How SOC 2 Alleviates Security and Privacy Concerns for Your Customers
December 05, 2019
In recent years the impact of data breaches has become more significant. In 2018, for example, the average cost of a data breach was $3.86 million globally, while 88 percent of UK organizations reported suffering a breach in 2018.
Data security officers can’t help but worry as they read the latest headlines of massive disruption caused by a security breach. Even though they are subject to massive fines, the impact of a breach is far more significant than the financial repercussions of one. A violation of trust damages reputations—not only of the company but also of its customers. Companies relying on SaaS solution providers want to be confident that the vendors they choose are truly protecting customers’ data.
Maintaining a high level of security and privacy for their clients is perhaps the biggest challenge for large corporations. They’re responsible for protecting the data of their customers, and customers should be able to trust what their vendors are doing from a security perspective. One way to get answers to those very important questions is through an AICPA SOC 2 program.
What is SOC 2?
SOC (System and Organization Controls) 2 is an auditing procedure that, among other things, ensures secure data management to protect your organization and your clients. SOC 2 is about trust – it’s a way to ensure that organizations are doing what they should to avoid potential breaches and reputational hits. This program is designed to identify those organizational actions by evaluating five possible trust criteria:
- Security — Is the system protected against unauthorized access?
- Availability — Is the system available as agreed upon?
- Processing Integrity — Does the system achieve its purpose with complete, accurate, timely, and authorized processing?
- Confidentiality — Is confidential information protected?
- Privacy — Is the system’s collection, use, retention, disclosure, and destruction of personal information consistent with American Institute of Certified Public Accountants' (AICPA) generally accepted privacy principles (GAPP)?
SOC 2 is unique in that it is designed to be customized for each company’s specific situation. For this reason, there are no pre-defined controls. Each organization defines its processes and controls and is evaluated based on the guiding SOC 2 principles, which allows organizations to specifically measure what matters to them.
This define-your-own standards approach results in greater effectiveness. SOC 2 auditors must evaluate an organization by comparing performance with stated intentions. They then align the stated plans with the five trust criteria to allow each organization to set its own goals regarding maximum security, availability, processing integrity, confidentiality, and privacy.
Two Types of Reports Serve Two Specific Purposes
The SOC 2 program includes two types of reports. Type 1 describes an organization’s policies and procedures and then evaluates how closely they meet SOC 2’s trust principles. Type 2 reports come from an ongoing audit process and reveal how well the organization has followed its policies and procedures during that time.
How to Achieve SOC 2 Compliance
Going through the SOC 2 program isn’t a fast process. It generally takes between 12 and 18 months to evaluate your company’s systems and processes, identify deficiencies, and build out and implement your controls. You need to consider what processes should be verified, which principles apply, and how you apply the principles to your unique situation.
SOC 2 Reports
SOC 2 reports are classified into Type 1 and Type 2. Type 1 reports, also known as point-in-time reports, test the design of a service organization’s controls on a particular date but not the operating effectiveness over the long term. They include a description of the system as well as tests to determine whether those system controls are designed appropriately to help meet goals.
SOC 2 Type 2 reports, however, cover a longer period of time, usually one year. They include a description of your systems and controls and test their operating effectiveness over a fixed amount of time. This ensures your business is continually performing those actions, even when nobody is looking.
When an audit occurs, you are required to provide full documentation for all periods. The auditor will select a random piece of evidence to see if you are following your outlined procedure or not.
Why SOC 2 Compliance Means Reliable Cloud Data Security and Privacy
As mentioned, SOC 2’s power comes from its flexibility and specificity. Companies can ensure they’re fulfilling their responsibilities to protect the data.
For example, a bank is required to protect personal identification data like social security numbers. That one is pretty obvious. This may be lesser known: a bank is also required to protect a phone call on which a customer reveals she’s struggling to make minimum loan payments because of a sensitive family situation. If that information were to get out to the public, the customer would be highly distraught.
Without closely-followed controls designed to keep these sensitive details private, the bank may end up allowing this data to become public, data that could prove potentially devastating to customers. SOC 2 gives organizations a practical way to verify that they have the proper procedures in place and are, in fact, ensure sensitive information stays private.
SOC 2 is so effective when it comes to maintaining security and privacy because it comes with ongoing evaluations. Companies have to stay consistent with their procedures and demonstrate that they’re meeting their standards to maintain their SOC 2 certification.
Why Security Verification is Foundational
Without security, even the most innovative software is useless, even dangerous. A single data breach can destroy a carefully built reputation and cause financial devastation. Security has to be the foundation.
While it’s impossible for any company to ensure 100% protection, SOC 2 offers a clear, practical plan and an accountability structure for companies to implement best practices and continually work to improve security.
Why Commit to Data Privacy
It’s not just hackers and scammers that customers are worried about. Companies don’t want their information shared with anyone without permission. Failure to ensure privacy can have devastating effects on customers.
Regulatory bodies are taking action. Consumer data protection is now a priority. Any company that deals with data in the EU must comply with GDPR, and similar regulations are being considered in the United States and Canada. Companies need to know that their cloud software providers are doing what they can to prevent a breach. SOC 2 provides a solid framework to verify that the provider (and the company, by default) is complying with these regulations.
What Does SOC 2 Compliance Mean for Aptean Customers?
Aptean decided that SOC 2 compliance was a priority for us, and we want users of Aptean Respond, our case and complaint management system, to know that we hold ourselves to very high standards when it comes to their information and their trust. The more we look at SOC 2, the more we realize it is an ideal program to verify that we are consistently hitting goals across all five principles.
Because we are perpetually going through the SOC 2 process, Aptean customers know that we’re committed to their security. We choose SOC 2 because we want a way to verify and demonstrate that we’re concerned with more than just fulfilling legal obligations or hitting a minimum set of standards.
We view security and privacy as the foundation of our case and complaints management system, and we vow to remain committed to protecting our customers’ data privacy.
To learn more about all the ways Aptean Respond is protecting your data, contact firstname.lastname@example.org.