What are the SOC 2 trust services criteria?

A SOC 2 report can test against five Trust Services Criteria: security, availability, confidentiality, privacy, and processing integrity. When you engage an auditor, you decide which of the five you’d like tested, if not all. These decisions are often influenced by what enterprise buyers request.

What is the importance of each SOC 2 trust services criterion?

Let’s break down the five components together.

Security
Also known as the “common criteria,” security is the foundational criterion required in every SOC 2 assessment. Security focuses on the protection of information and systems against unauthorized access. It tests whether your customers’ information is protected at all times (collection, creation, use, processing, transmission, and storage), along with the systems that handle it.

Security is required in any SOC audit because it not only sets overarching security standards for your company, but also overlaps with the others: setting security controls for availability, confidentiality, privacy, and processing integrity.

Availability
Availability addresses network performance, downtime, security event handling, etc. This criterion makes sure your systems are secure and available for customers to use when they expect to. This is important for startups that promise customers access to their data and services at key times.

For example, your team worked hard to get your platform’s uptime to 99.31%. By validating your uptime and other availability considerations with the availability criteria, you’re further demonstrating your reliability to your customers.

Confidentiality
Confidentiality addresses the handling and protection of information, personal or not, that you’ve agreed to designate confidential and keep secure for your customers (think of proprietary information like business plans, financial or transaction details, legal documents, etc.).

In addition to the protections outlined in the security criteria, the confidentiality criteria provide guidance for identifying, protecting, and destroying confidential information.

For example, your platform manages a customer’s documentation about their trade secrets and intellectual property. For obvious reasons, they only want people within the company (and only some of them) to have access to this sensitive information. The confidentiality criteria signal that you’re set up to protect that information and restrict access as the customer intends. They also show that you’re set up to appropriately destroy confidential information if, say, the customer decides to stop using your platform.

Privacy
Privacy addresses the secure collecting, storing, and handling of personal information, like name, address, email, Social Security number, or other identification info, purchase history, criminal history, etc.

Similar to confidentiality, the privacy criteria test whether you effectively protect your customers’ personal information. Confidentiality, on the other hand, applies to any information you agreed to keep confidential.

Processing Integrity
Processing integrity addresses processing errors and how long it takes to detect and fix them, as well as the incident-free storage and maintenance of data. It also makes sure that system inputs and outputs are free from unauthorized manipulation. This criterion helps businesses make sure their services are delivered in an accurate, authorized, and timely manner.

For example, the processing integrity criteria demonstrate to customers that your data, processes, and systems work as intended, so they don’t have to worry about inaccuracies, delays, or errors, and can trust that only authorized people can use your product.

Which trust services criteria should I include in my SOC 2 audit?

Even though security is the only required TSC for a SOC 2 audit, you may choose to test the other criteria that are relevant to your startup and how you serve your customers.

In our experience, most enterprise customers want to work with startups that are SOC 2 compliant in security and confidentiality. If you’re struggling to decide which criteria to tackle in your first audit, security and confidentiality make a good starting point. Otherwise, add on the criteria your target customers want and are asking for.

How is the COSO framework different from Trust Services Criteria?

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, created tighter controls that all businesses must implement in order to achieve a SOC 2 report.

While the Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system, the COSO framework addresses the following components:

  1. Risk assessments: How does an organization assess all types of risk?
  2. Information and communication: How do businesses internally and externally communicate what is expected?
  3. Existing control activities: What existing controls does a business currently have in place? How effective were the controls over a period of time?
  4. Monitoring activities: How do businesses oversee the entire organization? How do they identify and fix processes that aren’t working?
  5. Control environments: How does a business create procedures that guide the company? How do they make sure that all controls are operating effectively?

Both the TSC and the COSO framework provide a way for businesses to assess internal controls. However, not all TSCs need to be met, whereas organizations must meet all five COSO components and their relevant controls to achieve a SOC 2 report.

SOC 2 has a long list of controls that each business pursuing a SOC 2 report needs to implement. But first, let’s talk about where this controls list comes from. SOC 2 controls are based on the Trust Services Criteria deemed applicable to your organization. A SOC 2 report focuses on non-financial criteria related to security, availability, confidentiality, processing integrity, and privacy. Modeled around policies, communications, procedures, and monitoring, each Trust Services Criterion has corresponding controls.

What are SOC 2 requirements?

SOC 2 requirements change according to the type of information a business needs to secure.

An organization should select the Trust Services Criteria requirements relevant to its business and the commitments it makes to its customers. However, security is always required and is referred to as the “Common Criteria.”

The SOC 2 controls we list here are an overview of those you may need to implement for your SOC 2 report. The ones that are relevant to your business should be selected by your CISO and management team.


SOC 2 Controls List

While there are many controls associated with each of the five TSCs, the controls associated with the common criteria include the usual IT general controls.

Control Environment
These SOC 2 controls relate to a commitment to integrity and ethical values, the board of directors’ involvement and senior management’s oversight of the development and performance of internal control, and holding individuals accountable for their internal control responsibilities in the pursuit of objectives.

Communication and Information
This includes SOC 2 controls related to the internal and external use of quality information to support the functioning of internal control.

Risk Assessment
This requires the identification and assessment of risks relating to objectives, including fraud.

Monitoring Activities
Controls related to the performance of ongoing and separate evaluations to identify control deficiencies and communicate them to the correct parties.

Control Activities
These relate to the control activities contributing to risk mitigation and to the establishment of policies and procedures.

Logical and Physical Access Controls
Controls related to the implementation of logical access security software, infrastructure, and architectures over protected information assets, in order to protect them from security events. They cover:

  • Issuing of credentials to new internal and external users
  • Authorization, modification, or removal of access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design
  • Restriction of physical access to facilities and protected information assets to authorized personnel
  • Implementation of controls to prevent or detect, and act upon, the introduction of unauthorized or malicious software

System Operations
SOC 2 controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that introduce new vulnerabilities and (2) susceptibility to newly discovered vulnerabilities. They also cover:

  • Response to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
  • Monitoring of system components and their operation for anomalies indicative of malicious acts, natural disasters, and errors

Change Management
Controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures.

Risk Mitigation
Controls that identify, select, and develop risk mitigation activities for risks arising from potential business disruptions.

Additional SOC 2 Criteria for Privacy, Processing Integrity, Confidentiality, Availability

In addition to the requirements attached to Security, businesses should fulfill the controls for the other relevant categories based on the commitments they make to their customers.

Find examples of additional SOC 2 control categories, and the control types that satisfy them, below.

Privacy: Provides notice of privacy practices to relevant parties. The notice is updated and communicated in a timely manner, including changes in the use of personal information.

Processing Integrity: Obtains or generates, uses, and communicates relevant, quality information regarding the SOC 2 objectives related to processing. This includes definitions of processed data, and product and service specifications, to support the use of products and services.

Confidentiality: Identifies and maintains confidential information to meet SOC 2 objectives related to confidentiality.

  • Retention and classification
  • Disposal of information

Availability: Maintains, monitors, and evaluates current processing capacity and use of system components like infrastructure, data, and software.

  • System capacity: maintaining processing capacity and use of system components (infrastructure, data, and software) to manage demand and enable the implementation of additional capacity to help meet objectives
  • Backups and environmental controls
  • Recovery controls

How does my business fulfill SOC 2 controls?

There isn’t one path to fulfilling SOC 2 controls and prepping for an audit. The process should include policy implementation and technical and operational procedures.

Policies: For SOC 2 Type 1, auditors ask to examine authored policies, who they’ve been distributed to, and the procedures put in place to execute the policy. In a Type 2 audit, auditors examine the functionality of controls over a 6-12 month period. A comprehensive report is written based on the evidence provided.

Technical Procedures: SOC 2 controls primarily focus on policies and procedures instead of technical tasks; however, implementing technical procedures typically involves building or managing new tools, like endpoint security. These procedures are monitored over time for effectiveness and relayed to audit teams while pursuing a SOC 2 report.

Operational Procedures: Just as important as technical processes, operational procedures involve managing vendors and due diligence, creating uniform onboarding and termination procedures, and collecting evidence on their effectiveness. These procedures are crucial to creating a risk assessment for auditors and understanding the business’s risk appetite.