SOC It 2 Me: What Vendor SOC 2 Compliance Means – and Why You Should Care

Choosing a suite of tools to help secure your network can be a daunting task, but how a company can secure your network/data/etc. is not the only consideration – how do they secure their own?  This is especially true for cloud-based providers – when you think about it you’re putting an awful lot of trust in someone else’s security practices.  You don’t want to get burned like Tesla did in 2021 – they used security startup Verkada to implement security cameras in their factories and offices, but a data breach exposed not only their live feeds but several years of archived security footage.

MGM Grand suffered a huge data breach in 2019, with more than 10.6 million hotel guests having their personal information leaked onto the web.  Like Tesla, the actual victim of the breach was not MGM themselves, but a company called DataViper, which provides a service that monitors the web for data leaks (Oh, the irony…)

Now, a data breach can happen to the best of us, but….neither of these companies was the best of us in terms of security practices.  In fact, in both cases, the data breach resulted from credentials being posted publicly online.

Who Watches the Watchmen?

So when you’re choosing a security provider, it’s clearly important to choose one that takes their own security seriously and doesn’t do silly things like post Admin credentials on the internet (which you would think would be obvious, but…)

However, you can’t really just ask a provider what their security practices are and expect an unbiased answer…we all think we’re great at security until a hacker proves us wrong.  Thankfully, organizations like the American Institute of Certified Public Accountants developed a way to help independently verify the security practices of software vendors.  Enter SOC 2!

SOC 2 to the Rescue

System and Organization Controls, aka SOC, is the name of a suite of reports produced during an audit as defined by the American Institute of Certified Public Accountants.  These reports are validated by external third-party auditors regarding the internal controls of the information systems of any organization that provides information systems as a service to other organizations.

That definition is pretty heavy, so let’s break it down.

SOC 2 reports on 5 categories called the Trust Service Criteria:

1. Security: Information and systems are protected against unauthorized access and disclosure.

Some examples of things an organization would have to have to be in compliance with this:

• Firewalls
• IDS (Intrusion Detection System)
• Multi-factor authentication

2. Availability: Information and systems are available for operational use.

Some compliance examples:

• Performance monitoring
• Disaster Recovery
• Incident Handling procedures

3. Confidentiality: Information is protected and available on a legitimate need-to-know basis.

Some compliance examples:

• Encryption
• Access Controls
• Audit Tracking

4. Processing integrity: System professing is complete, valid, accurate, timely, and authorized:

Some compliance examples:

• Quality assurance
• Process monitoring
• Adherence to principle

5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of according to policy. Note that this applies only to personal information.

• Access controls
• Consent forms
• Data retention policies

There are 3 types of SOC compliance:

SOC 1: Internal control over financial reporting

SOC 2: Trust Services Criteria

SOC 3: Trust Services Criteria for General Use Report

SOC 1 pertains specifically to outsourced services relevant to the company’s financial reporting.  SOC 2 focuses on security controls and is typically what you see among information technology vendors, especially cloud-based service providers.  SOC 3 is a more generalized version of SOC 2.

What makes SOC 2 valuable is that the reporting must be done by either a Certified Public Accountant OR a certified technical expert from an audit firm licensed by the AICPA.  It’s not something a company can just claim based on their own internal opinion of themselves. SOC 2 reports are meant to be shared with potential customers, so any vendor who claims to be SOC 2 compliant should be able to provide you with their SOC 2 reports.  And SOC 2 is valid for 12 months, so once a year a company should undergo a new audit to retain their certification.

Obviously, nothing can guarantee protection against a breach, but the huge benefit of choosing a SOC 2 compliant vendor is that it shows they not only take cyber security seriously, but they are willing to put their money where their collective mouths are by bringing in a third party auditor to ensure they are meeting the current industry standards.

SOC 2 compliance is neither easy nor cheap for a company to achieve, so it shows a strong commitment to security.  In fact, if we go back to our two examples, Verkada got their SOC 2 certification about a year after the data breach to show that they had improved their internal security policies and procedures.  Be sure to check that all your security vendors are SOC 2 certified as well.