SOC 2, All You Need To Know

October 27, 2022

SOC 2 Overview

SOC 2 isn’t a set of hard and fast rules. Rather, it is a framework that sends a strong signal that an organization prioritizes key attributes: security, availability, processing integrity, confidentiality, and privacy. Completing a SOC 2 certification on its own is generally not enough to prove that you are 100% secure as an organization, but it’s a very good start and will go a long way toward instilling trust in your customers.


SOC 2 trust principles

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”:

Security: The foundational security principle, common to all audits.

Confidentiality: Protection from unauthorized disclosure of sensitive data.

Availability: Protection that systems or data will be available as agreed or required.

Processing integrity: Protection that systems or data are not changed in an unauthorized manner.

Privacy: The use, collection, retention, disclosure, and disposal of personal information is protected.

How do I get a SOC 2

Unlike ISO-27001, which has very rigid requirements, SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles.

These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.


SOC 2 Type I vs Type II explained

The SOC 2 reporting standard is defined by the AICPA. All SOC 2 audits are signed by licensed CPAs. To achieve SOC 2 compliance, most companies spend anywhere from six months to a year on focused preparation. This includes identifying which systems are in scope for the audit, developing policies and procedures, and implementing new security controls to reduce risks. When ready, an organization will hire a licensed AICPA auditor to conduct the audit. The actual process involves scoping, artifact document collection, and an on-site visit. The time commitment is typically several hours of introductory phone conversations and two days in person at your office.

SOC 2 Type I

An audit conducted against the Trust Services Criteria standard at a single point in time. This audit answers: Are all the security controls that are in place today designed properly?

SOC 2 Type II

An audit conducted against the Trust Services Criteria standard over a period of time. This period typically covers six months the first time, and then a year thereafter. This means you’ll need a system of record. Type I reports are, as you might imagine, quicker to prepare for and conduct because you don’t have to wait for historical data over six months. However, while Type II reports take more time, they are also that much more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on. They report on what you’re actually doing, rather than what you aspire to do. Because of this added value, our recommendation is to get started early and work directly toward the Type II report. This approach emphasizes immediate action taken toward improving your security, and because Type II also covers Type I, there are financial savings in the long term if you start with Type II from day one.

Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation, referred to as Common Criteria, is an internationally recognized standard for computer security certification. Common Criteria is a framework that assures that the process of specification, implementation, and evaluation of a computer security product has been rigorously tested in a repeatable manner. The goal of Common Criteria is for vendors to make claims about the security of their products and for independently run testing laboratories to determine whether the products meet those claims. Below are the nine Common Criteria that are typically associated with SOC 2 compliance for SaaS providers and vendors.

CC1 - Control environment

CC2 - Communications and information

CC3 - Risk assessment

CC4 - Monitoring activities

CC5 - Control activities

CC6 - Logical and physical access

CC7 - System operations

CC8 - Change management

CC9 - Risk mitigation

How Compyl can Help

SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.

Trust principles are broken down as follows:

Internal workflows

SOC 2 CC1: Control Environment

Workflows are at the heart of every organization. As an organization grows from two people to five to ten, and so on, these workflows can introduce security loopholes. SOC 2 CC1 addresses your control environment, of which workflows are a component. Most workflow suites include predetermined workflows for the most common business tasks, including employee onboarding, offboarding, vendor requests, approvals, renewals, and terminations. They also include the ability to build, save, and repeat your own customized workflows to match your particular internal processes. When you use Compyl for SOC 2 compliance, all your workflows are documented as exportable logs. When you decide to undertake a SOC 2 audit, you can easily pull these logs and present them as evidence to your auditors.

Vendor management

SOC 2 CC5: Control Activities

As mentioned earlier, the average mid-sized company uses 120 SaaS tools. That’s a lot of vendors. Lack of visibility into who all these vendors are and how they interact with your company can be grounds for SOC 2 noncompliance. Maintaining unwieldy spreadsheets, while a common standard, fails to capture crucial real-time data regarding your vendors.

SaaS discovery, security, and monitoring

SOC 2 CC6: Logical and Physical Access Controls

While the broader CC6 framework considers both logical and physical access controls, Compyl helps you manage logical access controls. We do this by giving you enhanced visibility of all the third-party apps in use at your organization. App discovery and tracking give you a single source of truth as support for your SOC 2 compliance documentation. Moreover, security monitoring provides ongoing access control data collection crucial to your SaaS security audit compliance. If a new app is added to your organization or there’s a user state change, Compyl captures this data as exportable activity logs. Through this data, you can demonstrate the measures you have taken to modulate logical access control across all your organization’s apps. Using Compyl for SOC 2 compliance gives you a centralized view of all third-party SaaS apps in use in your organization, and tools to help you manage how your personnel interacts with them.

SaaS codex and system of record

SOC 2 CC9: Risk Mitigation

One of the challenges companies face when creating a risk mitigation plan is the lack of a system of record. A system of record is a single source of truth providing transparent, auditable data about a process within an organization. Organizations using different SaaS products without a point of convergence struggle to create a unified system of record. Compyl solves this by providing a converged system of record comprising an extensive SaaS codex with a robust system of record.


The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP). Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

Putting it all together

Adapt quickly to new industry requirements, expansion, and other needs that affect the organization.

The importance of SOC 2 compliance

While SOC 2 compliance isn’t a requirement for SaaS and cloud computing vendors, its role in securing your data cannot be overstated.

Imperva undergoes regular audits to ensure the requirements of each of the five trust principles are met and that we remain SOC 2-compliant. Compliance extends to all services we provide, including web application security, DDoS protection, content delivery through our CDN, load balancing, and Attack Analytics.
