What does SOC 2 certification mean for cloud security?
Since the start of the COVID-19 pandemic and the shift to remote work, if not earlier, companies have become more interested in flexible and reliable cloud solutions. Yet they are also concerned about potential security gaps. How do you know whether a specific SaaS solution offers the highest possible protection against data theft, data loss and malware? SOC 2 certification can provide guidance here.
What is SOC 2?
SOC stands for "System and Organization Controls," i.e. the internal controls and procedures that ensure a system is protected against unauthorized access, use and modification. This internationally recognized standard is issued by the American Institute of Certified Public Accountants (AICPA), a respected auditing body. As the largest professional association of auditors in the US, the AICPA publishes a range of SOC guidelines that auditors use to structure their audits:
• SOC 1® – SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)
• SOC 2® – SOC for Service Organizations: Trust Services Criteria
• SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report
• SOC for Cybersecurity
• SOC for Supply Chain
SOC 2 is used to certify cloud service providers once they meet certain trust services criteria for data security and data privacy.
The five trust services criteria
The internal control parameters for these trust service principles include the criteria of security, availability, processing integrity, confidentiality and data privacy. SOC 2 certification tells companies that a cloud provider verifiably meets the following:
• Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to the systems. This ensures the availability, integrity, confidentiality and data privacy of information and systems.
• Availability: Information is accessible at all times to authorized persons and the systems include controls that support accessibility for operations, monitoring and maintenance.
• Processing integrity: This criterion relates to the completeness, validity, accuracy, timeliness and authorization of system processing. The systems have to run free of errors, delays, omissions, and unauthorized or accidental tampering.
• Confidentiality: Companies must be able to use the systems to protect sensitive information designated as confidential, in compliance with laws and with their own company guidelines – from its entry or creation to its final deletion.
• Data privacy: In addition to confidentiality for various types of sensitive information, data privacy applies specifically to personal information. With a certified solution, companies must be able to collect, use, store, disclose or delete personal information on the cloud in compliance with data privacy regulations.
What does it take for a cloud service provider to become SOC 2-certified?
In order for a SaaS provider to meet the criteria above and be certified accordingly, consistent internal controls and processes in line with AICPA provisions are indispensable. The following requirements must therefore be met:
1) Organization and management: The structures and processes of the provider support its employees and include criteria such as responsibility, integrity, ethical values and qualifications of staff.
2) Communication: Strategies, processes, procedures, obligations and requirements for authorized users and other persons are created.
3) Risk management as well as design and implementation of controls: Potential risks are identified and analyzed, followed by appropriate responses and continuous monitoring.
4) Monitoring of controls: The system and whether the controls are appropriate and effective are regularly monitored to identify and eliminate any deficits as quickly as possible.
6) Logical and physical access controls: Logical and physical access to the system is restricted, granted only to authorized persons, and unauthorized access to the system is prevented.
7) System operations: The execution of system processes is regulated, and any deviation from the normal process is detected immediately and prevented. This also includes deviations from security standards.
8) Change management: A controlled change management process defines how it is determined whether changes to the system are necessary, how approved changes are then implemented, and how unauthorized changes to the system are prevented.
What happens after certification?
Audits of SOC 2-certified cloud service providers ensure they are maintaining all of the necessary controls and process standards. To continue providing the confirmed highest level of security and availability, SaaS providers have to continuously monitor, analyze and update their services. This includes monitoring access and changes, granting access only to authorized users and enforcing it at multiple levels, and offering an additional level of security. If a data breach occurs despite detailed cyber security measures, a certified system has to alert on unauthorized access, suspicious file transfers, or changes to sensitive data. For all of this to be ultimately verifiable, a strict audit procedure must be in place: it ensures that the use of personal information and other sensitive data is recorded in detail. This means that the cloud service provider can promptly respond to threats, accurately determine the scope and circumstances of a violation, and prevent damage in time.
When choosing a cloud solution, check for SOC 2 certification: a state-of-the-art cloud infrastructure can address your concerns about security, support your operations at all times, and quickly adapt your processes to meet new requirements. The Doxis Cloud Services from the SER Group have been certified according to the SOC 2 Type 1 standard, as confirmed by the independent auditing company CyberGuard Compliance LLP in its audit report as part of AICPA certification. Find out first-hand which solutions can be implemented securely in the cloud in a live demo – with no obligation.