The SOC 2 standard is maintained by the AICPA, and is a measure of trust and accountability in a business’s data handling practices. With the news full of stories about businesses which failed to properly handle their customers’ data, it’s no surprise that businesses want partners whose data security and handling policies are as robust as possible.
One aspect of SOC 2 compliance is that a SOC 2-certified operation cannot hand over data to a non-SOC 2 group. So, becoming SOC 2 compliant could mean opening up entirely new markets, such as the medical field or government contracting, which require SOC 2 certification.
Main Areas That SOC 2 Certification Covers
First, a SOC 2-certified business must be able to fully monitor system access and usage, along with associated network matters such as user access privileges. On top of that, it should strive to have the best possible systems in place to monitor and guard against unauthorized access, whether from human hackers or from automated software attacks. This can often be achieved by creating a baseline model of normal activity and looking for substantial deviations from that model.
No business today can expect to go too long without some sort of security incident occurring. There are just too many threats out there. SOC 2 doesn’t expect impossible perfection, but rather that you have robust alert systems to notify you and/or your associates if a breach has occurred. In particular, you are expected to have alerts guarding against unauthorized file transfers, account access, or changes to data.
This goes hand in hand with the first two points: to be SOC 2-certified, you must have auditing systems capable of producing detailed logs of system access, changes, and alerts. This is the only way to trace the source of an intrusion or determine the full extent of any harm done. You should have audit trails covering modification of system components, data changes, and the source of incoming connections.
Finally, with those three points in place, you can demonstrate your forensic abilities – quickly responding to threats, backtracking their source, understanding the scope of the attack, and hopefully being able to predict the next move of the attacker. Having such forensics systems in place will allow you to offer assurance that any attacks will be dealt with via best security practices, with an eye towards minimizing any harm done.
Type 1 vs Type 2
You might be wondering about the difference between Type 1 and Type 2 certification. The qualifications are the same, but the basic difference is “on paper” vs “in practice.”
- Type 1 certification means a business has implemented policies and standards and technology that adhere to SOC 2 expectations.
- Type 2 involves a much more rigorous auditing process by licensed AICPA auditors that demonstrates true real-world adherence to those policies. Type 2 is, obviously, more difficult and expensive to obtain, but also far more useful – particularly if you’re aiming for lucrative business in high-security fields.
Trust Your Data With LogicBay
If your organization needs a partner-management solution which is SOC 2 Type 2 certified, LogicBay is here to provide the systems and expertise you need. Please feel free to contact us directly to discuss our security and data-handling policies.