SOC 2 Resources
SOC 2 Compliance Handbook: The 5 Trust Services Criteria
Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSP) you want to include in your SOC 2 audit report. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process.
SOC 2 COMPLIANCE CHECKLIST
Are you ready to begin your SOC 2 audit but need a little guidance on how to get started? Do you know what system components are evaluated during a SOC 2 audit? Do you know what your auditors are looking for? Download this free SOC 2 compliance checklist to help steer you in the right direction and prepare for your SOC 2 compliance audit.
Combining SOC 1 and SOC 2 Audits
We get a lot of questions about SOC 1 and SOC 2 audits. What’s the difference between the two? Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and SOC 2 audit.
10 Most Common SOC 2 Gaps
A SOC 2 audit is a form of proactively assessing your organization’s information security program. You’ll see how your organization stands up against SOC 2 standards and learn from an information security experts on where your vulnerabilities lie. But, how do you prepare for something as big of an undertaking as a SOC 2 audit?
Sigstr’s Commitment to Security: The SOC 2 Journey
Sigstr helps the world’s best marketers do amazing things with their employees’ emails. The average person spends 6.3 hours in their inbox every day. Sigstr gives marketers the ability to serve targeted ads to their audience where they’re spending the majority of their time: the inbox. This connectivity between Sigstr and email clients presents information security risks that Sigstr must address.
We sat down with Brent Mackay, Director of Product Management and Data Protection Officer at Sigstr, to discuss what their team learned through the SOC 2 audit process and how it gives Sigstr a competitive edge in the email and marketing application space.
How to Read Your Vendor’s SOC 1 or SOC 2 Report
Most organizations outsource some aspect of their business to vendors, whether it’s to perform a specific, integral task or replace an entire business unit. Vendors can be in roles like customer support, financial technology, record storage, software development, or claims processing. Using vendors can further an organization’s business objectives, enable them to function more effectively, and may be more cost-efficient. With all these opportunities, organizations must remain aware of the risks vendors carry with them.
Let’s take a look at some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.
How to Hire a CPA Firm for Information Security Audits
Before choosing an audit firm to work with, you must understand why, for some types of audits, you need a CPA firm to perform the services. Clients and prospects ask us all the time why accountants are allowed to perform information security audits. We understand the confusion behind this sentiment and want to provide some clarity.
Why is a SOC 2 Valuable for Software Companies?
Regardless of the products they offer or the industries they serve, there’s one thing all software companies have in common: the responsibility of securing user data. With the advancing threat landscape, ensuring that an organization’s software remains as secure, available, and confidential as is available on the market has become more difficult. Recognizing this, our client Ziflow, the leading enterprise online proofing software solution for enterprise agencies and brands, continues to pursue and achieve SOC 2 compliance, serving as a prime example of just how valuable SOC 2 attestations are for software companies.
Why Would a Healthcare Organization Need a SOC 2?
No one wants to work with an at-risk healthcare provider. If someone is looking to use your services, they want to know how secure your healthcare organization actually is. You may think that you have a secure healthcare organization, but does an auditor? With more and more healthcare security breaches being reported to the HHS, it’s more important than ever for covered entities and business associates to demonstrate their commitment to keeping protected health information (PHI) secure, providing quality healthcare services, and putting their patients’ well being first.
Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.
What Makes a SOC 2 Audit Successful?
What happens after you receive your SOC 2 report? You’ve just used many resources – maybe even some that you were strapped to allocate – to go through a gap analysis, remediate the findings, and then begin the SOC 2 Type I and/or Type II audit. It’s a massive project that you should be proud to finish…but what now? What makes a SOC 2 audit successful? How do you make the most out of your compliance?
Let’s take a look at four ways to prove that your SOC 2 audit was successful using one of our client’s SOC 2 audit journey as an example.
SOC 2 Reporting Update: 2017 Trust Services Criteria
You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.” Why the changes? The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO framework and ways to better address cybersecurity risks.
SOC 2 vs. ISO 27001: Which One Do You Need?
SOC 2 and ISO 27001 audits are similar in intention; they both help organizations protect the data that they are responsible for. How are they different, though, and which one meets your organization’s needs?
How Can a SOC 2 Bring Value to MSPs?
As vendors, managed service providers (MSP) are sought out to help entities create and maintain a strong security posture – they shouldn’t bring more risk into their clients’ environments. When organizations engage with MSPs, they want to know how secure their organization really is and will often ask that the MSP undergo a SOC 2 audit before engaging with their services. So, while you may think that your services are secure, will an auditor? Will a malicious hacker find vulnerabilities to exploit?
Let’s take a look at how a SOC 2 audit could bring value to MSPs’ reputations, marketing initiatives, and competitive advantages.
What’s the Difference Between SOC for Cybersecurity and SOC 2?
The AICPA recently added a new offering to its SOC suite: SOC for Cybersecurity. The difference between SOC 1, SOC 2, and SOC 3 has always been fairly clear-cut based on factors like internal control over financial reporting, the Trust Services Criteria, and restricted report use.
Now, we have a new player in the game.
SOC 2 Academy: Access Controls for Remote Employees
During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.7. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” While we’ve discussed ways that organizations can comply with this requirement, let’s take a look at how an organization’s environment can change the way they approach compliance with common criteria 6.7.
SOC 2 Academy: Additional Points of Focus for Logical Access
While not requirements, points of focus are meant to serve as references to assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. When it comes to implementing logical access controls, there are some additional points of focus that will help organizations ensure that their information security systems remain secure. Let’s take a look at how these additional points of focus will help service organizations comply with common criteria 6.1 during a SOC 2 audit.
SOC 2 Academy: Assessing Changes Within Your Organization
When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.4 (CC3.4) states, “The entity identifies and assesses changes that could significantly impact the system of internal control.” Let’s take a look at what organizations need to do during their SOC 2 audit to demonstrate compliance with common criteria 3.4.
SOC 2 Academy: Assessing the Significance of Risks
During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” When an auditor is assessing an organization’s compliance with this, they will observe how an organization is assessing the significance of risks found in their risk assessment. Let’s take a look at what organizations need to do to demonstrate compliance with common criteria 3.2.
SOC 2 Academy: Assigning Roles and Responsibilities
During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.3. Common criteria 6.3 says, “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.” How can organizations comply with this requirement? It comes down to three things: assigning roles and responsibilities, implementing the concept of least access necessary, and creating a separation of duties.
SOC 2 Academy: Attracting, Developing, and Retaining Confident Employees
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the SOC 2 Trust Services Criteria. Common criteria 1.4 says that an organization must demonstrate a commitment to attracting, developing, and retaining competent employees in alignment with objectives. How can organizations do this? Let’s discuss.
SOC 2 Academy: How Does an Auditor Test for Integrity?
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 states, “The entity demonstrates a commitment to integrity and ethical values.” So, what does an organization need to do to demonstrate this? How will the auditor test for integrity? Let’s discuss.
SOC 2 Academy: A Board’s Independence from Management
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.2 states, “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” Let’s take a look at how boards of directors can demonstrate independence from management and some exceptions to the requirement.
SOC 2 Academy: Change Control Processes
While understanding how to prevent and detect unauthorized software from being installed on your network is important, organizations pursuing SOC 2 compliance should also implement change control processes to mitigate any further risks of unauthorized software being installed. When an organization engages in a SOC 2 audit, an auditor will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria.
Common criteria 6.8 says, “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.” Let’s take a look at how implementing change control processes can help organizations comply with this criterion.
SOC 2 Academy: Change Management Best Practices
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 8.1 says, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” How can organizations be sure that they’re complying with this criterion? Let’s discuss some change management best practices that organizations should be following.
SOC 2 Academy: Classifying Confidential Information
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in their audit, they would need to comply with the additional criteria for confidentiality.
Confidentiality criteria 1.1 says, “The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why organizations should be classifying confidential information.
SOC 2 Academy: Communicating with External Parties
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.3 says, “The entity communicates with external parties regarding matters affecting the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss how to organizations should be communicating with external parties.
SOC 2 Academy: Communicating with Internal Parties
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss communicating with internal parties during an audit.
SOC 2 Academy: Complete, Accurate, and Timely Outputs
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in their audit, they would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.4 says, “The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.” Let’s discuss why it’s important for organizations to deliver complete, accurate, and timely output when pursuing SOC 2 compliance.
SOC 2 Academy: How Contractual Obligations Impact Confidential Information
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in their audit, they would need to comply with the additional criteria for confidentiality. Confidentiality criteria 1.2 says, “The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss.
SOC 2 Academy: Data Backup Processes
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability.
Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” We’ve discussed how organizations can comply with this criterion, but we believe there’s a key component that requires further discussion: data backup processes. Let’s take a look at why organizations need to have proper data backup processes and how it impacts SOC 2 compliance.
SOC 2 Academy: How is Data Put Into Your System?
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity.
Processing integrity criteria 1.2 says, “The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why organizations need to understand how data is put into their system.
SOC 2 Academy: Dealing with External Threats
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.6 says, “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” How can organizations be sure that they’re complying with this criterion? Let’s discuss.
SOC 2 Academy: Defining the Responsibilities of Employees
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.3 (CC1.3) states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Let’s discuss at how organizations can go about defining the responsibilities of employees and what auditors will be looking for.
SOC 2 Academy: Designing and Implementing Environmental Protections
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability.
Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s find out why organizations should be designing and implementing environmental protections.
SOC 2 Academy: Designing Processes for Your Technology
During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 5.2.
Common criteria 5.2 says, “The entity also selects and develops general control activities over technology to support the achievement of objectives.” This means that organizations need to design and develop processes to ensure that the technology being used is effective and helping the organization meet its business objectives. How can organizations go about designing processes for their technology? Let’s discuss.
SOC 2 Academy: Detect and Monitor Changes in Your System Configurations
When an organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.1 says, “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.” What will an auditor look for when assessing this criterion? What do organizations need to do to demonstrate that they have processes to detect and monitor changes in their system configurations? Let’s discuss.
SOC 2 Academy: Disposing of Physical Devices
When a service organization pursues SOC 2 compliance, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.5 says, “The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.” Let’s take a look at why disposing of physical devices is important.
SOC 2 Academy: Documentation of Inputs
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in their audit, they would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.5 says, “The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.” Let’s take a look at why your organization needs documentation of inputs if you’re pursuing SOC 2 compliance.
SOC 2 Academy: Evaluations of Internal Control
When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.1 (CC4.1) states, “The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Why is it so important that organizations effectively perform evaluations of internal control? Let’s find out.
SOC 2 Academy: Expectations of Policies and Procedures
Like with many other frameworks, including PCI DSS and HIPAA, policies and procedures are an integral component of achieving SOC 2 compliance. Why? Because during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 SOC 2 Trust Services Criteria. As part of that, an auditor will verify whether or not an organization complies with common criteria 5.3, which says, “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.” Let’s take a look at how organizations can demonstrate compliance with common criteria 5.3 and what expectations of policies and procedures auditors will have.
SOC 2 Academy: Holding Your Employees Accountable
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.5 (CC1.5) states, “The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” What do organizations need to do to demonstrate that they are holding employees accountable? Organizations can implement accountability measures through positive and punitive reinforcements, but what does that look like? Let’s discuss.
SOC 2 Academy: How Fraud Can Impact Risk
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.3 (CC3.3) states, “The entity considers the potential for fraud in assessing risks to the achievement of objectives.” This means that organizations must consider how fraud can impact risk. What does an organization need to do to comply with common criteria 3.3? Let’s find out.
SOC 2 Academy: Identifying Logging Errors
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.3 says, “The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.” Let’s discuss why identifying logging errors is crucial to complying with this criterion.
SOC 2 Academy: Identifying Vendors as Carve-Out or Inclusive
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.1 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s discuss the difference between identifying your vendor as carve-out or inclusive and why it matters during a SOC 2 audit.
SOC 2 Academy: Implementing Internal Controls
When an organization undergoes a SOC 2 audit, auditors need to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 5.1 says, “The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” What will an auditor look for when assessing this criterion? What do organizations need to do to show how they are implementing internal controls? Let’s discuss.
SOC 2 Academy: The Importance of Organizational Communication
Communication is one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” For any type of organization to operate efficiently, there needs to be established avenues of communication for all employees. How will an employee know who to report an issue to if they are unaware about who should receive such information? How does an organization’s management relay expectations or concerns to their employees? During a SOC 2 audit, demonstrating that an organization effectively communicates is especially important. Let’s discuss the importance of two-way communication.
SOC 2 Academy: Incident Response Best Practices
When an organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.3 says, “The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with common criteria 7.3? Let’s take a look.
SOC 2 Academy: Incident Response Teams
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.4 says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” Let’s take a look at what organizations need to do to comply with this criterion and why it’s important to establish incident response teams.
SOC 2 Academy: Integration with the COSO Framework
The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls and is split into five components: control environment, risk assessment, information and communication, monitoring activities, and existing control activities.
SOC 2 Academy: Internal Control Deficiencies
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.2 says, “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss.
SOC 2 Academy: Who Should Make Updates To Your Risk Assessment?
During a SOC 2 audit, an auditor will assess an organization’s risk assessment processes. This includes not only assessing how the organization assesses risk, but the people involved in the risk assessment process as well. Auditors will want to see that the organization has a process in place regarding who should make updates to the risk assessment. Why is that? One of the common findings of SOC 2 audits is that organizations treats their risk assessment as something that they update without much thought from the previous year, and they often don’t involve the appropriate members from the organization to contribute to the risk assessment process. Why is teamwork important during a risk assessment? Who should make updates to the risk assessment? Let’s discuss.
SOC 2 Academy: Making Informed Decisions
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.1 states, “The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.” Let’s discuss why it’s important that service organizations demonstrate that they are making informed decisions during their SOC 2 audit.
SOC 2 Academy: How to Manage Risks
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 (CC3.2) states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” We’ve discussed the different types of risks organizations can face and the importance of using the findings of a risk assessment, so let’s take a look at how to manage risks and what organizations need to do to demonstrate compliance with common criteria 3.2.
SOC 2 Academy: Managing Vendor Risk
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.2 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s take a look at key ways organizations can manage vendor risk.
SOC 2 Academy: Mitigating Risks that Lead to Business Disruptions
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.1 says, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” How can organizations be sure that they’re complying with this criterion? Let’s discuss why organizations need to mitigate risks that lead to business disruptions.
SOC 2 Academy: Who is Monitoring Internal Controls?
Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will not only assess whether or not an organization is effectively monitoring their internal controls but also whether or not the proper person is monitoring those internal controls. Why is that? It comes down to the need for checks and balances, so let’s discuss.
SOC 2 Academy: Movement of Data
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” How does understanding the movement of data influence SOC 2 compliance? What will auditors be evaluating when assessing an organization’s compliance with common criteria 6.7? Let’s discuss.
SOC 2 Academy: How to Perform a Thorough Inventory
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.1 says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” While we have discussed many points of focus that organizations should consider when complying with common criteria 6.1, there’s still one critical component to review: performing a thorough inventory of your assets. Let’s discuss.
SOC 2 Academy: Performing Daily Log Reviews
Common criteria 7.2 of the 2017 Trust Services Criteria says, “The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.” When an auditor verifies an organization’s compliance with this criterion during a SOC 2 audit, they’ll use the following points of focus to guide their assessment:
- Does the entity implement detection policies, procedures, and tools?
- Does the entity design detection measures?
- Does the entity implement filters to analyze anomalies?
- Does the entity monitor detection tools for effective operation?
SOC 2 Academy: Physical Security Controls
During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.4. Common criteria 6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.” How can organizations comply with this requirement? What kind of physical security controls should organizations implement?
SOC 2 Academy: Points of Focus
In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria. As such, one of the enhancements to SOC 2 reporting includes points of focus, which will assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. Points of focus are meant to be references, not requirements, because not all points of focus will be applicable to all organizations.
These points of focus serve as a type of checklist for management, providing clarity on how organizations can ensure that they are SOC 2 compliant. Let’s look at an example of points of focus under the security category.
SOC 2 Academy: Preparing for Current and Future Availability Needs
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they need to comply with the additional criteria for availability.
Availability criteria 1.1 says, “The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s find out why preparing for current and future availability needs is important.
SOC 2 Academy: Preventing and Detecting Unauthorized Software
During a SOC 2 audit, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.8. Common criteria 6.8 says, “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.” What do organizations need to do to comply with this? What will an auditor be assessing?
SOC 2 Academy: Protection Through Logical Access
When a service organization undergoes a SOC 2 audit, auditor will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.1 says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” What will an auditor look for when assessing this criterion? Let’s discuss why organizations should implement protections through logical access controls.
SOC 2 Academy: Quality and Accuracy of Your Data
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity.
Processing integrity criteria 1.1 says, “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why the quality and accuracy of your data is important for SOC 2 compliance.
SOC 2 Academy: Recovering from a Security Incident
Because security incidents are a matter of when, not if, they occur, it’s a best practice to always analyze what happened and how an organization could have prevented it. That’s why during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 Trust Services Criteria, which includes common criteria 7.5. Common criteria 7.5 says, “The entity identifies, develops, and implements activities to recover from identified security incidents.” Let’s discuss what an auditor will look for when assessing an organization’s compliance with this criterion.
SOC 2 Academy: Registering Internal and External Users
When a service organization undergoes a SOC 2 audit, auditors will validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.2 says, “Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.” What will an auditor look for when assessing how organizations go about registering internal and external users? Let’s discuss.
SOC 2 Academy: Risks from Business Partners
While organizations must consider the risks to their operations, finances, and reputation caused by threats inside their organization, they must also consider outside risks from business partners and third-party vendors. During a SOC 2 audit, organizations will have to demonstrate that they consider the risks from business partners and third-party vendors in order to comply with the SOC 2 common criteria 3.2, which states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Let’s take a look at the reasoning behind this, other frameworks that have vendor compliance requirements, and what can happen if an organization fails to manage the risks from business partners and third-party vendors.
SOC 2 Academy: Taking Inventory of Physical Devices
One of the first steps of the SOC 2 audit process is scoping the engagement, which tells auditors what people, processes, and technologies will be included in the assessment. Because auditors will assess an organization’s compliance with the 2017 Trust Services Criteria, organizations need to demonstrate that they comply with common criteria 6.4. Common criteria 6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.”
In order to comply with this criterion, organizations need to identify all people, processes, and technologies that impact the internal controls over physical security by taking inventory of physical devices. It’s no longer enough for organization’s to only identify physical devices within their office buildings. Instead, they’ll need to look at remote locations, such as home offices or coffee shops, as well as third-parties. Let’s discuss why taking inventory of physical devices is so important to SOC 2 compliance.
SOC 2 Academy: Testing Your Business Continuity Plan
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability. Availability criteria 1.3 says, “The entity tests recovery plan procedures supporting system recovery to meet its objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s find out why you need to be testing your business continuity plan.
SOC 2 Academy: Testing Your Incident Response Plan
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.4 says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” While we’ve already discussed why it’s important to establish incident response teams and how organizations can comply with common criteria 7.4, there’s one component of this criterion that we’d like to emphasize: the importance of testing the incident response plan.
SOC 2 Academy: Trust Services Criteria
In the AICPA’s recent updates to SOC 2 reporting, many will notice that there are quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria will now be strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.
An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy will now be referred to as categories as opposed to criterion or principles. So, for example, when a service organization begins their SOC 2 audit journey, one of the first steps they will take will be to determine which of the categories they’ll need to include in their audit.
SOC 2 Academy: What Types of Risks Does Your Organization Face?
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.
SOC 2 Academy: Using a Risk Assessment
During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. When an auditor is assessing an organization’s compliance with common criteria 3.1, which states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives,” they will want to see that the entity not only conducts but uses their risk assessment. Let’s take a look at how organizations can go about using their risk assessment and why it’s so important.
SOC 2 Academy: What’s New with SOC 2?
In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.
Â
