Introduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions with every passing year, especially SOC 2. But what is a SOC report? Which one do you need? Why is a SOC 2 report so important? Do you actually need it, or is it something that just looks good on paper?
There are three types of SOC reports, but we’ll mainly talk about the second one for now, which is “designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations,” according to ssae16.org. Where a SOC 1 report covers the financial transactions a company makes, a SOC 2 report covers the security behind those financial transactions, making it more relevant than ever in the growing wake of credit card fraud and data breaches.
What’s in a SOC 2 report?
There are five Trust Services Principles, or criteria, that comprise a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality and Privacy. Unlike PCI DSS, which has very explicit requirements, SOC 2 requirements allow the data provider more flexibility to decide how it wants to meet the criteria. Therefore, SOC 2 reports are unique to each company. Essentially, the provider looks at the requirements, decides which ones are relevant to its business practices, and then writes its own controls to fit those requirements. The data provider can write extra controls as needed, and can disregard others that are not relevant to what it does. The SOC 2 audit is simply the auditor’s opinion on how well that organization’s controls fit the requirements. This makes the auditor’s reputation very important to SOC 2 reporting, because an auditor with many years of experience in SOC reporting is more likely to have a thorough understanding of SOC controls and of the best practices to apply to them. The end result of a clean (passed) opinion is that, according to the auditor, the data provider can be trusted as a secure hosting company.
SOC 2 hasn’t changed since it was first implemented, has it?
No. The only thing that’s changed is that the criteria within the five Trust Services Principles have been rearranged and refined to be more security based than before. The five principles themselves are still the same, allowing data providers to decide how they want to meet the controls.
Why is a SOC 2 report so popular right now?
The biggest reason is that SOC 2 reports on the security behind highly sensitive transactions, as mentioned above. People want to be able to trust their data providers with confidential information, and a clean SOC 2 report means companies can depend on their hosting provider for secure, compliant hosting. That in turn means less worry for the end customer, and less investment on their part in controls. It’s important to remember that the customer still carries its own compliance responsibilities, such as company policies and procedures, just as the vendor does.
What’s the difference between SOC 1 and SOC 2?
SOC 1 reports are “important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations” (aicpa.org), whereas SOC 2 reports “are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy” (aicpa.org). In layman’s terms, SOC 1 reports on the financial controls, and SOC 2 reports on the security behind those controls. Each report uses a different standard: Standards for Attestation Engagements 16 for SOC 1, and Attestation Standards 101 for SOC 2. In addition, a SOC 1 report is a report generated by auditors for other auditors, whereas SOC 2 reports contain more sensitive information and are not shared outside the company with anyone.
Do I need a SOC 2 report?
If you’re a data provider that stores or processes financial information, absolutely. If you’re a company looking to outsource your data storage of financial information and need a provider that is secure and compliant, a SOC 2 report will go a long way towards fulfilling that obligation. If your current or potential vendor is not willing to share their reports, consider another provider.
Ok. What about SOC 3?
The SOC 3 report is a public-facing document that gives a high-level overview of the information in the SOC 2 report. A SOC 2 report contains a lot of sensitive information about specific systems and network controls, and if it falls into the wrong hands, it could cause a lot of headaches for an organization. Therefore, the SOC 3 report is used as the public-facing report, for example in marketing materials. Think of it as the abstract of a master’s thesis.
For more information on SOC reports, and SOC 2 specifically, the American Institute of CPAs is a good place to start. You can also find additional resources on SOC 1 and on the differences between SOC 1 and SOC 2, or visit www.ssae16.org.