Organizations that use a data center to support their infrastructure and computing needs must consider compliance as part of their overall risk management and IT policy development strategies. One of the most common compliance standards considered for organizations with a data center environment is SOC 2 compliance.
The Service Organization Control (SOC) is a compliance framework used to determine whether a service organization’s internal controls and practices are effective at safeguarding the privacy and security of its customer and client data.
SOC 1 vs. SOC 2 vs. SOC 3
SOC reports evolved from the 1992 Statement on Auditing Standards No. 70: Service Organizations (SAS 70). They can be one of three categories:
- SOC 1 reports address how organizations handle financial information for their clients. This report ensures that financial reporting is managed securely by the business handling the transaction.
- SOC 2 reports review an organization’s controls for security, processing integrity, privacy, and related issues. Customers often ask for a SOC 2 report before engaging with specific vendors.
- SOC 3 reports review the same material as SOC 2 reports, but they are less exhaustive and are intended for a general audience. For example, a business might commission a SOC 3 report on itself and post the results on its website.
In this article, we will be discussing the SOC 2 report specifically, which was developed by the American Institute of Certified Public Accountants (AICPA) in response to growing concerns over data privacy and security.
SOC 2 Type I vs. Type II
SOC 2 reports come in two types, Type I and Type II. The difference between a SOC 2 Type I and a Type II report lies in the period of time each covers.
- A SOC 2 Type I report (typically an organization’s first-ever SOC 2 report) assesses whether an organization’s internal controls are designed properly at the time of the audit.
- SOC 2 Type II reports evaluate the effectiveness of security and privacy controls over a period of time. How long? Usually the period since the organization’s previous SOC audit, which is typically one year.
After that, SOC 2 audit frequency is typically once a year.
SSAE 18 vs. SOC 2
We should explore SOC 2’s relationship to SSAE 18, the underlying standard that provides the guidelines for what a SOC 2 report should contain. (“SSAE” stands for “Statement on Standards for Attestation Engagements.”)
As we mentioned earlier, the original source for SOC 2 reports was the Statement on Auditing Standards No. 70. That document was eventually replaced by SSAE 16, and then SSAE 18, which is the standard used for SOC reports today.
The requirements set forth in SSAE 18 affect how organizations prepare for and execute SOC reports. Among other things, SSAE 18 directs service organizations to identify all sub-service organizations and to understand complementary sub-service organization controls. As part of the review, service organizations must include data centers, cloud infrastructures, Software-as-a-Service (SaaS) platforms, and other outsourced vendors.
Now that you understand what SOC 2 is, its evolution, and its requirements, let’s move on to what you need to have a SOC 2-compliant data center.
What does my data center need to be SOC 2 compliant?
All SOC 2 reports revolve around the following requirements, known in SOC 2 documentation as “trust services principles.”
- Security. The organization must have data protection controls in place to prevent unauthorized access. All SOC 2 reports must include an attestation on this criterion from the service provider.
- Availability. A service provider must have reasonable security controls in place to ensure its system is available and can be used under the terms of service.
- Processing integrity. All transactions must be processed promptly and accurately, with no errors or unauthorized processing.
- Confidentiality. All private or confidential data must be protected according to the security policies laid out in the organization’s service agreement.
- Privacy. All personal and private information must be handled according to any relevant privacy regulations or controls specified in the service agreement or privacy notices.
How do I make my data center SOC 2 compliant?
If your organization is attempting to achieve SOC 2 certification for any of the trust services principles, here are some helpful steps to get you there.
Step 1: Get Help With Auditing
When it’s time to hire an auditor to help you prepare for compliance, you’ll need support in ensuring that every detail is properly addressed. To do that, choose a SOC 2 compliance tool with:
- Quick, easy deployment
- User-friendly design
- Easy internal audit capabilities
- Vendor management tools
- Continuous controls monitoring
- Integration with your software and services stack
- At-a-glance compliance dashboards that include your other frameworks
Step 2: Select the Trust Principles That Apply to You
Again, the principles are:
- Security: Is your data center protected against both physical and virtual unauthorized access?
- Availability: Is your data center available for operation and use as indicated in your service agreement?
- Processing Integrity: How does your data center process data? Does it do so accurately, promptly, and in a manner that is lawful?
- Confidentiality: Do you guard confidential information and prevent unauthorized access to it as you’ve agreed to with your customers?
- Privacy: Do you handle personal and private information according to the relevant privacy regulations and the commitments in your service agreement or privacy notices?
Step 3: Design a Path to SOC 2 Certification
After you’ve audited your organization’s systems to find any gaps, map out a plan to remediate those gaps ahead of submitting your organization for a SOC 2 audit.
Once you’ve defined your SOC 2 compliance processes, everyone in the organization needs to follow them, and follow them continuously, so that your future annual renewal audits succeed as well.
Step 4: Perform a Self-Audit
After you’ve taken the necessary steps to create SOC 2-compliant systems, you’ll want to perform a self-audit. This is to ensure that all your controls suitably prevent unauthorized access and meet the goals established in your compliance roadmap, and to ensure that you continue to implement the proper controls over time.
Step 5: Have Your Official SOC 2 Audit
This final step is where you submit your organization for an official SOC 2 audit and get certified. Then, to maintain certification, you’ll need to plan for annual renewal audits to prove that your security controls and documentation are still in place and working optimally for your organization.
Is there compliance for data centers from other frameworks that overlap with SOC 2?
Yes, several data security standards can overlap with SOC 2 depending on the type of organization you have.
- The National Institute of Standards and Technology (NIST) 800-53 data center security standards dictate security and privacy controls for federal information systems and organizations.
- The Health Insurance Portability and Accountability Act (HIPAA) will apply to any health organization and its associates that have protected health information (PHI) stored in a data center.
- The Payment Card Industry Data Security Standard (PCI DSS) will impact any organization that processes financial transactions and receives, stores, sends, or deletes credit card information.
- The International Organization for Standardization (ISO) 27001 is the most widely accepted certification for information security, physical security, and business continuity.
- The Federal Information Security Management Act (FISMA) is for organizations within the federal government and requires them to develop, document, and implement an information security and protection program.
How ZenGRC Can Support SOC 2 Compliance For Your Data Center
Developed initially for technology service companies, SOC 2 has become an important standard for every enterprise doing business online, particularly those with data centers. Failure to comply sets a bad precedent and shows your customers that they can’t trust you to keep their data secure.
Enterprise compliance can be a nightmare to manage manually. At that level, spreadsheets simply aren’t capable of handling the number of moving parts that go along with the many forms of compliance your business is responsible for.
ZenGRC takes the worry out of SOC 2 certification and walks you through the framework step by step.
Our “single source of truth” dashboard displays compliance gaps within your infrastructure and tells you how to resolve them. And when it’s time to hire an auditor, ZenGRC can save time and money by providing audit information in an easy-to-use format.
ZenGRC can support a wide variety of compliance frameworks and cross-checks objectives across multiple platforms, streamlining your compliance efforts and freeing your compliance team to work on other areas of the business.
If you’d like to see ZenGRC in action, contact us today for a free demo.