Whereas SOC 1 audits cover internal controls over financial reporting, SOC 2 audits focus on controls at a service organization relevant to five Trust Services Principles and Criteria. The AICPA's 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy present the following control criteria:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
Security refers to the protection of:
i. Information during its collection or creation, use, processing, transmission, and storage and
ii. Systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removals of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
Availability: Information and systems are available for operation and use to meet the entity's objectives.
Availability refers to the accessibility of information used by the entity's systems, as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.
Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
Confidentiality addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control in accordance with management's objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding the collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information.
The privacy criteria are organized as follows:
i. Notice and communication of objectives. The entity provides notice to data subjects about its objectives related to privacy.
ii. Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
iii. Collection. The entity collects personal information to meet its objectives related to privacy.
iv. Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
v. Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
vi. Disclosure and notification. The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.
vii. Quality. The entity collects and maintains accurate,
viii. Monitoring and enforcement. The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.
Unlike most CPA and professional service firms, we do not view ourselves as a simple third-party vendor who is tasked with helping you seek a means to an end. Rather, our team establishes a very close-knit relationship with your team, becoming a trusted partner to your business. CyberGuard Compliance always keeps your goals and priorities at the forefront of our services delivery process.
As your trusted service partner, we are your one-stop shop for all your IT compliance and cybersecurity needs. Our tailored compliance solutions and efficient auditing methods allow your company not only to save on audit and compliance costs but, more importantly, to reduce the internal level of effort and the time your key personnel spend on annual compliance projects. Contact us today to speak to one of our team members and experience the CyberGuard Compliance difference.
To learn about the SOC 2 audit and the benefits it provides, please watch our videos: