
What is SOC 2 Compliance?

SOC 2 (System and Organization Controls 2) is a type of audit report that attests to the trustworthiness of services provided by a service organization. It is commonly used to assess the risks associated with outsourced software solutions that store customer data online.


Availability

  • Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity's availability commitments and system requirements.

  • Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity's availability commitments and system requirements.

  • Recovery plan procedures supporting system recovery are tested to help meet the entity's availability commitments and system requirements.

Confidentiality

  • Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity's confidentiality commitments and system requirements.

  • Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity's confidentiality commitments and system requirements.

  • Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity's confidentiality commitments and system requirements.

  • The entity obtains confidentiality commitments that are consistent with the entity's confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.

  • Compliance with the entity's confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.

  • Changes to the entity's confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.

  • The entity retains confidential information to meet the entity's confidentiality commitments and system requirements.

  • The entity disposes of confidential information to meet the entity's confidentiality commitments and system requirements.

Organization and Management

  • The entity has designed organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security, availability, and confidentiality.

  • Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security, availability, and confidentiality and provides resources necessary for personnel to fulfill their responsibilities.

  • The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security, availability, and confidentiality.

Communications

  • Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.

  • The entity’s security, availability, and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.

  • The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.

  • Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security, availability, and confidentiality of the system, is provided to personnel to carry out their responsibilities.

  • Internal and external users have been provided with information on how to report security, availability, and confidentiality failures, incidents, concerns, and other complaints to appropriate parties.

  • System changes that affect internal and external users’ responsibilities or the entity’s commitments and system requirements relevant to security, availability, and confidentiality are communicated to those users in a timely manner.

Risk Management and Design and Implementation of Controls

  • The entity (1) identifies potential threats that could impair system security, availability, and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system); (2) analyzes the significance of risks associated with the identified threats; (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies); (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control; and (5) reassesses, and revises as necessary, risk assessments and mitigation strategies based on the identified changes.

  • The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy, reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities, and updates the controls, as necessary.

Monitoring of Controls

  • The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as they relate to security, availability, and confidentiality and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

Logical and Physical Access Controls

  • Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

  • Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • Access to data, software, functions, and other IT resources is authorized and modified or removed based on roles, responsibilities, or the system design and changes to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • Logical access security measures have been implemented to protect against security, availability, and confidentiality threats from sources outside the boundaries of the system to meet the entity’s commitments and system requirements.

  • The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security, availability, and confidentiality.

  • Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

System Operations

  • Vulnerabilities of system components to security, availability, and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s commitments and system requirements.

Change Management

  • The entity’s commitments and system requirements, as they relate to security, availability, and confidentiality are addressed during the system development life cycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components.

  • Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.

  • Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security, availability, and confidentiality commitments and system requirements.
