Is SOC 2 Compliance Right For Your Organization? And How To Start?

Achieving a SOC 2 Type 2 report is no small undertaking. For us here at Jones IT, it took hundreds of hours of assessments, planning, and remediation simply to lay the groundwork for the system of controls that would bring us into compliance. Though the process can be difficult, many of our customers share our interest in improving their security in a remote-work age, and so SOC 2 has become a regular topic of discussion.

In this article, I am going to explore some of the reasons why your organization should become SOC 2 Compliant, and provide you with a few insider tips that will help kickstart your own compliance journey.

So What Is SOC 2?

System and Organization Controls (SOC) 2 is a reporting framework developed by the AICPA (American Institute of Certified Public Accountants) that aims to demonstrate, in the form of a report, that you are managing your clients’ data in line with the following five “trust services criteria”:

  1. Security

  2. Availability

  3. Processing Integrity

  4. Confidentiality

  5. Privacy

Essentially, a SOC 2 report provides an overview of your organization’s system of controls for managing data. A SOC 2 Type 1 report describes your controls and attests that they were suitably designed and in place at a single point in time, while a SOC 2 Type 2 report goes further and tests whether those controls operated effectively over a review period (commonly six to twelve months). If a Service Organization (a company that is providing you with a service that requires your data) presents you with a SOC 2 Type 2 report, then you immediately know two very useful things about that company:

  1. You’ll know that their system of controls has been reviewed by an independent CPA firm and found to be suitably designed to address the risks facing the organization in question. 

  2. You’ll know that the organization actually followed its controls throughout the review period, not just on the day of the audit.

As an added bonus, you’ll be able to read what those controls are, how they function in the context of the organization, which criteria were in scope, and any exceptions the auditor noted. Read those last two sections carefully; the scope and the exceptions say as much about a vendor as the controls themselves. It’s truly a fantastic document.

What Kind of Organization Would Want a SOC 2 Report?

Based on the above, you might imagine that the value of a SOC 2 report is self-evident, and to some degree it is. However, SOC 2 reports have a high cost. Besides the cost of the audit itself, you also have to bear the cost of risk assessments, remediation, and ongoing maintenance of your controls. Antivirus software isn’t free, after all. So what are some criteria that increase the value of SOC 2 compliance?

1. Does your organization provide or develop a SaaS Platform?

As a “software as a service” provider, you may want to demonstrate to your clients and partners that you take security seriously. A report against the trust services criteria mentioned above gives them independently verified evidence that you have controls for the security, availability, and integrity of your service, rather than just your word for it.

2. Does your organization regularly fill out security assessments?

It might be time to shortcut the questionnaire process and instead provide an independent third-party assessment of your internal security. Many organizations will accept a SOC 2 report in place of those grueling questionnaires, or at least accept it as the answer to most of their questions.

3. Does your organization partner with other SOC 2 compliant organizations?

Becoming compliant yourself makes the vendor assessment smoother in both directions. Some SOC 2-compliant organizations will only partner with other compliant companies, so a report of your own can open up partnership opportunities that would otherwise be closed to you.

4. Does your organization have a need for world-class security? 

All of the above are excellent reasons to pursue SOC 2 compliance, but sometimes it is reason enough to know what your risks are and that a third party has verified that you are properly prepared for them. It has certainly helped us to sleep better at night. 

My Organization Wants to Pursue SOC 2. Where do we start? 

Pursuing a SOC 2 Type 2 Report can be a massive undertaking, but once you have achieved your first Type 2 Report, maintaining it gets much easier. Let’s start by reviewing what is required of you in order to achieve a SOC 2 Type 1 and Type 2 report.

To achieve a SOC 2 Type 1 report, you have to have a licensed, independent CPA firm review and report on the design of the administrative, physical, and technical controls that support your organization’s in-scope Trust Services Criteria as of a specific date. In order to achieve a SOC 2 Type 2 report, your auditor has to go a bit further and confirm not only that your controls are suitably designed, but that they actually operated effectively at your organization throughout the review period.

Let’s take a moment to review the three different types of controls that you’ll implement in order to protect your organization. I covered these in my HIPAA Compliance blog post, and the same categories of control apply here as well.

What is an Administrative Control?

Administrative Controls refer to the training, policy, procedure, or other implementations aimed at informing and altering the behavior of people, rather than protecting the data or systems directly. Administrative controls play an important role in the enforcement of your Trust Services Criteria by helping to train and inform your employees about what is and is not permissible behavior.

An example of an Administrative control would be an IT Policy that states that “remote workers must use a virtual private network (VPN) while accessing company resources”. In this example, the control isn’t the VPN, but rather the policy that says that employees must use a VPN. Policies must usually be signed by employees to verify that they have read and understood the requirements.

What is a Physical Control?

Physical controls refer to the implementation of physical barriers, systems, or other protections between an unauthorized individual and sensitive data. Physical controls include things such as security checkpoints or doors, security guards, and security camera systems. Physical controls could also include security measures such as photo IDs and biometric access to a facility. Generally speaking, if a control obstructs the ability of a perpetrator to access sensitive data or personally identifiable information (PII) in person, it is a physical control.

As an example, say that you have a policy that states that “employees must use NFC (near field communication) photo-ID cards in order to access the office”. In this example, the policy itself is an administrative control, while the NFC photo-ID cards and the reader-controlled door are the physical control. If the door were propped open for anyone to walk through, this would be a breach of both the physical and the administrative control: a physical breach for anyone walking through the door, and a policy breach for the individual who left it open, assuming the policy makes clear that they should not have.

What is a Technical Control?

A technical control is a hardware or software solution that detects or prevents unauthorized digital or cyber access to data. Technical controls include controls such as a network firewall, an IDS (intrusion detection system) or IPS (intrusion prevention system), drive encryption, VPN, and user-based access controls. An easy example of a technical control would be the antivirus software that you have installed on your computer.

How the Three Types of Controls Work Together to Protect Your Data

Let’s assume that there is a laptop containing sensitive company data. Firstly, administrative controls would protect this device through a policy called a “Clean Desk Policy”, which would state that the laptop is not to be left out on your desk, and must be placed into locked storage when not in use. Let’s say that there is a breach in this particular control, and the laptop is left on an employee’s desk. The laptop is still being protected by physical controls, given that it is safely inside the building. A perpetrator would have to get past the locked doors, security guards, photo ID cards, and security cameras in the building to successfully steal the laptop undetected.

But for the sake of the example, let’s say that the perpetrator does indeed bypass all physical security controls. Even then, the data on the laptop is still protected by technical controls, in particular, drive encryption. Drive encryption means that the thief cannot simply remove the hard drive from the laptop and read the data, as without the key the drive contents appear as random bytes. One caveat a practitioner should keep in mind: drive encryption protects data at rest, so it only helps if the laptop was powered off or locked with the key not released; a laptop left logged in and unlocked on the desk has already defeated that control. Provided the key is protected, encryption stops a stolen laptop from becoming a data breach. You can see from this example how the three areas of security controls work together to create a safe environment for your sensitive data.

SOC 2 Compliance Process

You can break down the “SOC 2 Process” into the following steps:

1. Conduct an Internal Risk Assessment.

The best way to begin the SOC 2 process is to formally identify the risks to your organization. Your goal should specifically be to identify risks that might compromise your organization’s Security, Availability, Integrity, Confidentiality, or Privacy. Knowing what threatens your data and services can help you to determine the scope of your SOC 2 report.

For example, if you make no availability commitments to your clients (there is no uptime guarantee or SLA in your contracts, say), then you might be able to scope “Availability” out of your audit and report. Note that you can only scope out categories that do not apply to your organization. Security, also known as the common criteria, is mandatory in every SOC 2 report and cannot be scoped out.

2. Write policies that mitigate risks via administrative, physical, and technical controls.

Once you have identified risks to your organization, the next step is to begin crafting policies that address those risks. IT policies are an administrative control that helps to maintain your applicable Trust Services Criteria. If you are aiming at a SOC 2 Type 1 report, your controls need to be designed and in place as of the report date, but you do not yet need a track record of operating them; that history is what a Type 2 report adds.

As a tip for writing Policy items, make sure that the policies that you write reflect as closely as possible the routines, procedures, and culture that your organization already implements. Writing policies that are too different from the status quo can significantly increase the work you’ll have to do in the following remediation steps. However, your policies still need to sufficiently address risks to your Trust Services Criteria, so be careful not to make them too vague or lenient or you’ll be heading back to the drawing board.

3. Remediate issues that prevent your organization from aligning with those controls.

Remediation is the process of making the reality of your organization conform to the policies that have been written to govern it. The difficulty you’ll have at this stage is a direct reflection of how well your policies match your current practices. If the policies simply document risk mitigations you already have in place, then great, you’re done. More often, however, we find that our clients need to implement new systems or controls in order to conform to their newly written policy. This might include anything from implementing MDM (mobile device management) and antivirus software for endpoints, to installing security cameras, hiring security guards, and fitting door-locking mechanisms. 

4. Establish a system for gathering and retaining evidence of your controls in action.

It isn’t enough to just be remediating issues that conflict with your new policy. You are going to have to prove that you are conforming with your policies to your auditors, and that means that you need a system for collecting evidence relating to your SOC 2 controls.

At Jones IT, we have several different workflows that help us collect and store evidence in preparation for our annual audit. One of the most important to me is our partnership with Vanta, which provides us with a best-in-class SaaS solution for automating much of our evidence collection and storage, and makes it easier and cheaper for our auditors to review that evidence. 
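As an added example of the kind of evidence workflow this step calls for, here is a small, self-contained Python script. It is not Jones IT’s or Vanta’s code; it assumes a hypothetical endpoint-protection control (identifier “TC-ENC-01”, with disk encryption, MDM enrollment, and antivirus-definition age as its requirements) and evaluates it against a constructed device inventory. A real collector would pull these records from your MDM or endpoint-management API instead. The point it shows beyond the paragraph: each run produces a timestamped record listing the exceptions, and the record carries a SHA-256 digest so an auditor can confirm a retained artifact was not edited after the fact.

```python
"""Continuous control-monitoring check producing tamper-evident SOC 2 evidence.

Hypothetical example. Control TC-ENC-01 (an invented identifier, not an AICPA
criterion number) reads: "All company laptops have full-disk encryption
enabled, are enrolled in MDM, and have antivirus definitions no older than
7 days." The device inventory below is constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONTROL_ID = "TC-ENC-01"            # hypothetical control identifier
MAX_AV_DEFINITION_AGE = timedelta(days=7)


@dataclass
class Device:
    hostname: str
    disk_encrypted: bool
    mdm_enrolled: bool
    av_definitions_updated: datetime  # timezone-aware UTC timestamp


def evaluate_device(device: Device, now: datetime) -> list[str]:
    """Return the list of policy failures for one device (empty means compliant)."""
    failures = []
    if not device.disk_encrypted:
        failures.append("disk_encryption_disabled")
    if not device.mdm_enrolled:
        failures.append("not_enrolled_in_mdm")
    if now - device.av_definitions_updated > MAX_AV_DEFINITION_AGE:
        failures.append("antivirus_definitions_stale")
    return failures


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence(devices: list[Device], now: datetime) -> dict:
    """Evaluate every device and return an evidence record with a SHA-256 digest."""
    exceptions = {}
    for device in devices:
        failures = evaluate_device(device, now)
        if failures:
            exceptions[device.hostname] = failures
    record = {
        "control_id": CONTROL_ID,
        "collected_at": now.isoformat(),
        "devices_checked": len(devices),
        "exceptions": exceptions,
        "result": "pass" if not exceptions else "fail",
    }
    record["sha256"] = _digest(record)
    return record


def verify_evidence(record: dict) -> bool:
    """Recompute the digest of a retained record to confirm it was not altered."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record.get("sha256")


# Fixed collection time so the example is deterministic.
COLLECTED_AT = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)

# Constructed inventory: one compliant laptop and two with exceptions.
SAMPLE_DEVICES = [
    Device("lt-alice", True, True, COLLECTED_AT - timedelta(days=1)),
    Device("lt-bob", False, True, COLLECTED_AT - timedelta(days=2)),
    Device("lt-carol", True, False, COLLECTED_AT - timedelta(days=10)),
]


def run_check() -> dict:
    """Run the control check over the constructed inventory."""
    return build_evidence(SAMPLE_DEVICES, COLLECTED_AT)


if __name__ == "__main__":
    evidence = run_check()
    print(json.dumps(evidence, indent=2))
    print("digest verifies:", verify_evidence(evidence))
```

Running it reports a “fail” result with lt-bob and lt-carol listed as exceptions, which is exactly what you want retained: a failing check with named exceptions and a remediation ticket is far better evidence than a check that was quietly skipped. Store each record as produced, never edit it, and keep the digest alongside so your auditor can re-verify it.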

5. Establish a system for regularly auditing, reviewing, and remediating vulnerabilities.

Once you have all of the above steps in place, it’s time to set the process on repeat. You’ll have to regularly review your controls and their effectiveness in mitigating risks to your trust services criteria. This will likely take the form of regularly occurring meetings within various departments that have expertise over the relevant controls under the supervision of the administrative team. It can be difficult work, but the results are an impeccable understanding of your organization and the risks that it faces, along with well-documented and closely monitored controls to mitigate those risks.

As you have likely gathered, getting ready for a SOC 2 audit is a hefty process. We help many of our clients achieve and maintain their SOC 2 reports, and if you are interested in talking to us about a SOC 2 risk assessment, you can reach out to us.
