Information security and data privacy are more important than ever. With a growing number of systems in our work environment, we look for solutions that are secure and manage sensitive data with care. For organizations that provide services to customers, nothing is more critical than being trustworthy, especially with regard to the processes for handling customers' information.
A SOC report has become a critical document when evaluating a service organization. It is the result of a rigorous process in which a third-party firm conducts an audit that assesses how a company manages data. Let us tell you a bit more about what that means.
What is SOC?
SOC means Service Organization Controls.
Service Organization Controls (SOC) are regulations that ensure service providers securely manage client data, protecting both the interests of the client organization and the privacy of its customers. The controls provide assurance that appropriate policies and procedures are in place for data collection and processing, and that the company is prepared in case things go haywire.
There are different SOC standards:
A SOC 1 report focuses on a company's financial transactions, such as controls over financial statements at service organizations.
A SOC 2 report covers non-financial organizational controls related to the security, availability, processing integrity, confidentiality, or privacy of a company's systems. It is based on the existing SysTrust and WebTrust principles and is designed to evaluate an organization's information systems. Within SOC 2 there are two types:
- Type I evaluates and reports on the design of controls put into operation as of a specified point in time. It reviews whether the company's systems meet the relevant trust principles.
- Type II includes the design and testing of controls to report on the operational effectiveness of controls over a period of time. It assesses whether the systems can achieve the related control objectives throughout a specified timeframe. A Type II report also includes a detailed description of the service auditor’s tests of controls and results.
Why should customers care about SOC?
Choosing software requires trust. With the move to cloud computing, many companies are giving up direct control over systems that support key business functions. If one of these systems went down, it could impact the company's productivity or performance.
While service providers say they are focused on security and reliability, customers often have to take their word for it. With a third-party assessment, customers are given reassurance and have a more tangible proof point when choosing a service provider. A SOC report demonstrates that focus on security, making sure companies aren't just saying it.
Why is Sign In Enterprise doing this?
We have always put a large focus on security and platform reliability. As our team is growing at a rapid pace, it is important to establish more central controls and procedures that ensure everyone is aligned and clear on how we operate as a company. SOC 2 will allow us to formalize and communicate our processes externally and continue to drive our focus on security across everything we do.
What is the process?
So, what does this process look like in practice?
Step 1: Look at all the SOC requirements
Step 2: Hire a third party to help
Step 3: Decide on the areas of SOC 2 to focus on
Step 4: Review the SOC 2 requirements for those areas
Step 5: Identify the controls you have in place already for those requirements
Step 6: Identify additional controls you need to put in place to support those requirements
Step 7: Implement those controls
Step 8: Test the controls (testing the controls is a very important step to ensure the company is prepared in the event of something happening)
Step 9: Fix any issues in the controls that were identified during testing. These things evolve over time, so it's important to always keep them front of mind.
Step 10: Third-party assessment to ensure the controls are in place
Step 11: Report is written and delivered
Strong security is fundamental to our vision of the company we want to build. Investing in SOC 2 compliance helps us demonstrate to our customers that we are trustworthy and take security, data protection, and compliance seriously. Sign In Enterprise is in the process of obtaining a SOC 2 Type I report focused on Security, Availability, and Confidentiality, and is proactively pursuing the Type II report.
Curious? Got questions? Get in touch.