SOC 2 can be a complicated security standard to understand. As a security standard and attestation often required by many enterprise companies and organizations, it is important that organization understand the basics of SOC 2 compliance and how teams become SOC 2 compliant. When dealing with SOC 2 compliance, teams do not need to go through SOC 2 alone.
Below is a general overview of SOC 2 assessment framework, as well as more information for frequently asked questions:
What is SOC 2 Compliance?
SOC 2 compliance is part of the AICPA Service Organization Control reporting platform. The goal of SOC 2 is to evaluate organization security and internal controls around security, availability, processing integrity, confidentiality, and privacy. SOC 2 is a technical audit and attestation that organizations have established internal controls that meet AICPA standards.
Who Needs to Be SOC 2 Compliant?
Software Vendors – Large enterprises with hundreds or thousands of software vendors often ask companies for a SOC 2 Type 2 report in order ensure that an organization has a set of security controls in place.
Cloud Providers – Cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure have numerous clients managing applications and workloads across their infrastructure.
Large Companies – Large organizations often go through audits to receive a SOC 2 Type 1 or SOC 2 Type 2 report in order to improve their overall security stature.
What does SOC 2 Require?
Organizations that work to achieve SOC 2 compliance, may be evaluated against one or more AICPA Trust Service Criteria – Security, Availability, Processing Integrity, Confidentiality, Privacy. Organizations working to SOC 2 must take the following steps to achieve SOC 2 compliance:
- Implement a security program and all internal security controls required under the TSC.
- Perform A SOC 2 Audit with a 3rd party auditor.
- For SOC 2 Type 2 – Organizations must maintain SOC 2 internal controls over a period of time.
What is The Difference Between SOC 2 Type 1 and SOC 2 Type 2?
There are two types of SOC 2 reports organizations can achieve for SOC 2:
SOC 2 Type 1: A Type 1 report highlights policies and procedures for ensuring Trust Service Criteria at a single point-in-time. This means that an auditor will evaluate an organization on a set of criteria and controls one time and ensure that the organization meets specific control requirements.
SOC 2 Type 2: A Type 2 report is more comprehensive then a SOC 2 Type 1 report. A Type 2 report evaluates the same policies and procedures and security controls for ensuring Trust Service Criteria but is measured over a period of time, generally a 3 to 12-month audit period. This means that organizations must demonstrate that security controls are in place and working over a long period of time.
While a Type 1 report provides a certain level of validation for an organization’s internal security controls, it’s value quickly diminishes over time, since it is a point-in-time assessment. A Type 2 evaluates the same internal controls but is more comprehensive report, since it is evaluated over a period of time.
How Does SOC 2 Apply to The Public Cloud?
With many companies managing applications and infrastructure in the public cloud, security has become more important. In order to validate security efforts across their datacenters and IT infrastructure, many public cloud providers work to achieve SOC 1, SOC 2, and SOC 3 reports.
Additionally, many organizations utilizing the public cloud work to achieve SOC 2 compliance. Many SaaS companies, software vendors, and startups operating in the public cloud go through a SOC 2 audit and achieve SOC 2 compliance in order to prove their security efforts to partners and clients.
SOC 2 can be assessed and achieved across many types of systems and IT infrastructure including – on-premise, cloud, and hybrid infrastructure.
How Do I Prepare for A SOC 2 Audit?
When going through a SOC 2 audit it is important that teams are prepared in order to avoid delays in assessment and additional assessment costs. In order to achieve SOC 2 compliance, teams should take the following steps to prepare for a SOC 2 audit:
- Implement all applicable administrative policies and internal controls
- Perform a SOC 2 readiness assessment
- Collect all policies, security documentation, and agreements with vendors and contractors
- Find a reputable AICPA-affiliated SOC 2 audit firm
Teams may turn to a company like Dash, to help build their SOC 2 security program and prepare for SOC 2 compliance.
Is AWS SOC 2 Compliant?
Amazon Web Services (AWS) has achieved SOC 1, SOC 2, and SOC 3 reports. These reports detail the AWS controls environment and implemented controls for AICPA Trust Services Criteria (TSC) and can be leveraged as part of a cloud customer security program. AWS SOC covered cloud services are audited periodically against the SOC reporting framework.
Although AWS has achieved SOC 2 report, organizations that utilize AWS cloud infrastructure are NOT automatically SOC 2 compliant. Organizations operating in AWS must implement SOC 2 controls and go through a SOC 2 audit with a 3rd party audit firm in order to be SOC 2 compliant.
Is Azure SOC 2 Compliant?
Similar to AWS, Microsoft Azure has achieved SOC 1 Type 2, SOC 2 Type 2, and SOC 3 reports. These reports detail the Azure controls environment and implemented controls for AICPA Trust Services Criteria (TSC) and can be leveraged in cloud customer security programs. Azure SOC covered cloud services are audited at least annually against the SOC reporting framework by independent third-party auditors.
Although Azure has achieved SOC 2 report, organizations that utilize Azure cloud infrastructure are NOT automatically SOC 2 compliant. Organizations operating in Azure must implement SOC 2 controls and go through a SOC 2 audit with a 3rd party audit firm in order to be SOC 2 compliant.
How Do I Meet SOC 2 Requirements in The Cloud?
In order to become SOC 2 compliant in the cloud, your team should evaluate your current cloud security controls, determine security gaps and work to build your SOC 2 security program. Teams should consider taking these steps to achieve SOC 2 compliance in a public cloud platform like AWS or Azure.
Establish administrative policies and procedures: Teams should build a set of administrative security policies around your organization and technologies. Policies should cover topics including – security roles, risk assessment, security training, and intrusion detection.
Set security controls to meet policy standards: Security teams should implement all necessary security standards across cloud services including – encryption, audit logging, access control, firewall and networking, and backup and disaster recovery (DR). Teams may use AWS/Azure provided security settings as well as turn to open-source and 3rd party solutions.
Enforce and maintain security controls across your cloud: After implementing necessary security controls and settings across your cloud resources, your team should ensure that security settings stay in place and that all new resources continue to meet set security standards. Teams can monitor and maintain SOC 2 cloud security standards through continuous compliance monitoring.
How Do I Maintain SOC 2 Compliance?
In order to ensure SOC 2 compliance, organizations should perform a SOC 2 audit before the current report is past it’s effective coverage period. Typically, organizations go through a SOC 2 audit annually to keep their SOC 2 Type 2 report current.
This means that organizations generally must continue to maintain all SOC 2 internal controls in order to pass future security audits. Teams will want to ensure that administrative policies are current and that security controls continue to stay in place and are applied to newly created infrastructure and resources. Teams may implement continuous compliance monitoring systems to ensure that security standards are in-place and maintain SOC 2 compliance.
SOC 2 can be an intensive process. It requires that organizations set proper security standards and go through an external security audit.
Dash ComplyOps helps teams to prepare for a achieve SOC 2 compliance. Dash provides teams with a solution for setting custom administrative policies, establishing cloud security controls, and enforcing SOC 2 internal controls through continuous compliance monitoring. Teams can work with Dash and its auditing partners to quickly achieve SOC 2 compliance.