Compliance: Cybersecurity Assurance OR How to Gain the Trust of Your Business Partners
By Mustapha Berrabaa – CTO at Fortica
Information security is a concern for all organizations, including those that outsource key business operations to third-party vendors (examples: SaaS, cloud service providers). Poorly managed data can expose companies to attacks such as data theft, extortion and malware installation. Increasingly, clients are including IT security criteria in their tenders. In this context, a variety of security questionnaires, controls and audits have been introduced to help vendors provide security assurances to their business partners.
The SOC 2 Report
For many, the Service Organisation Control (SOC 2) report, issued by a qualified auditor, has become the quality standard of choice. SOC 2 is an audit procedure that ensures your service vendors are managing your data securely to protect your organization's interests and customers' privacy. For security-conscious organizations, SOC 2 compliance is a minimum requirement when reviewing a SaaS vendor, so much so that many organizations now contractually require vendors to provide SOC 2 reports on an annual basis.
What SOC 2 is not
It's important to note that SOC 2 compliance is not a government-regulated certification. There is no penalty for not following declared policies, and auditors will not charge you a fine-they will point out your shortcomings and help you resolve them.
Although it covers the major departments and processes that interact with sensitive data, SOC 2 does not stipulate standards. And SOC 2 compliance should not be confused with actual security best practices.
Why become SOC 2 compliant?
The primary motivation for organizations to become SOC2 compliant is to facilitate business, sales. The decision to become SOC 2 certified is voluntary, and so it is not driven by mandatory compliance or other regulations and standards such as PCI-DSS.
The motivation to become compliant, for an organization, may come from concerns expressed by your customers about the security of their business partners who want to be assured that their sensitive data is safe in your data center or infrastructure. Some may sometimes ask for more detailed technical information about the protection of your cloud environment (is it protected by an intrusion detection/prevention system, and properly guarded?).
When a startup sells to a large enterprise, two key questions often come up "Is your infrastructure secure?", "If we give you our data, will you leak it on the Internet?“
Finally SOC 2 is a report you can share with your clients that says: "Yes our infrastructure is secure, we had an auditor come in to look at our practices, and it’s all written here, we're on top of our game.”
SOC 2 demonstrates to clients that you have the right people, policies and procedures in place to not only handle a security incident, but to respond accordingly.
The 5 pillars of SOC 2
To understand what SOC 2 compliance is, it is helpful to understand the criteria known as the five Trust Services Criteria:
- Processing Integrity
- Data protection
This principle provides the client with reasonable assurance that their data is safe and secure, and demonstrates that systems are protected from unauthorized access (both physical and digital).
Availability is the second most common principle chosen for the SOC 2 review. It focuses on systems being available for operation and use.
3. Processing integrity
This principle focuses on system processing being complete, accurate and valid.
The confidentiality principle ensures that information deemed confidential is protected as agreed.
5. Data protection
You don't have to follow all the principles, but you will select those that are relevant to the services you provide to clients. For example: you provide cloud storage services, and the data processing is done by your clients in their systems, so the processing integrity principle does not apply to you.
The audit report
A SOC 2 report can be
- Type 1: the opinion covers only the design of the controls, at a specific point in time
- or Type 2: the opinion covers a defined period of time to ensure the operating effectiveness of the controls over time, i.e., the proper application or execution
Invest in people for better results
One person with a conviction would do more than a hundred who only have an interest: commitment is therefore the key to staying the course and completing the compliance project, and conviction always precedes commitment.
At the highest level, what differentiates one organization from another is its conviction and vision of the role of compliance in its business.
Does your organization view compliance as a series of boxes to be checked, or does it view compliance as playing a positive role in the growth of the business?
Just think about how you would answer the following questions on behalf of your organization:
- Does the leadership team set the tone and believe that compliance is important to the company?
- Is there training to ensure employees know what is expected of them?
- Is there an alignment between business objectives and compliance objectives?
- Do you have dedicated staff with the skills and experience to plan, design, implement and maintain your compliance program?
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.