With new security threats proliferating the internet – like the NotPetya, CloudBleed, Spectre, and Wannacry viruses – data security standards are constantly in flux. This makes it challenging for even the savviest CIO to keep a cloud-based data system compliant and secure.
To demystify the process of achieving data security compliance, we wrote this guide to the most important data security compliance standard today: SOC 2.
In the following sections, we break down the details of SOC 2 compliance and provide a multi-step approach for achieving your compliance and certification:
- What is SOC 2 Compliance?
- Understanding the Basics of SOC 2 Compliance
- 4 Steps To Ensure Your System Meets SOC 2 Compliance Standards
- Common Questions about SOC 2 Compliance
- Integrate.io: Encrypted ETL for SOC 2 Compliance
What is SOC 2 Compliance?
The American Institute of CPAs created SOC 2 Compliance as a certification standard to govern the storing of private business and customer information by third-party service providers. SOC stands for “Service Organization Control” and SOC 2 specifically relates to data security for companies that store client information on cloud-based servers.
Put simply, it is a technical certification awarded by outside auditors that evaluates your client data security management processes.
Previous compliance mandates, like SOC 1, required organizations to simply pass an audit test, while SOC 2 compliance is a more comprehensive audit procedure. It mandates long-term policy and procedures to better secure customer information through tightened internal control.
The criteria guiding SOC 2 is based on 5 trust service principles outlined by the AICPA: security, availability, processing integrity, confidentiality and privacy. You can find more information about the American Institute of Certified Public Accountants trust services criteria here. We'll go into more detail on them in the next section.
Understanding the Basics of SOC 2 Compliance
SOC 2 is particularly relevant for Software as a Service (SaaS) providers like Integrate.io – as well as the SaaS platforms behind Integrate.io’s hundreds of automatic ETL integrations. That’s because these platforms manage large amounts of highly sensitive information in the cloud. Here are some basics to help you better understand SOC 2 compliance.
There are two types of SOC 2 Compliance:
SOC 2 Type I
This details a vendor's systems to ensure they meet trust service principles. Auditors determine whether a system is compliant at a specific point in time.
SOC 2 Type II
This type assesses whether these operational systems are effective over a designated period of time.
SOC 2 creates a high standard for client data protection by:
- Requiring companies to establish and follow data security policies and procedures for their cloud-based data systems.
- Carrying out assessments to ensure companies are complying with their SOC 2 data security policies and procedures.
- Continuously updating information compliance and security standards to reflect the unique challenges presented by current cloud data security threats.
SOC 2 evaluates your client data security processes according to these trust principles:
- Security: Relates to the protection of your data system from unauthorized or malicious access, i.e., the ability of your access controls to prevent information theft, system abuse, unauthorized data removal, software misuse, unauthorized changes to information, or unauthorized disclosure of data. Information system security tools like two-factor authentication, firewalls, and intrusion detection can prevent these kinds of security breaches.
- Availability: Refers to how accessible the data system, services, or products, which is usually codified in a service level agreement (SLA). In some cases, information security protocol measures could affect system availability, so it’s important to understand what the service level commitment is before security measures restrict availability. The monitoring of network availability/performance, security incident handling, and site failover are included in this trust principal.
- Processing integrity: Relates to how well the data system achieves its goals. In other words, does it process and produce data as intended and promised? In this context, data processing should be accurate, timely, and exactly as requested. This trust principal strictly relates to processing, and it does not normally cover the integrity or accuracy of the data itself. Quality assurance procedures and monitoring of data processing can help safeguard data processing integrity.
- Confidentiality: Relates to the confidentiality of data like internal company information, business information, price lists, intellectual property, confidential client data, etc. Many companies ensure the confidentiality of data by encrypting it during transmission. Application and network firewalls, strict internal and external access controls, and other strategies are effective ways to keep confidential information safe.
- Privacy: Refers to the personal client information that the data system uses, collects, retains, discloses and/or disposes of. This data could include identifiable information (PII) such as client names, addresses, and Social Security numbers. Information related to race, sexual orientation, health, religion, and other data could also require extra security measures. Under SOC 2, strict access controls should apply to this information. Organizations should also treat this personal information in accordance with their client information privacy notices and the GAPP (generally accepted privacy principles) of the AICPA.
Ultimately, whether you're seeking SOC 2 compliance or not, taking the time to develop a custom plan to ensure these five trust principles will elevate the level of your data protection strategy considerably.
In the next sections, we’ll discuss the 4 most important steps to ensure that your cloud-based data system meets and exceeds SOC 2 certification standards.
4 Steps To Ensure Your System Meets SOC 2 Compliance Standards
1) Establish Your Data Security Oversight Plan
The first step toward SOC 2 certification is to develop a formal data security oversight plan that details your process for keeping cloud-based client information secure. This plan should include different levels of oversight within your organization.
Completing your SOC 2 data security oversight plan involves:
- Developing a process to monitor server activity for suspicious or malicious actions.
- Baselining what constitutes “normal” user activity in your cloud system so suspicious activity triggers an investigation.
- Establishing parameters for tracking server configuration changes whether authorized or unauthorized.
- Creating a framework for assigning and managing user access levels.
- Codifying your data security oversight plan in clear language so your team can follow it and so it’s available during a SOC 2 audit.
- Possibly publishing the plan on your website, so customers feel reassured that their private information is safe.
By establishing your oversight plan, you’ll be able to monitor and detect data security threats whether they’re coming from internal or external sources. That gives you the ability to respond to dangers before they develop into a cloud data security breach.
2) Create an Alerting System
Now that you’ve established the oversight parameters, you need to determine what happens when “security incidents” occur – because, inevitably, they will. The alert system should notify your team of threats like unauthorized access (or authorized suspicious access) to your cloud servers. The alarm system should immediately notify the appropriate person who can secure the data system quickly and effectively.
The biggest challenge to your alerting system will be false alarm distractions. If alerts are too sensitive, your staff will investigate so many false positives that they’ll start to ignore important alerts or waste time investigating non-events. That’s why baselining normal user behavior is essential to monitoring activity. It allows your alerting systems to trigger only when user activity falls outside the norm.
SOC 2 requires alerts for suspicious file transfers, unauthorized exposure of customer data, suspicious changes to server configurations, and unauthorized modification of client files. Alerts should also trigger after unauthorized logins or suspicious access to privileged accounts and files.
Fine-tune your alerting system by:
- Baselining what constitutes normal user activity.
- Listing and addressing all incidents that indicate a threat.
- Establishing risk profiles to trigger alerts.
- Making sure the right people receive alerts so they can respond immediately.
3) Develop a System for Recording Audit Trails
Having a system for recording audit trails is essential to understanding a security breach after it occurs. Audit trails provide deep insight into the minutiae of what happened so you can combat an active security breach, and quickly resolve a vulnerability after an attack.
Audit trails should track and record all cloud server activity so you can have the following information to understand the context of an attack:
- Who carried out the attack?
- Under whose access credentials did the attack occur?
- What happened during the attack?
- What files were accessed?
- What server configurations changed?
- What malware was installed?
- What was the impact of the attack?
- When did the attack happen?
- Where did the attack originate (was it an inside job or from somewhere else)?
- How did the attackers succeed?
When your audit trails provide these details, your team will have the best chance of initiating quick and successful remediation.
4) Speed Up Threat Remediation Time
It’s not enough to have a database security monitoring plan, an accurate alerting system, and detailed audit plans. Your speed and success when it comes to remediating threats is essential to SOC 2 compliance. Therefore, you must ensure that your data security processes practically support your ability to prevent and resolve security problems.
Measuring the success of your SOC 2 compliance plan in this regard requires you to religiously track your “Mean Time to Detect” (MTTD) and “Mean Time to Remediate” (MTTR) statistics. These metrics will allow you to measure how well your data security oversight plan is working.
According to the 2019 SANS Incident Response Survey, 19.5% of organizations had an MTTD of two to seven days, and only 52.6% had an MTTD of 24 hours or less. Worse, 22.8% of organizations took between a week and a year to respond to threats. Regarding the time from detection to containment, 67% of organizations contained threats within 24 hours or less. As for the time from containment to remediation, 68.7% remediated the threat within 24 hours or less.
How does your team measure up in relation to these MTTD and MTTR statistics?
There’s always room for improvement and your data team should continually work to improve their response times. The faster you can detect problems with alerts – and the more actionable and precise your audit trail data is – the faster and more efficient your data security team will become.
Common Questions about SOC 2 Compliance
What is a SOC 2 Readiness Assessment?
A readiness assessment prepares you for a compliance audit. It helps you identify security gaps and other weak spots in your network. It describes the readiness of your internal controls. Most importantly, it identifies which controls could fail, exposing sensitive customer information in the process.
It’s only possible to identify security gaps if you are thoroughly aware of the:
- Commitments you’ve made to third-party vendors and/or clients
- Data delivery channels employed
- Kinds of data you generate, use, store and destroy
- Operating environment of your system
- Nature of all operations and technology
Some of those preparing for a SOC 2 audit for the first time find the process somewhat daunting. It is common to ask a number of questions. What is the full scope of the audit? What documentation do you need? What company resources does the audit require?
In a readiness assessment, an organization learns what it needs to do to remedy inadequacies before a SOC 2 audit.
Who Needs to Demonstrate SOC 2 Compliance?
Service organizations that store, process, and/or manage sensitive customer data must safeguard it. A SOC 2 report demonstrates a service organization's commitment to security and privacy. It attests to the fact that you have the proper controls in place to protect customers. A SOC 2 report helps ensure that your clients receive the secure, high-quality services they expect.
SOC 2 compliance is often a competitive advantage in the marketplace. SOC 2 compliance benefits a variety of enterprises, including:
- Data centers
- SaaS providers
- Data analytics providers
- Document production
User organizations want service organizations to confirm the effectiveness of their internal controls. SOC 2 reports are an invaluable resource in assuring clients that their sensitive data is protected. If you are a user organization looking at prospective service providers, think of SOC 2 compliance as a basic requirement.
The demand for SOC 2 reports expands as enterprises increasingly rely on cloud hosting providers and data centers. For example, Google Cloud is subject to third-party audits to ensure the compliance of its products.
Who Performs SOC 2 Audits?
There are a variety of professional accounting firms capable of completing SOC 2 audits. Understand that not all SOC 2 reports are equal. It’s important to perform your due diligence when you look for a third-party auditing firm. Check the references of those you’re considering. You want a CPA firm that specializes in IT audits.
Also, don’t hesitate to request information about the specific auditors who will complete the SOC 2 report. It’s vital that auditors have the requisite skills and expertise to do the job. Ideally, consider those with CISA and/or CISSP certifications.
What Does a SOC 2 Report Look Like?
The structure of a SOC 2 report is similar to that of a SOC 1 report. It typically includes the opinion letter, assertions by management, system description, outline of testing protocols, and the results of the testing.
Consequently, a SOC 2 report typically:
- Addresses monitoring of attempts at unauthorized access
- Confirms the existence of detailed audit trails
- Notes the presence of actionable forensics
As a part of a SOC 2 report, the selected CPA firm delivers a professional opinion on the design of controls and their effectiveness over time. It attests that the organization is meeting the selected criteria.
How are SOC 2 Reports Used?
SOC 2 reports are used in a variety of ways, including to:
- Manage internal risks
- Confirm contractual commitments are met
- Manage vendors
- Address regulatory requirements
They are only intended for a service organization and its clients. In that regard, they are different from SOC 3 reports. Those are available to the public and are often used for marketing.
How Much does a SOC 2 Report Cost?
The cost of SOC 2 audits depend on a number of factors:
- Scope of services included
- Particular TSCs selected
- Organization size
- The quantity and scope of systems
Mapping to relevant existing frameworks often reduces the cost of SOC 2 compliance.
Integrate.io: Encrypted ETL for SOC 2 Compliance
SOC 2 certification is vital for protecting client data and building a strong relationship of trust with your customers. However, attaining and maintaining SOC 2 compliance is not a one-off event. It requires long-term planning, constant monitoring, and diligent adherence to your internal security practices.
Finally, since SOC 2 compliance applies to the process of sending, receiving, transforming, and integrating sensitive client information across cloud networks, it's important to consider whether your ETL (extract, transform, load) process supports your overall data security agenda.
At Integrate.io, data security and compliance are two of the most important aspects of our automatic ETL service. That's why we've incorporated the most advanced data security and encryption technology into our platform, such as:
- Physical infrastructure hosted by accredited Amazon Web Service (AWS) technology
- Advanced preparations to meet EU General Data Protection Regulation (GDPR) standards
- SSL/TLS encryption on all our websites and microservices
- Field Level Encryption
- Encryption of sensitive data anytime it's “at rest” in the Integrate.io platform using industry-standard encryption
- Constant verification of our security certificates and encryption algorithms
- Operating system access limited to Integrate.io staff and requiring a username and key authentication
- Firewalls that restrict access to systems from external networks and between systems internally
If you'd like to know more about our data security standards, contact the Integrate.io team now.