What is a SOC 2 Certification?
Service Organization Control 2 (SOC 2) is a component of the American Institute of CPAs' (AICPA) Service Organization Control reporting platform. SOC 2 is a technical auditing process and certification that measures security and availability and serves as an assurance to customers that their data is being managed in a controlled and audited environment.
Service Organization Control 2 audits were designed by the AICPA (American Institute of CPAs) as an auditing process to check the existence and effectiveness of data security, availability, processing integrity, confidentiality, and privacy controls at vendor organizations. The reports from a SOC 2 audit are commonly used to assess, provide information, and verify a third-party vendor’s data management processes.
When a business is SOC 2 compliant, it signifies that the business has implemented proper security systems to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.
SOC 2 compliance is essential for technology-based service organizations that store customer data in the cloud. This makes it applicable to most SaaS businesses, and any business that relies on the cloud to store its customers’ information.
SOC 2 for Service Organizations – https://www.aicpa.org/home
Why is SOC 2, Type 2 Critical to Clients of SaaS Service Providers?
SOC 2 is a valuable tool for assuring our most demanding clients that we are a trusted provider.
Providing a SOC 2 report streamlines our customer’s vetting process. Without a SOC 2 report, each client or potential customer may have to commission their own audit of our service before they can buy it, and then repeat that audit annually. That’s not only a big commitment to make before a purchase, but it’s also a huge burden for the service provider to support audit after audit, indefinitely.
With a SOC 2 report in hand, we provide assurance to our clients and potential customers that a third party has reviewed our controls to rigorous standards.
A SOC 2 Type 1 is a point-in-time report that evaluates and tests the design of your information security controls. A SOC 2 Type 2 report is completed over an extended period of time (the timeframe depends on the scope of your audit, usually between 6 and 12 months) to test the implementation and effectiveness of your information security program.
Understanding the SOC 2 Certification Process
The Five Trust Services Principles of SOC 2
A SOC 2 audit can only be performed by a CPA; Ryan Eyes’ examination was conducted by one of the nation’s largest professional services firms. The examination verifies the suitability of the design and operating effectiveness of Ryan Eyes’ controls as described in the SOC report throughout the examination period, providing reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to Security, Availability, and Processing Integrity (“applicable trust services criteria”) set forth in TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (“Trust Services Criteria”).
At their core, these audits gauge how the service delivery of a system fulfills the selected trust principles of SOC 2.
Availability
The process, product, or service must remain available per the agreement between user and provider. Both parties either explicitly or implicitly agree on the appropriate level of availability of the service. A system need not be evaluated for efficiency or accessibility to meet the trust principle of availability. To audit availability, an auditor must consider the reliability and quality of the network, response to security incidents, and site failover.
Confidentiality
If access to the data is limited to certain individuals or organizations, it must be treated as confidential. Data protected by the principle of confidentiality could include anything the user submits for the eyes of company employees only, including but not limited to business plans, internal price lists, intellectual property, and other forms of financial information. An auditor will take into account data encryption, network firewalls, software firewalls, and access controls.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized to meet business objectives.
Privacy
The principle of privacy applies to the collection, disclosure, disposal, storage, and use of personal information with regard to the Generally Accepted Privacy Principles (GAPP) as established by the AICPA. It applies to Personally Identifiable Information (PII), information that can be used to distinguish individuals, including but not limited to names, addresses, phone numbers, and social security numbers. Other data, including race, gender, medical profiles, and religion, is also covered by GAPP. An auditor must verify that controls are in place to prevent the dissemination of PII.
Security
System resources must be defended against unauthorized access to comply with the principle of security. Access controls must adequately resist attempts at intrusion, device manipulation, unauthorized deletion, data misuse, or improper modification and release. An auditor looks at IT security tools like web application firewalls (WAF), encryption, and intrusion detection in addition to administrative controls such as background checks and authorizations.
Ryan Eyes will use its SOC 2 reports to provide security assurance to clients during the sales process, to meet regulatory compliance requirements, and to support governance and risk management. SOC 2 has become a standard for B2B vendors and SaaS companies.
As we suggested earlier, providing a SOC 2 report will streamline our sales process for our clients. Without a SOC 2 report, the burden of conducting an audit of our service would fall on each of our clients, and it would have to be repeated every year. It was critical for us to remove that barrier for our clients and help them focus on the benefits of our services and solutions rather than on managing audits.
With a SOC 2 report complete, Ryan Eyes is ensuring security compliance for our clients and providing the peace of mind that our operations will meet even the most stringent requirements.
To Learn More About Choosing a Cloud Provider for Your Organization – Contact Us, We Are Happy to Help – 1 (347) 759 0105.
You Can Also Fill Out Our Contact Us Form Here to Talk with a RyanEyes Consultant – https://www.RyanEyes.com/contact-us/