soc2 certificationThere were 945 data breaches globally in the first half of 2018. 945!

That’s 4.5 billion compromised records in just 6 months! It is more important than ever to take every precaution to keep user data safe. One way that a company can make sure that they are keeping data safe is by undergoing SOC 2 Certification.

We’ve put together a comprehensive overview of what SOC 2 is and what it’s all about. Read on to learn more!

What is SOC?

The letters SOC stand for Service Organization Control. There are a few reports related to SOC certification. The SOC 1 report is for financial information like credit card numbers. The SOC 2 report is for non-financial information.

The certification process involves an audit by a third-party to verify that a company is meeting SOC guidelines.

Why SOC 2 Certification is Important?

SOC 2 is important because it holds businesses to a standard that protects consumer data. It allows the consumer to have peace of mind knowing that a company is vetted and approved, showing that they are handling data responsibly.

This type of certification is essential for companies that store data in the cloud, as well as those that offer SaaS (software as a service) subscriptions. Companies that handle healthcare information fall under patient-protection laws and HIPAA, so having SOC 2 certification and compliance is a good step for them to show they are protecting patients’ information.

SOC 2 is not required, but it is a way of communicating the degree of care a company is taking to the consumer. High profile data breaches are in the news all the time, and it seems easier than ever for criminals to compromise private data.

Companies should test all web applications and software to make sure they stand up to hacking, DDos attacks, and any other attempts at compromising customer information. When a company does have a data breach, it lowers public opinion of them and users can experience identity theft. That could ruin their credit or lose them their retirement savings!

It is up to companies who use this data to conduct business to protect their users. A SOC 2 certification can go a long way to building user confidence.

SOC 2 Certification Parameters

In order to pass the SOC 2 audit process, a third-party evaluates a company’s system on five criteria:

1. Security

The SOC2 evaluates a company’s system on how it protects system resources against unauthorized access. One of the ways they can accomplish this through bot detection and management. The technology identifies the legitimacy of users attempting to access the site and rejects bots trying to abuse it.

There are also other IT security measures that could be in place, like WAFs (Web Application Firewalls) and intrusion detection. Two-factor authentication, which requires users to use multiple methods to verify legitimacy when accessing the site, is another common security measure that SOC 2 may evaluate.

2. Availability

SOC 2 also tests system availability. It verifies that users can access the software or service site when they need to. It tracks website and system performance and downtime and makes sure that they conform to acceptable standards.

These standards are not defined by the SOC 2 but by the company’s service level agreement (SLA) which is a contract between them and the user. It sets a minimum for performance level that must be met in order to be acceptable and not breach the contract.

3. Processing Integrity

SOC 2 examines the system’s processing integrity. This is an evaluation of whether or not the system delivers on its intended purpose. In simple terms, does it do what it is supposed to do? Does it deliver the right data at the right time? SOC 2 looks for data processing to be valid, complete, accurate, authorized, and timely.

Processing integrity is different than data integrity. If errors are present in the data before they are entered into the system, detecting those errors is not the processors’ responsibility. Companies can avoid data errors by having quality data processing procedures.

4. Confidentiality

SOC 2 evaluates whether the system is keeping consumer data confidential. That means that the data is only shared with a specific set of personnel who need to have access in order to deliver the product to the consumer. This is usually laid out in some sort of disclosure which the user is required to agree to in order to use the service.

SOC 2 makes sure that the company is following what was laid out in the disclosure and that user data is being guarded. Encryption is one of the crucial ways that systems can keep data confidential when it is transmitted. A commitment to keeping user data confidential is essential to the survival of tech companies that rely on user data.

5. Privacy

SOC 2 examines how a company’s system collects, uses, retains, and disposes of user data. It uses guidelines defined by the company’s privacy policy, as well as the AICPA’s GAPP (generally accepted privacy principles.)

Companies are required to put controls in place to protect user’s personal information, especially PII (Personal Identifiable Information.) This is the information that hackers can use to steal someone’s identity. It includes things like social security number, name, and address. This type of data requires an extra degree of protection to ensure it is not compromised and the SOC 2 looks at how a company is doing that.

Keeping Data Safe

Companies that desire to keep data safe should have their system audited. A SOC 2 certification can go a long way to showing users that their data is safe and in good hands the company.

As a user, you should seek out services that are SOC 2 when looking for SaaS or cloud computing, to make sure your data doesn’t end up in the next big breach. And as a service provider, making sure your user’s data is safe should be priority number one.

We are SOC 2 certified and have a commitment to keeping data safe. If you are looking to outsource your data processing, contact us today!