logo Client Portal logo +61 3 9070 5606
ITH Publication - April 4, 2024, 12:31 pm


What is SOC2 compliance framework ?

We have managed to collate information  with regards to SOC2 compliance which would be helpful for organisations assessing their SOC2 security posture. This preliminary information should help you get general understanding of SOC2 compliance and give you a broad sense of understanding in terms of what might be required for an organisation wanting to be SOC2 compliant/certified. 

 


  • What is the SOC 2 compliance framework?

SOC 2, aka Service Organization Control Type 2, is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). The primary purpose of SOC 2 is to ensure that third-party service providers store and process client data in a secure manner.

How is SOC2 compliance helpful to organisations?

AICPA’s cybersecurity risk management reporting framework helps organisations communicate about and CPAs report on cybersecurity risk management programs. AICPA's Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria) guideline is intended for use by CPA's to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program. Management teams can also use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

  • What are the criteria surrounding SOC 2?

There are 5 criteria to choose from when doing a SOC 2, security, confidentiality, availability, processing integrity, and privacy. You can do a base report on security criteria, but the other ones can be relevant for business development or required contractually.

There are ultimately 4 types of SOC reports, a SOC1 and SOC2, each of which have a type I and type II report. A SOC1 is used when you are a service organization (i.e. payroll provider etc.) that manages an IT or service function that rolls up to a financially significant account on a client's balance sheet. A SOC2 is relevant if you manage or have access to certain types of data that carry some contractual or legal liability (i.e. health care or financial data etc.). There is a Type I and Type II version of both the SOC1 and SOC2 report. A Type I basically states that we have all of the controls in place to meet the relevant criteria of a SOC1 or SOC2 as of this date. A Type II states that we had these controls in place, and they operated effectively over this period of time (usually 6mos, 9mos, or 12mos).

A SOC1 generally has more business controls involved, and can pull in things like account reconciliations for auditor review. A SOC2 is generally more concerned with the scope of the environment where sensitive data is stored, and access to modify those environments.

  • Can a small company be SOC 2 compliant?


It can be difficult for a small company due to the lack of some formal processes. However, it's doable, and has become a cost of doing business in some industries. If you deal with any sensitive data on behalf of your clients, then there are a lot of companies that require it. Generally, you will need to have the following covered:

  1. HR - Org Chart, Employee Handbook, Job Descriptions, and background checks.

  2. IT Security Policies - Risk Management, Logical Access, Change Management, Disaster Recovery, and Incident Response cover the majority of it.

  3. Logical access - Password requirements at all layers (Application, OS, Database, Code Repo, etc.). A process to approve access changes. If standardized, this can just be a pre-approval matrix, but you will still need an access form or ticketing system to track access approvals for anything beyond what is standardized. A process to remove access that retains evidence of when the access was removed. A quarterly user access review of all IT layers (AWS/Azure, Microsoft AD, Code development tools/repos, in-scope applications servers, and databases). Monitoring of security events/incidents.

  4. Change Management - (This depends on whether you develop your own applications, as that brings a lot more in scope) If you don't develop your own software, you really just need to keep track of authorizing a change to be deployed, testing the changes, and approving the change. Change control board or change manager can authorize a change to be deployed, but a relevant business manager would need to approve it. If you develop your own software, then there is a stronger look at segregation of duties across the change management process. The auditor takes a sample of changes and requests evidence of the initial authorization of the change, testing, deployment, and approval. They may also look through a listing of commits to make sure no-one was doing commits that shouldn't have had access.

  5. Physical security - Doors locked with key cards, process for tracking the issuance and revocation of key cards. Quarterly review of key card access.

  6. Backups - scheduled process for automated backups. Track and remediate backup failures. Do a test restore annually.

Be cautious of claims made by the various software vendors  that market themselves as being able to get you through an audit at a lower total cost of ownership. They can make the audit process easier, which might even offset some of your internal effort, but the software solutions out there now don't really bring down the level of effort from the audit


Click here to fill out our contact form.
OR Click here to send an email to IT Horizon.