SOC 2: Trust Services Criteria and Secure IT in 2022
With COVID-19, always-online eCommerce and the migration to remote, distributed workforces, IT security is more important now than ever. In some industries, regulations can dictate the privacy and security requirements that every organization must meet. In others, those regulations may be less rigorous or even non-existent. That’s why many organizations turn to additional frameworks to shore up their approach to security. That’s where SOC 2 comes in.
Service Organization Control (SOC) is a standard put into place by the American Institute of Certified Public Accountants (AICPA) to help financial institutions protect client and customer data. Because the framework is robust and focused, many organizations opt to achieve certification as part of a larger security and customer relationship strategy.
In 2022, after such dynamic shifts in our lives (particularly those tied to digital information), SOC 2 is more important than ever. Specifically, the five Trust Services Criteria can serve as the backbone of modern privacy and compliance strategies.
What Is the CIA Triad in SOC 2?
Before digging into the criteria that make up SOC 2, it’s essential to understand the operational priorities that inform them. Fortunately, SOC 2 draws from a relatively well-known grouping of approaches that can serve as the foundation of most security strategies.
These priorities are:
- Confidentiality: Information must remain secure and private. This can mean protecting customer information from outside, unauthorized access, or partitioning data access internally to prevent unauthorized employees from exposing confidential information to the outside world. Confidentiality is the cornerstone of any security compliance framework, including the SOC 2 Security criterion.
- Integrity: Data moves through IT systems in complex and often unintended ways. Because of this, information can become corrupted or unintentionally (or even maliciously) modified. SOC 2's focus on data integrity is meant to ensure that, no matter the system, information remains intact, auditable and traceable.
- Availability: Information should be secure, of course. But data isn’t of use to anyone, customer or organization, if it isn’t accessible. This priority emphasizes the capacity of an organization to provide secure access to data so that it can be processed by that organization or managed by the customer.
These three aspects aren’t isolated, hence their arrangement into a unit of three. A robust and secure system must be able to manage privacy and security controls across the entirety of its IT infrastructure and associated practices, many of which will touch on two or all three of these priorities.
What Are the Five Trust Services Criteria?
Now, with the CIA priorities in place, SOC 2 defines different approaches for compliance with the framework. These approaches, called the Trust Services Criteria (TSC), address specific aspects of SOC 2 attestation that organizations must meet for certification. Each criterion addresses a group of controls and practices the organization must implement or follow.
The Five Trust Services Criteria are:
Security
These controls impact how your organization protects system data and resources from unauthorized access. Specifically, security measures under this criterion should prevent any damage to information that could affect confidentiality, integrity or availability.
Measures under this criterion can include technologies like vulnerability scanning, endpoint security, penetration testing, multi-factor authentication (MFA), anti-malware and firewalls.
Availability
Like the CIA triad, this version of availability emphasizes the ability of authorized business users and customers to access relevant data. Practices and measures under this criterion can include those that maintain system backups and disaster recovery, system uptime, redundancy technologies and performance monitoring.
Processing Integrity
This criterion refers to the ability of your IT system and associated practices to ensure that information is complete, valid, accurate and authorized as it travels through different technologies. Controls include error-checking tools, content and data audits and data storage controls.
Ensuring processing integrity includes programs like data Quality Assurance/Quality Control (QA/QC) and process monitoring.
Confidentiality
Unlike security, which focuses on keeping unauthorized users out of a system, confidentiality protects certain kinds of data from unauthorized viewing. These forms of data can vary between organizations and can include business plans, transactional information, technical schematics or intellectual property.
Confidentiality is ensured through data encryption, Identity and Access Management (IAM), MFA and other security measures.
Privacy
Privacy, like confidentiality, focuses on keeping data out of the hands of outsiders. Privacy specifically applies to personal information about individuals, including Personally Identifiable Information (PII) such as names, addresses and ID numbers, Personal Health Information (PHI) and other information.
That means obfuscating information with appropriate data encryption and using typical security measures such as IAM and MFA controls.
The critical thing to understand about SOC 2 attestation is that while these criteria are in place in the language of the framework, how an organization meets these criteria depends on their operations and lines of business. SOC 2 reports released by an organization will address how their specific infrastructure and practices meet these requirements. While some controls (encryption, etc.) will be standardized across organizations, others (data integrity) may vary.
When an organization undergoes an audit, it may choose to comply with (and become certified under) one or more of these criteria. However, all organizations seeking SOC 2 compliance must, at minimum, meet the requirements of the Security TSC. Accordingly, the SOC 2 Security attestation is the most common.
Are SOC 2 and the TSC Similar to Other Regulations?
Adhering to the Trust Services Criteria in SOC 2 serves several positive purposes:
- Meeting SOC 2 requirements aligns business practices and IT infrastructure with best practices for protecting confidentiality, integrity and availability.
- Partners and customers wanting assurance that a business associate takes the security of their information seriously will often appreciate, if not require, that businesses they work with meet SOC 2 standards.
- SOC 2 requirements can align with other challenging regulations, particularly if your organization meets all five. For example, meeting SOC 2 TSC requirements can readily position an organization to adapt to regulations and frameworks like HIPAA security, PCI DSS, NIST 800-53 security and privacy controls and ISO 27000 series security standards (specifically ISO 27001 and ISO 27002).
Prepare For and Meet SOC 2 Attestation Requirements
SOC 2 certification calls for a good understanding of requirements, internal IT configurations, and aligning the latter with the former. Lazarus Alliance has decades of experience and a proven track record of helping our clients meet their SOC 2 certification and continuing audit demands.
Ready to Start Your SOC 2 Audits?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.