Cybersecurity is ever-changing and a critical consideration for business survival. You must be prepared to keep your business secure and your customers satisfied. But how do you keep up with compliance framework changes, such as last October's SOC 2 guidance updates?
This was my challenge as the GRC manager at a SaaS startup: an updated compliance framework version would be released, and I’d need to figure out how to incorporate the new requirements. Assessing them, identifying gaps, educating teams and implementing the necessary changes filled me with anxiety.
ISO 27001 was especially perplexing. Everything I read didn't quite make sense, and I just wished someone had written a simple guide to the new framework requirements.
If you feel the same way about the new SOC 2 guidance — here is your guide!
What Is SOC 2?
SOC stands for "System and Organization Controls." SOC 2 is an attestation framework that lets software vendors and other service organizations demonstrate the controls they use to protect customer data, typically in cloud-hosted services. The output is not a certificate but an independent auditor's report.
The American Institute of Certified Public Accountants (AICPA) governs the SOC framework. It publishes the Trust Services Criteria and the attestation standards under which SOC 2 examinations are performed in the U.S., and it reviews both periodically.
SOC 2 Trust Services Criteria
Five Trust Services Criteria (TSCs) can be covered by a SOC 2 report. Security is the only TSC that must be included; the other four are added based on the service commitments the organization makes to its customers.
Security (Common Criteria, CC1 to CC9)
Demonstrate that systems are protected against unauthorized access and other information security risks that could impair the ability to provide the services promised to clients, including:
- Protection of Information: security of information throughout its life cycle, including collection or creation, use, processing, transmission and storage.
- Protection of Systems: security of any systems that process, store or transmit information relevant to the services provided by the service organization.
Availability
Demonstrate that systems are available for operation and use as committed or agreed, so that outages do not impact a client's business.
Processing Integrity
Demonstrate that system processing is complete, valid, accurate, timely and authorized on behalf of clients.
Confidentiality
Demonstrate protection for data designated as confidential, whether by classification or by a confidentiality agreement or NDA (non-disclosure agreement), such as legal documents, bank statements, trade secrets and similar material.
Privacy
Demonstrate that personally identifiable information (PII) is protected and handled appropriately; for example, show that personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the organization's privacy notice.
Description of the System
The description of the organization's system is the largest and most critical section of a SOC 2 report. It gives an overview of the people, processes and technology that support the organization's product, software or service, and it describes the controls implemented for each in-scope TSC. The auditor uses this description to assess whether the system components effectively protect customer data.
What’s New with SOC 2?
The AICPA made significant updates to the implementation guidance for the Description Criteria and to the points of focus for the SOC 2 TSCs. These updates provide more examples rather than new criteria.
The AICPA incorporated:
- New attestation standards
- Information about the risk assessment process and specific risks
- Additional clarity regarding certain disclosure requirements, such as how controls meet the requirements of a process or control framework
Revised SOC 2 TSC Points of Focus
The revised SOC 2 TSC points of focus provide guidance and clarity on:
- Incorporating new changes to CPA attestation standards
- Key differences between the Confidentiality and Privacy TSCs and when it’s appropriate to report on controls included in them
- Business objectives and how they relate to the service commitments and system requirements
- Identifying subservice organizations versus vendors, the appropriate types of controls or related disclosures, and management's use of specialists
- Identifying the use of software applications and tools that help with the detection of threats and vulnerabilities, such as firewalls, intrusion prevention and/or detection systems, etc.
- Improved controls supporting the implementation of the TSCs
- Addressing the landscape of changing technologies, threats, vulnerabilities and risks
- Addressing data management, including data storage, backup and retention as it relates to confidentiality
- Differentiating points of focus related to privacy as a “data controller” versus a “data processor”
- Considering the operation of periodic controls that operated prior to the period covered by the examination
Key SOC 2 Areas Impacted
The revised SOC 2 TSC points of focus affect the following criteria, identifying areas of improvement to strengthen operations.
The revised points offer clarity on the types of information relevant to a system of internal control:
- Information about data flow
- Asset inventory and location
- Information classification
- C&A (completeness and accuracy) of information used in the system
CC1.3 and CC1.5: addressing newly identified privacy concerns regarding reporting lines and disciplinary actions.
Information and Communication with Availability and Privacy
The revised points provide guidance on management’s identification of threats to data recoverability and mitigation procedures to better align with widely used privacy practices.
CC2.1: addressing the management, classification, C&A and storage of assets.
CC2.2: addressing communication concerns relating to privacy knowledge and awareness and reporting of incidents related to privacy (*when Privacy TSC is applicable).
CC2.3: addressing communication of incidents related to privacy (*when Privacy TSC is applicable).
Risk Assessment
The revised SOC 2 TSC points support a more granular approach to evaluating risks by spelling out the underlying components of a risk assessment:
- Threat and vulnerability identification
- The evaluation of the likelihood and magnitude of a threat event intersecting with a vulnerability
CC3.2: addressing the identification of vulnerabilities in system components and providing additional guidance on assessing the significance of risks arising from the use of subservice organizations.
CC3.4: assessing changes in internal and external threats and vulnerabilities the organization may encounter.
Logical and Physical Access
The updated TSC points encourage consideration of logical access controls across the system architecture, including all relevant:
- IT tools
- Types of access, such as employee, contractor, vendor or business partner
- System and service accounts
- Recovery of devices, such as laptops
CC6.1: addressing access to and use of confidential information for identified purposes (*when the Confidentiality TSC is applicable).
CC6.4: addressing the recovery of physical devices.
System Operations and Monitoring
The revised SOC 2 TSC points encourage consideration of monitoring activities performed by the first and second lines of defense: for example, monitoring by the people performing a task and by the managers who oversee them, respectively.
This is in addition to internal audit functions and other recurring information technology (IT) assessments that have historically been described in SOC 2 reports.
CC7.3: addressing the impact on, use of or disclosure of confidential information when a security event occurs (*when the Confidentiality TSC is applicable).
CC7.4: addressing the definition of and execution of breach response procedures (*when Privacy TSC is applicable).
Change Management
The revised SOC 2 TSC points also cover the identification, testing and implementation of software patches, and the consideration of resilience requirements, during the change management process.
CC8.1: addressing the process for managing patch changes and the design and testing phases for system resilience (*when Availability TSC is applicable) and privacy requirements in the design phase (*when Privacy TSC is applicable).
Risk Mitigation
The updated TSC points offer direction on residual risk after internal controls are considered, and on management's decisions to accept, reduce or share risks.
CC9.2: addressing the identification and evaluation of vulnerabilities arising from vendor and business partner relationships.
How Do the SOC 2 Updates Impact Companies?
This new SOC 2 guidance is intended to help organizations better meet the information needs of their customers and business partners when considering technological threats and vulnerabilities, as well as confidentiality and privacy issues.
No TSCs were added or changed; the criteria themselves are exactly as before.
Nor does every point of updated guidance on the design, implementation and operation of controls need to be met. Points of focus are illustrative, not strict requirements, and an organization can meet a criterion without addressing every point.
However, these revisions are effective immediately, and they enhance the usefulness of SOC 2 reports for evaluating an organization's security posture.
Auditors use the SOC 2 criteria and points of focus to attest to a company's security practices. The majority of the updates focus on the Confidentiality and Privacy TSCs and clarify how existing criteria apply to new technologies and evolving risks. SOC 2 assessors performing examinations will take these into consideration.
Organizations should consider these revisions and incorporate relevant changes to improve clarity and processes, as well as to best represent their service commitments.
What Are the Benefits of SOC 2?
Are you wondering what the benefits of SOC 2 are and why an organization should comply?
Obtaining a SOC 2 report improves your information security credibility. It demonstrates that you are protecting customer data, which can establish trust, drive revenue and unlock new business opportunities. Specifically, it helps you:
- Protect your customer data from unauthorized access and theft.
- Avoid costly security breaches and the financial and reputational damage that comes with them.
- Gain an edge over competitors that cannot show compliance.
Peace of Mind
Develop strong policies and procedures, assure customers your systems and networks are secure and provide valuable insights into your risk and security posture.
Attaining SOC 2 can accelerate your organization's overall compliance efforts for other frameworks, such as ISO 27001 and HIPAA. It is also an alternative to answering time-consuming, 500-question security questionnaires for every prospect.
SOC compliance is not required by law, but it is considered the gold standard for companies to prove their commitment to customers. It demonstrates that they protect customers' data and make their services reliable, resilient and consistent. In fact, many enterprises will not do business with technology vendors or other service providers that have not obtained a SOC 2 report.
All SOC 2 examinations must be performed by an independent auditor from a licensed CPA firm; a report issued by anyone else carries no credibility. When performed correctly, the examination yields a professional opinion on whether the controls described are suitably designed (a Type 1 report) and, for a Type 2 report, whether they operated effectively over the examination period. Customers should expect a Type 2 report when they want evidence that declared processes are actually followed in practice. This information can be shared with clients and prospects alike, usually under NDA.
Get SOC 2 Ready with ROAR
Whether you are seeking your first SOC 2 report or need to stay ahead of recent guidance changes, the RiskOptics ROAR Platform can help simplify the process.
ROAR gives you the ability to see, understand and take action on your IT and cyber risks. With a unified, real-time view of risk and compliance — framed around your business priorities — you’ll have the contextual insight needed to easily and clearly communicate with key stakeholders. That way, leadership can make smart, strategic decisions to protect your enterprise, systems and data. And your organization can earn the trust of your customers, partners and employees.
Discover the power of the RiskOptics® ROAR Platform! Schedule your FREE demo today.