SOC2 Type-1 & Type-2 Reports

SOC2 Implementation

Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles. These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.


There are two types of SOC reports:

Type I describes a vendor's systems and whether their design is suitable to meet relevant trust principles. Type II details the operational effectiveness of those systems.


SOC 2 CERTIFICATION


SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.

Trust principles are broken down as follows:

Security:

The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information. IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access to systems and data.

Availability:

The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties. This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.

Processing integrity:

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized. However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.

Confidentiality:

Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information. Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

Privacy:

The privacy principle addresses the system's collection, use, retention, disclosure and disposal of personal information in conformity with an organization's privacy notice, as well as with criteria set forth in the AICPA's generally accepted privacy principles (GAPP). Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Similar to a SOC 1 report, there are two types of reports: A type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls. A type 1 report on management's description of a service organization's system and the suitability of the design of controls. Use of these reports is restricted.

Principles and their objectives:

  • Security. The protection of the system from unauthorized access, both logical and physical.
  • Availability. The accessibility of the system, products or services as advertised or committed by contract, service level, or other agreements.
  • Processing Integrity. The completeness, accuracy, validity, timeliness and authorization of system processing.
  • Confidentiality. The system's ability to protect the information designated as confidential, as committed or agreed.
  • Privacy. Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the privacy notice.


A system consists of five key components organized to achieve a specific objective. The five components are categorized as follows:

  • Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks)
  • Software. The programs and operating software of a system (system, application and utilities)
  • People. The personnel involved in the operation and use of a system (developers, operators, users and managers)
  • Procedures. The programmed and manual procedures involved in the operation of a system (automated and manual)
  • Data. The information used and supported by a system (transactions, streams, files, databases, and tables)

The following four components are represented in the respective principles and criteria.

  • Policies. The entity defines and documents its policies for the 'Trust Services Principle' of its system.
  • Communications. The entity communicates its defined 'Trust Services Principle' policies to responsible parties and authorized users.
  • Procedures. The entity has placed in operation procedures to achieve its documented 'Trust Services Principle' objectives in accordance with its defined policies.
  • Monitoring. The entity monitors the system and takes action to maintain compliance with its defined system 'Trust Services Principle' policies.

FEATURES

Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organization.


PROCESS

Determining exactly which service offering(s) you want to make compliant

BENEFITS

Obtaining a SOC 2 report requires an investment of both time and money for a service organization and, at some point, might seem like more work than it's worth. However, the advantages to obtaining a SOC 2 report far outweigh the initial investment. Following are ten benefits:


FAQ

What is the purpose of a SOC 2 audit?


RELATED LINKS

https://www.incapsula.com/web-application-security/soc-2-compliance.html


What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.