SOC stands for System and Organization Controls, a voluntary compliance standard for tech-based companies that store data in the cloud. It’s a suite of services developed by the American Institute of CPAs (AICPA) which outlines how organizations should manage customer data.
Entech recently completed our SOC 2 Type II examination, so we wanted to explain what it means to our customers and why it’s so important.
SOC 2 compliance is based on specific criteria for managing customer data correctly. This consists of the following five Trust Services Categories:
Security: Protect against unauthorized access using firewalls, detection, or multi-factor authentication.
Availability: Identify threats, measure usage, monitor minimum acceptable performance
Processing integrity: Data processing should be timely, accurate, valid, and authorized.
Confidentiality: Identify and destroy confidential information, including all customer data
Privacy: Data must be processed following AICPA’s Generally Accepted Privacy Principles.
Before being assessed, many companies will meet with an auditor to help develop a SOC 2 roadmap, which will help them reach the standards outlined by the AICPA. Many companies do not naturally have these roadmaps in place, so having an expert assist them in developing these policies and procedures is helpful.
Once a company has its policies and procedures that comply with SOC 2, a CPA will conduct the formal audit. Each company should have systems that alarm a cybersecurity incident, continuous monitoring, and immediate response to intrusions. Once a company has the SOC 2 certification, it must continuously adopt best practices to ensure maximum protection. Annual audits will be conducted annually to ensure these practices are still in place.
According to the AICPA, there are two types of SOC 2 reports that an organization can pursue to enhance its cybersecurity protocols: Type I and Type II.
Type I reports on “management’s description of a service organization’s system and the suitability of the design of controls.
Type II, which is what we at Entech just completed, reports on “management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.”
Of the two reports, Type II is far more difficult to achieve as your company has to demonstrate not only the design of the controls but the organizational implementation of said controls over an approximate 30-day period for every audit cycle.
The certification demonstrates that the tech company you work with has a safe and secure data management system in place. SOC 2 compliance is voluntary so those that take this extra step are serious about data protection.
Business continuity and disaster recovery plans, sometimes abbreviated to “BCDR”, are measures taken to ensure that your company can prevent, respond to, and recover from a human or natural disaster.
Working with a company like Entech that has completed a SOC 2 examination is a significant differentiator, offering added peace of mind to customers who can rest easy knowing that their sensitive data is secure and protected. And, that corrective action plans are in place for if and when an incident were to occur. With over 2,200 cyber attacks per day, no business is immune—no matter how small—and these attacks are getting more costly with every passing year.
Entech is a full-service IT company that serves small and medium-sized businesses in Florida and we are proud to be one of the only SOC 2 Type II managed technology & cybersecurity service providers in the region.
Contact us and let’s get your BCDR plans in place.