SOC, or System and Organization Controls, is the brainchild of the American Institute of Certified Public Accountants (AICPA). SOC 1 looks exclusively at financial controls, while SOC 2 is a broader standard that applies to most organizations that store client data. More specifically, SOC 2 is an auditing standard used to assess data security as it relates to cloud-based storage of customer information. It mostly focuses on third-party service providers, but any data-processing company can consider SOC 2 certification.
Some data security standards, such as PCI DSS and HIPAA, can have very rigid rules. For example, PCI DSS includes firm rules about minimum password lengths. SOC 2 takes a different approach. Instead of offering pre-defined rules, SOC 2 specifies five core trust principles, which you're free to implement as you see fit.
In this article, we will describe the standards of SOC 2 and discuss the difference between the two types of SOC 2 reports. Finally, we will discuss the SOC 2 audit process as it relates to Integrate.io as well as the steps we take to keep our customers' data as secure as possible.
Table of Contents
- The Five Trust Principles of SOC 2
- Who Should Have a SOC 2 Report?
- SOC 2: Type 1 vs. Type 2
- What Information Does a SOC 2 Report Contain?
- Integrate.io's SOC 2 Audit
- What Does a SOC 2 Audit Cost?
- Get SOC 2 Compliant ETL with Integrate.io
The SOC 2 Five Trust Principles
1) Privacy
On the back-end, the organization needs to establish safeguards to protect PII. This includes access control and activity logging on databases. You'll also need multi-factor authentication for log-in, and strong encryption when PII is in transit.
2) Confidentiality
In addition to PII, organizations also handle sensitive business information. This includes strategy documents, financial records, client profiles, and intellectual property. If an unauthorized party gains access to this information, it could pose a material risk to the business.
If you're processing this data, you need to ensure adequate security at all times. This means having robust firewalls that prevent unauthorized external access, as well as access control and multi-factor authentication for users.
3) Security
All data-processing companies need a robust security infrastructure. This includes firewalls, intrusion detection, strong user verification, access control, and active monitoring. Physical security is also essential. The organization needs to have a robust data security policy that prevents unauthorized access or removal of data.
Because security threats are continually evolving, organizations need a proactive approach to security. You should have a process for regular risk assessments, and a strategy for mitigating any risks you identify. You'll also need to think about change management, so that system improvements don't inadvertently leave you exposed.
4) Availability
Security sometimes comes at the price of performance. Organizations have to balance these factors so that data is safe, and services are always available. Service providers have to ensure that they're consistently reaching the level of availability specified in their Service Level Agreement (SLA).
SOC 2 auditors look at a number of factors when assessing availability, such as network performance, service uptime, and response time when dealing with security incidents. They'll also look at your disaster recovery protocols.
5) Processing Integrity
When data is passing through your service, you have to ensure that it gets to the right place at the right time. You also have to ensure that this happens in the most efficient way possible, especially if this impacts the customer's bill. Your data processing protocols must be complete, valid, accurate, timely, and authorized.
Service organizations are not necessarily responsible for data quality, so auditors won't need to look at inputs or outputs. Instead, they want to review data handling processes, such as ETL and active data pipelines.
Who Should Have a SOC 2 Report?
SOC 2 compliance is essential for any organization that handles other people's data. Whether you're a B2B organization offering services to other businesses, or you're a company that hosts customer data in the cloud, SOC 2 certification will let people know that they can trust you. Without this verification, you may not be able to compete in the market.
SOC 2 is not a regulatory requirement. In fact, there are no hard rules to follow if you want to be SOC 2 compliant.
Instead, to meet the SOC 2 standard, you have to demonstrate that you've adhered to the five trust principles. A SOC 2 audit is complex, but it boils down to these five key questions:
- Is business information confidential?
- Is there a sound security infrastructure?
- Does availability meet the SLA?
- Is data processing reliable?
Because SOC 2 is a common-sense standard that's based on real-world expectations, it should come as no surprise that the audit is based on the kinds of questions that most clients ask when looking for a trustworthy business partner.
It takes time and effort to receive a successful SOC 2 report. But doing this proves to clients that you take security seriously.
SOC 2: Type 2 vs. Type 1
In the first section, we discussed the differences between SOC 1 and SOC 2 reports. However, there are also two types of SOC 2 reports:
- SOC 2 Type 1: This takes a detailed look at how your organization meets the five trust principles. Auditors provide a snapshot of the current state of your systems.
- SOC 2 Type 2: This adds the dimension of time by assessing your systems over a period rather than at a single point.
Type 2 reports allow for a deeper analysis of data security. For example, auditors can monitor availability and threat mitigation protocols over an extended period.
Usually, companies will begin by performing a readiness review. This means working with the auditor to make an initial assessment of the current state. The readiness review will decide whether you're prepared for a full SOC 2 audit, or if you need to make some organizational changes before proceeding.
Once the review is complete, the SOC 2 auditor will perform a full inspection and prepare a SOC 2 Type 1 report. This confirms that your infrastructure meets the five trust principles as it stands right now.
After that, you may go forward with a SOC 2 Type 2 report. This typically takes between six and twelve months, although it can vary depending on the nature of the organization.
What Information Does a SOC 2 Report Contain?
Type 1 and Type 2 reports include the same kind of information, though the period of time varies per type. This information includes:
- Organization's Assertions: Your description of your existing infrastructure, software, people, procedures, and data.
- Independent Service Auditor's Report: An executive summary of the audit findings. This will confirm that the organization aligns with the trust principles, or it will outline the improvements required to meet that standard.
- System Description: Details of the organization's infrastructure, including IT assets and associated processes.
- Testing Protocols: Information about the testing procedures that the auditors used.
- Test Results: Detailed outcomes of each test.
- Other Information Not Covered by Auditor: Additional context from the organization.
Although the SOC 2 report focuses on its five trust principles, not every principle gets equal importance. Each report will vary per company or industry in the way it prioritizes these principles, but there are some basic rules to be aware of:
- Security: Every SOC 2 report must cover security, as every organization is potentially subject to attacks.
- Availability: The report will always look at availability, although prioritization will depend on the SLA. If you promise an always-on service, then this will be a major area of scrutiny.
- Privacy: This is a focus for organizations that handle PII, including data about customers and employees.
- Confidentiality: This principle applies if your processes handle sensitive corporate information. This includes data that may impact prices, market valuations, or intellectual property.
- Processing integrity: The auditor will consider two things. First, the complexity of any processing. For example, if you transform data during transit, they will want to see a high level of processing integrity. Also, they will look at customer expectations. If your clients require an extremely high degree of accuracy, the auditor will want to see reliable data processing protocols.
No two organizations are the same, so no two SOC 2 reports are the same. The independent auditor won't judge you against other companies. Instead, they'll look at your unique setup and objectively assess whether you're adhering to the principles of SOC 2.
Integrate.io's SOC 2 Audit
SOC 2 Policies
SOC 2 requires that an organization has detailed, up-to-date policies that are available to and read by its team. Our SOC 2 policies include the following:
- Onboarding and Termination Policy
- Disaster Recovery Policy
- Products and Services Narrative
- Application Security Policy
- Encryption Policy
- Employee Escalation Policy
- Employee Handbook
- Remote Access Policy
- Availability Policy
- Incident Response Policy
- Removable Media and Cloud Storage Policy
- Business Continuity Policy
- Information Security Policy
- Risk Assessment Policy
- Code of Conduct Policy
- Log Management Policy
- Security Architecture Narrative
- Confidentiality Policy
- Office Security Policy
- Software Development Lifecycle Policy
- Control Environment Narrative
- Organizational Narrative
- System Architecture Narrative
- Cyber Risk Assessment Policy
- Password Policy
- System Change Policy
- Data Classification Policy
- Policy Training Policy
- Vendor Management Policy
- Data Retention Policy
- Privacy Management Policy
- Workstation Policy
- Datacenter Policy
- Processing Integrity Policy
Integrate.io uses strongDM's excellent open-source Comply framework, and we based many of our policies on their templates. They run a Slack community that discusses SOC 2. All our policies are written in Markdown and versioned in GitHub. We generate our policies as PDFs and store them in a Google Drive (so our whole team has access).
Here is one policy example, our internal password policy.
Internal Security Training
SOC 2 audits require documented proof of the team’s ongoing security and professional training. We track employee training with a spreadsheet and with our security training system.
Everyone in our team is required to take security training when they join the team, and then renew it annually.
Security Penetration Test (Pen Test)
We contract with Strontium to perform an annual pen test on our application and infrastructure. The pen testers are given access to our staging environment with user-level and admin-level credentials. The initial test typically takes 2 weeks to perform, plus an additional two weeks to generate a detailed technical report.
Most pen test reports contain a summary of the issues found plus a very detailed breakdown of each issue and how to reproduce it. We review the findings, quickly mitigate the important issues, then ask for a re-test to confirm the fixes. The report is given to the SOC 2 auditors, and a summary is made available to customers (under NDA).
We make sure that our databases, message queues, and Kubernetes data nodes are all encrypted at rest, and that we encrypt all data in transit.
Infrastructure Security Tools
We run Nessus scans, Tripwire, AWS GuardDuty, and AWS Security Hub, which send alerts to PagerDuty. We proactively monitor our security (per policy) and provide this evidence as part of the SOC 2 audit process.
Scheduling Compliance Tasks
There are many regular tasks (defined in our policies) that need to be actioned and documented by the team throughout the year, such as regular backup tests. We maintain a SOC 2 group calendar that contains all the events, and each event contains all the details needed to complete the compliance task.
Employee laptops are always a security risk, especially during a time when so many employees are working from home. All our laptops are encrypted (FileVault), run Carbon Black antivirus, use NordVPN, have a password-protected screensaver enabled, and run the latest version of macOS. All passwords are stored encrypted with 1Password and are 20+ characters long.
The SOC 2 Audit
Integrate.io's SOC 2 auditor is A-lign, and they give us a month to gather all the data needed for the audit and upload it to their portal. We manage the tasks on a monday board (for team assignment & tracking) and stage the data to a shared Google Drive. The data is then reviewed by senior management and uploaded to the audit portal.
Here is the A-lign audit process:
- One month to gather the data and upload 80%+ to the auditor's portal
- Audit kick-off meeting
- Audit call(s) on Control Environment, Communications & Information, Risk Assessment & Risk Mitigation, and Control Activities
- Audit call(s) on Monitoring Activities, Logical & Physical Access and System Operation
- Audit call(s) on Change Management
- Audit close meeting
- Review of the draft audit report
- Delivery of the final audit report
The multiple auditors on the calls ask questions to get clarification on the data submitted and our process. Sometimes additional information is needed, which is then provided on the call or by uploading more supporting evidence to their portal.
The total audit process lasts around 2 months. One month is very intense and needs the team’s focus to keep to this tight schedule.
Our auditor’s portal for the data gathering.
What Does a SOC 2 Audit Cost?
The following table contains indicative costs of a SOC 2 Audit for a SaaS company. These audits also require every employee to spend some amount of time verifying the security status of their equipment and completing their annual training. It is important not to view these costs as expenditures, but investments in your company's security process.
|Security penetration test & re-test|$10,000 per year|
|SOC 2 Type 1 audit|$15,000 per year|
||$30,000 per year|
||1 month per year x 3 people|
Get SOC 2 Compliant ETL with Integrate.io
SOC 2 compliance is not a set-it-and-forget-it deal. You have to re-certify annually, which means that you have to keep reviewing and upgrading your systems. Without a valid SOC 2 report, you simply can't promise your clients the best data protection possible.
Fortunately, you can trust Integrate.io data security when it comes to your data workflows. A cloud-based, no-code Extract, Transform, Load (ETL) platform, Integrate.io offers SOC 2-compliant integrations with a vast library of data sources.
Behind the scenes at Integrate.io, we've got some of the most advanced security on the market, including:
- Physical infrastructure hosted by accredited Amazon Web Services (AWS) technology
- Advanced preparations to meet EU General Data Protection Regulation (GDPR) standards
- SSL/TLS encryption on all our websites and microservices
- Field Level Encryption
- Constant verification of our security certificates and encryption algorithms
- Operating system access limited to Integrate.io staff and requiring a username and key authentication
- Firewalls that restrict access to systems from external networks and between systems internally
With Integrate.io as part of your infrastructure, you can operate with confidence knowing our annual SOC 2 audit and security penetration test will keep your data safe.