Service Organization Control (SOC) compliance has been a buzzword in the finance space since SOC reports were first introduced in 2011. There are currently three types of SOC reports: SOC 1, SOC 2, and SOC 3.
SOC 1 reports deal with financial transactions.
SOC 2 reports deal with technology and cloud computing entities, and will be our focus today.
SOC 3 reports are public documents that summarize SOC 2 reports without divulging protected information.
SOC 2 compliance
For cloud software companies, SOC 2 compliance is the most relevant of the three in 2018. The five criteria of such a report are: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- Security
This deals with protection against unauthorized access. - Availability
This deals with accessibility of the system. - Processing Integrity
This deals with whether or not the system meets its requirements (like delivering data according to set stipulations). - Confidentiality
This deals with security and confidentiality of data transmission. - Privacy
This deals with the system’s use and retention of personal information.
It is important to note that SOC 2 reports are unique; providers review requirements, make a determination on which of the requirements are relevant to their business, and then write the controls to satisfy those requirements. As such, an audit of an SOC 2 report is completely subjective. An audit provides an auditor’s opinion of how well the company is fitting the requirements. For this reason, the auditor’s reputation is extremely important to provide a sound and fair audit.
Why is SOC 2 so important?
SOC 2 compliance is so relevant in today’s market because the public is so interested in whether or not data providers can be trusted with confidential information. When a company receives a clean SOC 2 report, the company is trusted as a secure and compliant host.
For organizations that are looking to outsource finance information or data storage, being SOC 2 compliant is especially important. And as a consumer, if you seek a vendor who is unwilling to provide their SOC 2 reports, you may want to consider partnering with someone else. An unwillingness to provide this report to customers can be viewed as a red flag.
Flexi
Flexi is interested in helping your organization remain compliant to help propel your business forward. Learn more about joining forces with Flexi today to see how Flexi can help your business succeed. Call 800-353-9492.