made to remediate them before an official SOC 2 audit is scheduled.
Closing control gaps can take time. Policies and procedures may be missing or out of date. They may not reflect the workflows being used or lack the controls to mitigate risk. Critical areas such as access control and change management may not reflect best practices. All gaps should be addressed before scheduling an audit.
Once the gaps have been addressed, conduct a readiness assessment to ensure that the measures work as intended. Whether TSC teams or a third party conducts the readiness assessment, the process should be as comprehensive as possible. This step is the final piece before scheduling an official audit.
SOC 2 audits are performed by an authorized external firm. An audit team will evaluate existing controls and issue a report explaining the findings. Achieving compliance means receiving a seal that can be displayed to indicate adherence to critical security practices. Failing an audit requires businesses to remediate the weaknesses or vulnerabilities before repeating an official SOC 2 audit.
After passing the initial SOC 2 audit, organizations must conduct annual reviews to ensure their documentation and controls are current. Performing annual assessments and audits ensures ongoing compliance.
Governments and industries often have cybersecurity frameworks in place that organizations must comply with. Healthcare has the Health Insurance Portability and Accountability Act (HIPAA). Education has the Family Educational Rights and Privacy Act (FERPA). For service organizations, SOC 2 has become a recognized standard for data security and privacy.
Adhering to SOC 2 compliance requirements demonstrates an organization's commitment to secure operations. Many businesses require SOC 2 compliance from their service providers to ensure a secure supply chain. SOC 2 also provides a security framework that helps service providers strengthen their cybersecurity defenses.
SOC 2 compliance provides businesses with an objective standard for comparing vendor security measures. It allows them to compare vendor practices to determine the best possible solution. However, becoming SOC 2 compliant can be overwhelming, especially for first-time participants. That's why a SOC 2 compliance checklist can help.
A checklist outlines the key steps in achieving compliance. It can identify critical steps when conducting self-assessments and serve as an ongoing outline for annual evaluations. Trava offers a SOC 2 compliance checklist as a pdf free download. Organizations can use it as a guide for developing their own compliance checklist.
Creating a compliance checklist begins with answering some key questions, such as:
Do you need SOC 2 Type 1, Type 2, or both?
Can you accurately describe the security controls in place?
How are you protecting employee, vendor, and customer data privacy?
Do you know which five trust principles you should assess?
Do you have the resources to complete a self-assessment?
Can you leverage existing compliance frameworks?
Using a SOC 2 questionnaire can help focus on the critical areas that should be addressed.
After passing an AICPA SOC 2 audit, organizations receive SOC 2 certification or attestation. SOC 2 compliance seal can be used in marketing materials, and auditing information can be shared with clients. Organizations can ask clients to sign non-disclosure agreements before sharing SOC 2 reports, or they can receive a SOC 3 report that provides audited information that is designed for public consumption.
SOC 2 certification is valid for 12 months. Annual self-assessments and audits are required to maintain compliance. Using existing SOC 2 questionnaires and checklists, companies can streamline their ongoing assessments and audits. They can also look at third-party providers who can help reduce the strain on internal resources.
As mentioned, AICPA SOC 2 compliance requirements revolve around the following five trust criteria:
The primary TSC focuses on protecting systems and the data they store from unauthorized access. This may include firewalls, multi-factor authentication, and zero-trust operations. It is the only TSC that is required for SOC 2 certification.
Auditors look for controls related to the following:
Password Control. Are strong passwords and rotation enforced?
Firewalls. How are firewalls configured at a system and application level?
Physical Security. What procedures are in place to control access to physical servers or network equipment?
Monitoring. What controls are in place to monitor the security systems and processes for potential anomalies?
Availability refers to an organization's ability to ensure authorized users have access to applications and services when needed. Availability controls evaluate the measures in place to detect, prevent, and correct interruptions in service. These include the following:
Disaster Recovery (DR). When the unexpected happens, how quickly can services be restored? Disaster recovery plans explain how an organization will restore services in case of emergencies, such as natural disasters.
Backup Plans. Critical information should be backed up in case of data loss or compromise. It should include information on how frequently backups are performed, the type of backups, and their location. The plan should also address how backups will be restored.
Business Continuity. Disaster recovery and business continuity are not the same. DR should be part of business continuity planning, but it is designed to address short-term emergencies. Business continuity addresses how an organization will operate in the face of operating changes such as a global pandemic or geopolitical unrest.
Process integrity controls ask how an organization plans to protect the confidentiality, security, and privacy of information when it is in use. For example, SaaS providers using subscription models must have controls in place for processing payments. They may involve credit/debit card payments or direct debit from a customer account. SaaS vendors must have controls in place to protect the information when it is in-transit to a financial institution.
These controls also require procedures for capturing and correcting errors that may occur during processing. Auditors are looking for quality assurance processes that ensure accurate and consistent data processing. They are also assessing the methods in place to monitor critical system processing.
Confidentiality is not the same as privacy. Confidential information is sensitive data that can only be accessed by authorized users. It could include business plans, intellectual property, or security plans for upcoming events. The controls must address both logical and physical access to confidential information.
Many of the confidentiality controls are addressed under other TSCs, such as access control and physical security. Encryption controls may be applied to stored or at-rest data, but confidentiality requires that information be encrypted while in transit. Auditors will also look at data loss prevention capabilities to prevent misdirected emails or unauthorized attachments.
Privacy controls evaluate how well an organization protects personally identifiable information (PII) or data that can be used to identify an individual, such as name, address, banking information, or real estate data. The European Union's recently updated privacy act (GDPR) is considered the world's most comprehensive data privacy law; however, states such as California are looking to implement similar laws.
Privacy laws require that companies provide clear details regarding their use of personal information. Auditors will be looking for privacy statements on websites, documents, and authorization forms.
SOC 2 Type 1 compliance looks at the policies and procedures in place for meeting SOC 2 compliance requirements. Type 2 audits evaluate how well the documented processes perform as intended.
Many organizations achieve SOC 2 Type 1 compliance before attempting a SOC 2 Type 2 audit. It allows them to attest to SOC 2 compliance while putting the safeguards in place to achieve a SOC 2 Type 2 attestation. The two-step process allows organizations to demonstrate their commitment to secure operations while working to put the policies in place.
Determining how to approach SOC 2 compliance can be a daunting task. It can also be time-consuming and costly. Rather than employ a trial-and-error approach, organizations should consider a third-party partner such as Trava to help guide them through the process using cost-effective methods to help save time and money. Contact our team of cybersecurity experts to schedule a free consultation.