What it Means to be SOC 2 Compliant
AICPA (the American Institute of Certified Public Accountants) developed the SOC 2 (System and Organization Controls) framework in 2010 to provide guidance for evaluating the operating effectiveness of an organization’s security protocols, especially within cloud environments.
SOC 2 is a compliance and privacy standard that outlines how organizations should manage customer data and related systems to ensure confidentiality, integrity, and availability.
SOC 2 defines five Trust Services Criteria (TSC) that evaluate various aspects of information security and governance. The first, security, must be a part of any SOC 2 audit, and organizations can choose to include other trust services categories. Organizations tailor their SOC 2 audits based on their specific needs and the services they provide.
- Security: Ensures protection against unauthorized access, breaches, and other security incidents by assessing the effectiveness of controls related to data protection, access, and system security.
- Availability: Ensures systems are available for use as needed by examining whether the service is available as promised and whether any planned or unplanned downtime occurs.
- Processing Integrity: Ensures accurate and complete processing of data as well timeliness and consistently of data processing.
- Confidentiality: Ensures data confidentiality by examining data encryption, access restrictions, and confidentiality agreements.
- Privacy: Ensures compliance with privacy regulations for personal information.
Customizing SOC 2 Controls to Best Fit Your Organization
Organizations design their own internal controls to meet these requirements, as needs and controls are unique to each organization. It’s common for organizations to use a service or consulting company, such as Raxis’ partner Strike Graph, to help them understand the different controls, to assess which are relevant for the organization’s systems and services, and to ensure that they have fulfilled the controls properly before an audit takes place.
Many organizations focus entirely on the Security TSC, also known as the common criteria, for their SOC 2 audits. The common criteria are required for all SOC 2 audits. These are the areas of focus, created in 2017 and revised in 2022:
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
During the SOC 2 audit, an independent auditor evaluates the organization’s security posture related to the selected Trust Services Criteria. Organizations provide evidence for the controls they have in place, and, if auditors feel there are deficiencies, organizations can choose to remedy those during the audit or to explain why they accept the risk.
SOC 2 Type 1 versus SOC 2 Type 2
While Type 1 provides a foundational layer regarding the control design for the organization, Type 2 offers a comprehensive view of control effectiveness over time. Type 1 is the first step in annual SOC 2 compliance. Organizations can choose to combine Type 1 and Type 2 during their first SOC 2 audit or to become Type 1 compliant the first year and then move on to Type 2 in subsequent years.
SOC 2 Type 1 evaluates an organization’s cybersecurity controls for their effectiveness at safeguarding customer data at a specific point in time, while Type 2 examines how well the organization’s system and controls actually perform over a period of time (often 3-12 months).
Raxis, for example decided to focus on SOC 2 Type 1 in our first year of compliance so that our team had the time to focus on building out the necessary controls in the most robust manner possible that matched our systems and services. SOC 2 allows organizations (to a certain extent) to setup their controls with as much simplicity or complexity as they see fit. As security is integral to every part of Raxis’ business and goals, our aim in choosing to become SOC 2 compliant was to take the time to build the controls out to best protect the data entrusted to us.
Honestly, we discovered that we could not discover the best way to implement our controls without building out and testing the systems themselves. In the end, we could have performed our SOC 2 Type 2 audit in 2023 as well, but with the busy end-of-year penetration testing season, we decided to complete our first SOC 2 Type 2 compliance audit this April, covering this past winter and spring.
How Does Penetration Testing Relate to SOC 2 Compliance
SOC 2 compliance is essential for demonstrating your commitment to data protection, while penetration testing provides an extra layer of security by identifying vulnerabilities so that your organization can correct them before they are exploited.
But there’s more… SOC 2 compliance often requires a penetration test (and a retest of critical and severe findings) as one of the controls in order to show that organizations successfully monitor and correct/mitigate security risks to their systems.
Raxis often performs SOC 2 penetration tests for our customers and is proud to work with SOC 2 partners to perform penetration tests for their customers as part of their framework offerings. Tailoring your penetration test to your specific needs and goals is an important first step in scoping any test.
Why Choose to Become SOC 2 Compliant?
While not yet required, SOC 2 compliance helps establish trust between service providers and their customers. With high-profile data breaches becoming more common, many organizations, like Raxis, choose to become SOC 2 compliant both as an exercise to ensure the security controls they’ve created are robust and also to ensure the controls are updated as the threat landscape changes over time.
SOC 2 compliance is audited annually, ensuring that both the organization’s controls themselves and their implementation are tested regularly to ensure that new risks are accounted for and that security policies and procedures do not become stale. SOC 2 compliance ensures that organizations handle customer data securely and transparently, meeting specific criteria for trust and protection.