SOC 2 is an international compliance standard that defines rules for B2B (business-to-business) organizations regarding data security.
SOC (Service and Organization Controls) 2 was developed by AICPA (The American Institute of Certified Public Accountants).
It regulates data security management based on the following five cybersecurity principles, which are also defined as Trust Service Criteria (TSC):
- Processing Integrity
SOC 2 requirements, explained for cloud
In order to become SOC 2 compliant, you must fulfill 64 controls across the 5 TSCs mentioned above.
In this section, we will look at some of the points of focus necessary to obtain the accreditation. They should be taken into account by companies that use cloud services.
Grouped by criteria and explained, here are examples of requirements:
- Implements Boundary Protection Systems - The company uses firewalls, IDSs, DMZs to secure devices.
- Requires Additional Authentication or Credentials - Multi-Factor Authentication (MFA) is configured for all users.
- Designs Detection Measures - Logging and monitoring are implemented.
- Implements Alerts to Analyze Anomalies – Targeted alerts are used to ensure fast remediation for high-priority assets.
3. Processing Integrity
- Protects Stored Items – Sensitive data is safely stored in order to prevent it from being tampered.
- Creates and Maintains Records of System Storage Activities – Logging and monitoring are required for this criterion as well.
- Restricts Logical Access– Access to sensitive cloud assets is limited, and the Least Privilege Principle is implemented.
- Identifies and Authenticates Users – The company follows good practices regarding IAM.
- Uses Encryption to Protect Data – All assets of type storage are encrypted.
- Protects Identification and Authentication Credentials – Managing access to cloud assets is a matter of privacy since an entity that isn't authorized should not be able to access them.
How do you obtain the SOC 2 accreditation?
The process of obtaining it depends on the type of accreditation you’re going for. There are two types of SOC audits, which require different reports:
- Type 1: a single audit and a single report are required at a specific date and time. For this type, the design of the security program put in place is evaluated.
- Type 2: to obtain the SOC 2 Type 2 accreditation, an audit is carried out over a period of time, usually a minimum of six months. For type 2, the execution of the security program is evaluated.
There are advantages and disadvantages to both types.
While type 1 requires less effort and is easier to get, it is also less valuable, since the evaluation result only reflects the state of the company's data security at a given point in time.
With type 2, you invest more time and resources into getting accredited, but the result shows more effort and commitment toward the customer's data security.
Once you’ve decided which SOC 2 type you want to obtain, you need to start the long process of obtaining the accreditation.
Use Cyscale to make this process easier for you
Cyscale can help you obtain the SOC 2 accreditation for your company by:
- checking with the use of in-app controls whether you're implementing the requirements,
- providing you with remediation steps for any findings,
- helping you to demonstrate, during the audit, that you’re SOC 2 compliant and should receive the accreditation.
In the image below, you can see a part of the SOC 2 standard page in Cyscale, which gives you metrics to know how you're doing in your process of becoming compliant.
A large set of technical controls included in this standard are mapped to SOC 2 points of focus to easily understand which ones you’re correctly implementing, and which require your attention.
Receive new blog posts and product updates from Cyscale