Category: Managed Services

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and other organizations that handle sensitive information for the DoD have adequate cybersecurity controls in place. The CMMC framework includes three- levels of cybersecurity maturity, with Level 1 representing the most entry-level of cybersecurity and Level 3 representing the highest level, expert.

CMMC version 2.0 is the latest version of the framework, which was released in 2021. It includes several updates and improvements over previous versions, including:

1. CMMC 2.0 streamlined model focuses on the most critical requirements. In addition, CMMC 2.0 reduces the model from 5 to 3 compliance levels and is aligned with NIST cybersecurity standards.
2. A new certification process: CMMC 2.0 introduces a new certification process designed to be more streamlined and efficient. This process includes assessments and audits by third organizations accredited by the CMMC Accreditation Body (CMMC-AB).
3. A focus on supply chain security: CMMC 2.0 includes a greater emphasis on supply chain security, with specific requirements for protection against the introduction of malicious software and other cyber threats through the supply chain.

If you are a small business that works with the DoD or handles sensitive information for the DoD, it is crucial to comply with CMMC 2.0 to protect your organization and your customers from cyber threats. Failure to comply with CMMC 2.0 could result in lost contracts and other negative consequences for your business.

In addition to helping protect your business and your customers, complying with CMMC 2.0 can also have other benefits, such as:

1. Improved cybersecurity: By implementing the cybersecurity practices outlined in CMMC 2.0, you can improve your overall cybersecurity posture and reduce your risk of cyber incidents.
2. Enhanced reputation: By demonstrating your commitment to cybersecurity through CMMC 2.0 compliance, you can enhance your reputation as a reliable and trustworthy business partner.
3. Increased competitiveness: As more organizations begin implementing CMMC 2.0, compliance may become necessary for doing business with the DoD and other government agencies. Demonstrating compliance can increase your competitiveness and position your business for future growth.

Cybersecurity Maturity Model Certification 2.0 recently entered the Defense Department’s rulemaking process. The rulemaking process is the final step before it becomes an official requirement. However, despite questions about the industry’s cybersecurity capabilities and the challenging documentation process, defense companies could be required to comply with CMMC for new contracts as soon as May 2023.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

There are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments (NIST Cybersecurity Framework, HIPAA, GDPR, etc.) and hiring a fractional virtual Chief Information Security Officer (vCISO).

First and foremost, outsourcing Cybersecurity Framework Assessments can provide higher education institutions with access to a greater level of expertise and experience. Cybersecurity Framework Assessments, such as NIST Cybersecurity Framework, HIPAA, GDPR, etc., are a comprehensive set of security and privacy controls used by many organizations, including higher education institutions, to ensure the confidentiality, integrity, and availability of their systems and data. However, conducting these assessments can be a complex and time-consuming process that requires specialized knowledge and skills. By outsourcing these assessments to a qualified third party, higher education institutions can leverage the expertise and experience of professionals who have a deep understanding of numerous Cybersecurity Frameworks and how to implement their controls effectively.

Another reason to outsource Cybersecurity Framework Assessments is to ensure that the evaluation is conducted unbiasedly and objectively. In organizations that perform internal assessments, the risk of bias or subjectivity creeps into the process. Unfortunately, this can lead to an incomplete or inaccurate measurement of the organization’s security posture; in turn, this can increase the chances of an incident, such as a breach or intrusion, that may result in the loss, damage, or disclosure of assets. By outsourcing the assessment to a third party, higher education institutions can ensure that the evaluation is performed unbiasedly and objectively, providing a more accurate picture of their security posture.

After a cybersecurity framework assessment has been conducted, it’s paramount that a Governance, Risk, and Compliance Program is put in place to manage risk moving forward. In addition, a security program and plan need to be developed to track and remediate deficiencies identified during the assessment. Therefore, CAG recommends hiring a fractional vCISO to guide higher education institutions through the Governance, Risk, and Compliance minefields. A fractional vCISO is a professional who works remotely part-time or on a contract basis, providing expert guidance and support to the organization’s security efforts. In addition, a fractional vCISO can offer a range of services, including conducting risk assessments, developing, and implementing security policies and procedures, and providing guidance on compliance with regulatory requirements such as NIST, GDPR, HIPAA, and FERPA.

In conclusion, there are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments and hiring a fractional vCISO. These approaches can provide higher education institutions access to greater expertise and experience, ensure that assessments are conducted unbiased and objectively, and build a robust Governance, Risk, and Compliance program through a fractional vCISO. In addition, by leveraging these resources, higher education institutions can strengthen their security posture and better protect their systems and data.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

The use of location-based Wi-Fi data can be an excellent tool for higher education facilities planning for several reasons:

Improved understanding of how facilities are being used: By analyzing location-based Wi-Fi data, higher education institutions can gain a better understanding of how their facilities are being used by students, faculty, and staff. This can include things like which areas are most popular, how long people stay in different locations, and which times of day are busiest. This information can be valuable for identifying areas of the campus that may be underutilized or overcrowded, and for making informed decisions about how to optimize the use of facilities.

Better planning and resource allocation: By analyzing location-based Wi-Fi data, higher education institutions can better plan and allocate resources for facilities and services. For example, they may be able to identify areas of the campus where additional study spaces or resources are needed, or where certain services (such as printing or charging stations) are being heavily used. This information can be used to inform decisions about where to allocate resources and which facilities or services to prioritize.

Enhanced safety and security: By analyzing location-based Wi-Fi data, higher education institutions can improve safety and security on their campuses. For example, they may be able to identify areas of the campus that are particularly vulnerable to crime or other safety risks and take steps to address those issues. Similarly, they may be able to use location data to track the movements of individuals on campus and respond more quickly to emergencies or other safety concerns.

Improved student experience: By using location-based Wi-Fi data to understand how students are using facilities and services, higher education institutions can improve the overall student experience on campus. For example, they may be able to identify areas where students are having trouble accessing resources or services and take steps to improve those areas. Additionally, they may be able to use the data to identify opportunities for enhancing the student experience through new or improved facilities or services.

Overall, the use of location-based Wi-Fi data can provide higher education institutions with valuable insights that can inform their facility’s planning and help them optimize the use of resources, improve safety and security, and enhance the student experience.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

The Transportation Security Administration (TSA) is a U.S. government agency that is responsible for providing security for the nation’s transportation systems, including the aviation, rail, and highway sectors. As part of its mission, the TSA has established cybersecurity standards and requirements for certain transportation systems to ensure that they are secure and compliant with federal regulations.

The TSA Cybersecurity Pipeline Compliance (TSACPC) requirement applies to certain transportation systems that are considered critical infrastructure.  Owner/Operators impacted should have received a memorandum. This requirement is designed to ensure that these systems have robust cybersecurity controls in place to protect against cyber threats and vulnerabilities.

To meet the TSACPC requirement, transportation systems must implement a range of cybersecurity controls and practices, including:

• • Institutions must have a defined Cybersecurity Implementation Plan
  • Network segmentation: Systems must be segmented and access to sensitive areas of the network must be restricted.  Logical zones must be defined based on criticality and risks.
  • Access Control: Must be based on the principles of least privilege and separation of duties, or compensating controls must be defined.
  • Encryption: Data transmitted over networks must be encrypted to protect against unauthorized access.
  • Network security monitoring: Systems must be monitored for security threats and vulnerabilities.
  • Vulnerability management: Systems must be regularly tested for vulnerabilities and any identified vulnerabilities must be promptly addressed.
  • Multi-factor authentication for access to industrial control workstations or specify what compensating controls are in place.
  • Security incident response: Institutions must have a plan in place for responding to security incidents, including containment, preservation, recovery, and annual testing.

Assessment Program: Measuring the effectiveness of the Cybersecurity Program, performing architectural design reviews, and other assessment capabilities such as penetration testing. Overall, the TSACPC requirement is designed to help ensure that critical transportation systems are secure and compliant with federal regulations and can protect against cyber threats and vulnerabilities.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

What is TAC 202?

Texas Administrative Code Chapter 202 (TAC §202) is a set of rules and regulations that outline the minimum information security and cybersecurity responsibilities and roles at state agencies and institutions of higher education in Texas. This chapter is designed to protect the confidentiality, integrity, and availability of information systems and data within these organizations and ensure they are secure against potential cyber threats.

One of the critical provisions of TAC §202 is the requirement that agencies and institutions of higher education use the TAC §202 Security Controls Standards Catalog. This catalog is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, R4, a widely-recognized security standard for information systems. The security controls catalog is designed to provide a common language and minimum standards for implementing security measures, which helps to ensure that all agencies and institutions use consistent and effective security practices. By adhering to these standards, these organizations can reduce their risk of cyber-attacks and data breaches, which can seriously affect their operations and reputation. Additionally, using a centrally-managed controls catalog can help streamline the implementation of security measures, as it provides a clear set of guidelines that can be followed.

One of the primary responsibilities of agencies and institutions of higher education under TAC §202 is to implement appropriate security measures to protect their information systems and data. Institutions should conduct regular risk assessments to identify potential vulnerabilities and implement controls to mitigate those risks. It also includes implementing measures to protect against unauthorized access to systems and data, such as firewalls and intrusion detection systems.

TAC §202 also requires agencies and institutions of higher education to have robust incident response plans to effectively respond to and recover from cyber attacks or data breaches. An Incident Respons Plan is a document that outlines an organization’s procedures, steps, and responsibilities of its incident response program. In addition, these organizations need to have a strategy to communicate with stakeholders about the incident to minimize any potential impacts on their operations or reputation.

In addition to implementing security measures, TAC §202 also requires agencies and institutions of higher education to have a strong focus on cybersecurity awareness and training. Security awareness includes providing regular training to employees on how to identify and prevent cyber threats and report potential incidents. It is also essential for these organizations to have a culture of cybersecurity in which employees are encouraged to be vigilant about protecting information systems and data.

Overall, TAC §202 is an essential set of rules and regulations that help to ensure the security and integrity of information systems and data within state agencies and institutions of higher education in Texas. By following the standards outlined in the TAC §202 Security Controls Standards Catalog, these organizations can effectively protect themselves against cyber threats and maintain the trust and confidence of their stakeholders. TAC §202 plays a vital role in the cybersecurity landscape of Texas.

SOC 2 compliance refers to a set of privacy and security standards for service providers designated by the AICPA (American Institute of Certified Public Accountants). Although complying with SOC 2 is not mandatory, customers often demand it from organizations they interact with, especially cloud-based services, to ensure that their data is protected. Organizations looking to meet compliance standards must ensure specific service controls and procedures regarding their information systems’ confidentiality, security, availability, and processing integrity. The systems include the organization’s people, processes, technology, physical infrastructure, and servers.

What is a SOC 2 Report?

To get a SOC 2 report, an organization providing services must undergo a third-party audit. The SOC 2 auditor will be either an American Institute of Certified Public Accountants (AICPA) certified firm or a CPA (Certified Public Accountant). They will evaluate your security posture and determine if your controls, policies, and processes comply with the SOC 2 requirements.

The audit reports assess if the service providers undergoing the review have drafted and implemented effective procedures meeting the SOC 2 objectives. Enterprises that successfully pass the SOC 2 audit use the compliance designation to demonstrate that they are committed to the security and privacy of their customers and stakeholders.

SOC 2 is one of the three types of SOC reports. The other two are SOC 1 and SOC 3. A brief description of all three follows:

• SOC 1 Reports: AICPA mainly developed the SOC 1 framework targeting third-party service providers, which assures your clients that you are handling their financial information safely and securely. SOC1 reports giving your clients an objective evaluation regarding controls addressing compliance, operations, and internal controls over financial reporting.
• SOC 2 Reports: The SOC 2 framework helps businesses demonstrate their compliance with security controls. After organizations started measuring the effectiveness of their security controls through the SAS 70 audit standard, AICPA developed SOC 2 with an emphasis on security. It is rooted in the Trust Services Criteria or TCS (discussed later). Iassuresut the internal controls related to TSC and comprehensive information on auditor’s testing in an organization.
• SOC 3 Reports: The AICPA says that an organization prepares a SOC 3 report to meet the requirements of clients who want assurance regarding the controls related to processing integrity, security, availability, privacy, or confidentiality of a service provider but do not know how to use a SOC 2 report effectively. Thus, SOC 3 contains the same information as SOC 2 but is drafted for a general audience.

Understanding SOC 2 Reports:

• SOC 2 Type 1: This report focuses on the ‘design’ of an enterprise’s security controls at a specific moment. It describes the existing controls and procedures, reviewing the documents around these controls. Furthermore, it validates the adequacy of all administrative, logical, and technical controls.
• SOC 2 Type 2: It focuses on the ‘design’ and ‘operating effectiveness’ of controls and takes longer to assess the controls, typically between 3-12 months, and includes the auditor running penetration tests to monitor how the organization handles data security risks over a period. The independent review confirms that the enterprise strictly complies with the requirements outlined by AICPA. The SOC 2 Type 2 audit process includes:
  • Reviewing the audit scope
  • Creating a project plan
  • Testing controls for design and operational effectiveness
  • Authenticating the results
  • Delivering the organization’s report.

Organizations new to compliance can easily confuse SOC 2 Type 1 and Type 2 reports. SOC 2 Type 1 differs from Type 2 in that it assesses the security setup and process design at a specific time. On the other hand, the Type 2 report (also written as “Type II”) estimates how adequate the controls are over a more extended period by observing operations for usually six to 12 months.

Why Would You Need to Comply with SOC 2?

Following are the six reasons why organizations must obtain a SOC 2 compliance report:

• Cost-effectiveness: Some businesses might think that audit costs are high. However, a SOC 2 audit helps avoid security breaches that are far costlier. For instance, in 2021, a data breach cost more than $4.2 million on average – a figure rising yearly.
• Competitive advantage: A SOC 2 report will give you an edge over competitors who cannot demonstrate compliance.
• Peace of mind: Passing the stringent SOC 2 audit assures improved security posture for your networks and information systems.
• Regulatory compliance: SOC 2’s requirements sync with other frameworks, like the International Organization for Standardization’s ISO 27001 and Health Insurance Portability and Accountability Act (HIPAA). Thus, the certification can boost your organization’s overall compliance efforts.
• Insights: A SOC 2 report gives valuable insights into your business’s risk and security posture, internal controls governance, vendor management, regulatory oversight, and more.

What is Required for SOC 2 Compliance?

You can attract more business with security covered. However, those operating in the finance or banking sector or an industry where confidentiality and privacy are paramount must achieve a higher compliance standard. AICPA defines SOC 2 based on the Trust Services Criteria, which have the following principles:

• Security: It focuses on operational/governance controls to protect your data and demonstrate that systems at a service organization are protected against unauthorized access and other risks that could impact the service organization’s ability to provide the services promised to clients. All SOC 2 requirements are optional except those that fall under Security. Selecting additional SOC 2 principles may vary based on the type of data you store or process,
• Availability: It focuses on the accessibility of the system and how you maintain and monitor your infrastructure, data, and software to ensure you have the system components and processing capacity to meet your business objectives.

SOC 2 compliance requirements in the ‘Availability’ category include:

1. Measuring current usage: Establishing a capacity management baseline to evaluate the risk of availability caused by capacity constraints.
2. Identifying environmental threats: Assessing ecological threats that can impact system availability, like adverse weather, power cuts, fire, or failure of environmental control systems.

• Processing integrity: It focuses on delivering the correct data at the right time and place. Furthermore, data processing must be accurate, valid, and authorized.

SOC 2 compliance requirements in the ‘Processing integrity’ category include:

1. Creating and maintaining records for system inputs: Compiling accurate records of all the system input activities.
2. Defining processing activities: This ensures that the products or services meet specifications.

• Confidentiality: It restricts disclosure of and access to private data so that only specific, authorized organizations or people can view it. Confidential data can include business plans, sensitive financial information, customer data, or intellectual property.

SOC 2 compliance requirements in the ‘Confidentiality’ category include:

1. Identifying confidential information: Implementing procedures to identify personal and sensitive information when you create or receive it and determine how long you must retain it.
2. Destroying confidential information: Implementing procedures to erase sensitive information identified and marked for destruction.

• Privacy: It focuses on the organization’s adherence to the client’s privacy safeguards and AICPA’s generally accepted privacy principles (GAPP). The SOC category considers methods for collecting, using, and retaining personal information and the process for the disposal and disclosure of data.

SOC 2 compliance requirements in the ‘Privacy’ category include:

1. Using clear and conspicuous language: The organization’s privacy notice must be clear and coherent, leaving no chance for misinterpretation.
2. Collecting information from reliable sources: The organization confirms third-party data sources are trustworthy and operates its data collection process legally and fairly.

Additional SOC 2 Compliance Checklist

SOC 2 compliance bases itself on the five Trust Services Categories: availability, processing integrity, confidentiality, privacy, and security. Security forms the SOC 2 compliance baseline and includes broad criteria familiar to all trust service categories.

The security principle focuses on the service’s asset and data protection against unauthorized access or use. Organizations can implement access controls to prevent unauthorized data removal, malicious attacks, misuse of the organization’s software, or unsanctioned disclosure of organizational information.

The essential SOC 2 compliance checklist (that will satisfy the auditor) should address these controls:

• Physical and logical access controls: How the organization restricts and manages physical and logical access to prevent unauthorized access.
• System operations: How the organization manages its system operations to detect and prevent deviations from set procedures.
• Change management: How the organization implements a controlled change management process and mitigates unauthorized changes.
• Risk management: How the organization identifies and develops risk mitigation activities while navigating business disruptions and using vendor services.

Does Law Require SOC 2 Certification?

Generally, you do not need SOC 2 compliance certification legally. However, most Software-as-a-system (SaaS) and business-to-business (B2B) vendors should consider getting certified if they haven’t already because SOC 2 is a crucial requirement in vendor contracts.

Can You Use Software to Speed Up SOC 2 Compliance?

As mentioned, SOC 2 primarily revolves around policies and processes and is concerned little about technical tasks. Hence, there is no dedicated, automated tool that will quickly make your business SOC 2 compliant.

Furthermore, the SOC 2 requirements are not prescriptive; hence you must define your processes and controls for SOC 2 compliance and then use automated tools to make their implementation easy. Thus, a system will monitor and alert you whenever a technical control failure occurs. For example, suppose one of the limits of your control offers access to your systems to specific administrators. You can deploy a tool that tracks and retrieves the status of permissions in real-time.

For every implemented control, think of the evidence you will present to the auditor. You must remember that defining a rule is merely a part of the SOC 2 compliance requirements; you must demonstrate that it works effectively. 

SOC 2 Vs. SOC 1: How To Determine if the SOC 2 Audit is for You?

CPAs may choose to go for either a SOC 1 or SOC 2 compliance audit. You must comply with SOC 2 Type 2 if you store customer data. To determine if you require a SOC 2 audit, you must start by knowing how SOC 2 differs from SOC 1.

• SOC 1: SOC 1 compliance considers controls relevant to an organization’s internal control over financial reporting. The reports can be either Type 1 or Type 2. The Type 1 report signifies that the enterprise suitably defines and implements the rules in operation. The Type 2 report would offer these assurances, including an opinion if the controls were adequate throughout an extended period.
• SOC 2: SOC 2 compliance is voluntary for service organizations who wish to demonstrate their commitment to information security. Same as above, SOC 2 reports are also of two types.

Your organization must pursue SOC 1 if your services affect your clients’ financial reporting. For example, if your enterprise creates software processing your clients’ collections and billing data, you are impacting their financial reporting, and hence a SOC 1 is appropriate. Another reason enterprises prefer SOC 1 is that their clients demand a “right to audit.” Without SOC 1, it can be a time-intensive and costly process for both parties, especially if a few of your clients ask to submit a similar request. Additionally, you must comply with SOC 1 as a compliance requirement.

On the other hand, no compliance framework like HIPAA or PCI-DSS requires you to be SOC 2 compliant. In other words, if your business does not process financial data but only hosts or processes other data types, you require the SOC 2 report. With today’s business environment becoming extraordinarily aware and sensitive regarding data breaches, your clients will want proof that you are taking adequate precautions to protect their data and prevent any leaks.

Thus, the choice to pursue either SOC 1 or SOC 2 certification depends on your organization’s operational profile. A critical determining factor when choosing between SOC 1 and SOC 2 is your organization’s controls affecting your client’s control over financial reporting. You can engage an audit firm to determine whether SOC 1 or SOC 2 certification (or both) is the right fit for your enterprise.

A thorough understanding of the difference between SOC 2 Type 1 and SOC 2 Type 2 reports will help service providers handle their customers’ data with appropriate security. They must consider investing in the technical audit necessary for a SOC 2 report to protect their clients’ non-financial yet confidential and sensitive data. Many clients today expect SOC 2 compliance from their service providers, and if you are SOC 2 compliant, it demonstrates your dedication to cybersecurity. 

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

References

1. Brown, S. (2022, October 11). SOC 2 Type 1 guide: Everything you need to know. Retrieved January 1, 2023, from Strongdm.com website: https://www.strongdm.com/blog/what-is-soc-2-type-1
2. Harrington, D. (2022, August 26). SOC 2 compliance definition & checklist. Retrieved January 1, 2023, from Varonis.com website: https://www.varonis.com/blog/soc-2-compliance
3. Johnson, B. (2022, September 30). The Differences Between SOC 1 vs SOC 2. Retrieved January 1, 2023, from Strongdm.com website: https://www.strongdm.com/blog/soc-1-vs-soc-2
4. Picotte, A. (2020, May 5). SOC 2 compliance requirements: Essential knowledge for security audits. Retrieved January 1, 2023, from Uptycs.com website: https://www.uptycs.com/blog/soc-2-compliance-requirements
5. SOC 2 compliance requirements. (n.d.). Retrieved January 1, 2023, from Secureframe website: https://secureframe.com/hub/soc-2/requirements
6. SOC 2 Type II: Compliance and certification. (n.d.). Retrieved January 1, 2023, from Getkisi.com website: https://www.getkisi.com/guides/soc-2-type-ii

Reciprocity. (2022, November 9). 6 Reasons Why You Need SOC 2 Compliance. Retrieved January 1, 2023, from Reciprocity.com website: https://reciprocity.com/blog/6-reasons-why-you-need-soc-2-compliance/

Protecting customers’ data is crucial for any business in today’s cyber-risky digital world. Hence, organizations must ensure compliance with System and Organization Controls (SOC 2) and demonstrate that they follow the best data security practices. Understanding the difference between SOC 2 Type 1 and Type 2 reports and implementing them can help businesses maintain peace of mind while ensuring adequate data protection.

SOC 2 compliance refers to a set of privacy and security standards for service providers designated by the AICPA (American Institute of Certified Public Accountants). Although complying with SOC 2 is not mandatory, customers often demand it from organizations they interact with, especially cloud-based services, to ensure that their data is protected. Organizations looking to meet compliance standards must ensure specific service controls and procedures regarding their information systems’ confidentiality, security, availability, and processing integrity. The systems include the organization’s people, processes, technology, physical infrastructure, and servers.

What is a SOC 2 Report?

To get a SOC 2 report, an organization providing services must undergo a third-party audit. The SOC 2 auditor will be either an American Institute of Certified Public Accountants (AICPA) certified firm or a CPA (Certified Public Accountant). They will evaluate your security posture and determine if your controls, policies, and processes comply with the SOC 2 requirements.

The audit reports assess if the service providers undergoing the review have drafted and implemented effective procedures meeting the SOC 2 objectives. Enterprises that successfully pass the SOC 2 audit use the compliance designation to demonstrate that they are committed to the security and privacy of their customers and stakeholders.

SOC 2 is one of the three types of SOC reports. The other two are SOC 1 and SOC 3. A brief description of all three follows:

• SOC 1 Reports: AICPA mainly developed the SOC 1 framework targeting third-party service providers, which assures your clients that you are handling their financial information safely and securely. SOC1 reports giving your clients an objective evaluation regarding controls addressing compliance, operations, and internal controls over financial reporting.
• SOC 2 Reports: The SOC 2 framework helps businesses demonstrate their compliance to security controls. After organizations started measuring the effectiveness of their security controls through the SAS 70 audit standard, AICPA developed SOC 2 with an emphasis on security. It is rooted in the Trust Services Criteria or TCS (discussed later). It provides assurance about the internal controls related to TSC and comprehensive information on auditor’s testing in an organization.
• SOC 3 Reports: The AICPA says that an organization prepares a SOC 3 report to meet the requirements of clients who want assurance regarding the controls related to processing integrity, security, availability, privacy, or confidentiality of a service provider but do not know how to use a SOC 2 report effectively. Thus, SOC 3 contains the same information as SOC 2 but is drafted for a general audience.

Understanding SOC 2 Reports:

• SOC 2 Type 1: This report focuses on the ‘design’ of an enterprise’s security controls at a specific moment. It describes the existing controls and procedures, reviewing the documents around these controls. Furthermore, it validates the adequacy of all administrative, logical, and technical controls.
• SOC 2 Type 2: It focuses on the ‘design’ and ‘operating effectiveness’ of controls and takes longer to assess the controls, typically between 3-12 months, and includes the auditor running penetration tests to monitor how the organization handles data security risks over a period. The independent review confirms that the enterprise strictly complies with the requirements outlined by AICPA. The SOC 2 Type 2 audit process includes:
  • Reviewing the audit scope
  • Creating a project plan
  • Testing controls for design and operational effectiveness
  • Authenticating the results
  • Delivering the organization’s report.

Organizations new to compliance can easily confuse SOC 2 Type 1 and Type 2 reports. SOC 2 Type 1 differs from Type 2 in that it assesses the security setup and process design at a specific time. On the other hand, the Type 2 report (also written as “Type II”) estimates how adequate the controls are over a more extended period by observing operations for usually six to 12 months.

Why Would You Need to Comply with SOC 2?

Following are the six reasons why organizations must obtain a SOC 2 compliance report:

• Cost-effectiveness: Some businesses might think that audit costs are high. However, a SOC 2 audit helps avoid security breaches that are far costlier. For instance, in 2021, a data breach cost more than $4.2 million on average – a figure rising yearly.
• Competitive advantage: A SOC 2 report will give you an edge over competitors who cannot demonstrate compliance.
• Peace of mind: Passing the stringent SOC 2 audit assures improved security posture for your networks and information systems.
• Regulatory compliance: SOC 2’s requirements sync with other frameworks, like the International Organization for Standardization’s ISO 27001 and Health Insurance Portability and Accountability Act (HIPAA). Thus, the certification can boost your organization’s overall compliance efforts.
• Insights: A SOC 2 report gives valuable insights into your business’s risk and security posture, internal controls governance, vendor management, regulatory oversight, and more.

What is Required for SOC 2 Compliance?

You can attract more business with security covered. However, those operating in the finance or banking sector or an industry where confidentiality and privacy are paramount must achieve a higher compliance standard. AICPA defines SOC 2 based on the Trust Services Criteria, which have the following principles:

• Security: It focuses on operational/governance controls to protect your data and demonstrate that systems at a service organization are protected against unauthorized access and other risks that could impact the service organization’s ability to provide the services promised to clients. All SOC 2 requirements are optional except those that fall under Security. Selecting additional SOC 2 principles may vary based on the type of data you store or process,
• Availability: It focuses on the accessibility of the system and how you maintain and monitor your infrastructure, data, and software to ensure you have the system components and processing capacity to meet your business objectives.

SOC 2 compliance requirements in the ‘Availability’ category include:

1. Measuring current usage: Establishing a capacity management baseline to evaluate the risk of availability caused by capacity constraints.
2. Identifying environmental threats: Assessing ecological threats that can impact system availability, like adverse weather, power cuts, fire, or failure of environmental control systems.

• Processing integrity: It focuses on delivering the correct data at the right time and place. Furthermore, data processing must be accurate, valid, and authorized.

SOC 2 compliance requirements in the ‘Processing integrity’ category include:

1. Creating and maintaining records for system inputs: Compiling accurate records of all the system input activities.
2. Defining processing activities: This ensures that the products or services meet specifications.

• Confidentiality: It restricts disclosure of and access to private data so that only specific, authorized organizations or people can view it. Confidential data can include business plans, sensitive financial information, customer data, or intellectual property.

SOC 2 compliance requirements in the ‘Confidentiality’ category include:

1. Identifying confidential information: Implementing procedures to identify personal and sensitive information when you create or receive it and determine how long you must retain it.
2. Destroying confidential information: Implementing procedures to erase sensitive information identified and marked for destruction.

• Privacy: It focuses on the organization’s adherence to the client’s privacy safeguards and AICPA’s generally accepted privacy principles (GAPP). The SOC category considers methods for collecting, using, and retaining personal information and the process for the disposal and disclosure of data.

SOC 2 compliance requirements in the ‘Privacy’ category include:

1. Using clear and conspicuous language: The organization’s privacy notice must be clear and coherent, leaving no chance for misinterpretation.
2. Collecting information from reliable sources: The organization confirms third-party data sources are trustworthy and operates its data collection process legally and fairly.

Additional SOC 2 Compliance Checklist

SOC 2 compliance bases itself on the five Trust Services Categories: availability, processing integrity, confidentiality, privacy, and security. Security forms the SOC 2 compliance baseline and includes broad criteria familiar to all trust service categories.

The security principle focuses on the service’s asset and data protection against unauthorized access or use. Organizations can implement access controls to prevent unauthorized data removal, malicious attacks, misuse of the organization’s software, or unsanctioned disclosure of organizational information.

The essential SOC 2 compliance checklist (that will satisfy the auditor) should address these controls:

• Physical and logical access controls: How the organization restricts and manages physical and logical access to prevent unauthorized access.
• System operations: How the organization manages its system operations to detect and prevent deviations from set procedures.
• Change management: How the organization implements a controlled change management process and mitigates unauthorized changes.
• Risk management: How the organization identifies and develops risk mitigation activities while navigating business disruptions and using vendor services.

Does Law Require SOC 2 Certification?

Generally, you do not need SOC 2 compliance certification legally. However, most Software-as-a-system (SaaS) and business-to-business (B2B) vendors should consider getting certified if they haven’t already because SOC 2 is a crucial requirement in vendor contracts.

Can You Use Software to Speed Up SOC 2 Compliance?

As mentioned, SOC 2 primarily revolves around policies and processes and is concerned little about technical tasks. Hence, there is no dedicated, automated tool that will quickly make your business SOC 2 compliant.

Furthermore, the SOC 2 requirements are not prescriptive; hence you must define your processes and controls for SOC 2 compliance and then use automated tools to make their implementation easy. Thus, a system will monitor and alert you whenever a technical control failure occurs. For example, suppose one of the limits of your control offers access to your systems to specific administrators. You can deploy a tool that tracks and retrieves the status of permissions in real time.

For every implemented control, think of the evidence you will present to the auditor. You must remember that defining a rule is merely a part of the SOC 2 compliance requirements; you must demonstrate that it works effectively. 

SOC 2 Vs. SOC 1: How To Determine if the SOC 2 Audit is for You?

CPAs may choose to go for either a SOC 1 or SOC 2 compliance audit. You must comply with SOC 2 Type 2 if you store customer data. To determine if you require a SOC 2 audit, you must start by knowing how SOC 2 differs from SOC 1.

• SOC 1: SOC 1 compliance considers controls relevant to an organization’s internal control over financial reporting. The reports can be either Type 1 or Type 2. The Type 1 report signifies that the enterprise suitably defines and implements the rules in operation. The Type 2 report would offer these assurances, including an opinion if the controls were adequate throughout an extended period.
• SOC 2: SOC 2 compliance is voluntary for service organizations who wish to demonstrate their commitment to information security. Same as above, SOC 2 reports are also of two types.

Your organization must pursue SOC 1 if your services affect your clients’ financial reporting. For example, if your enterprise creates software processing your clients’ collections and billing data, you are impacting their financial reporting, and hence a SOC 1 is appropriate. Another reason enterprises prefer SOC 1 is that their clients demand a “right to audit.” Without SOC 1, it can be a time-intensive and costly process for both parties, especially if a few of your clients ask to submit a similar request. Additionally, you must comply with SOC 1 as a compliance requirement.

On the other hand, no compliance framework like HIPAA or PCI-DSS requires you to be SOC 2 compliant. In other words, if your business does not process financial data but only hosts or processes other data types, you require the SOC 2 report. With today’s business environment becoming extraordinarily aware and sensitive regarding data breaches, your clients will want proof that you are taking adequate precautions to protect their data and prevent any leaks.

Thus, the choice to pursue either SOC 1 or SOC 2 certification depends on your organization’s operational profile. A critical determining factor when choosing between SOC 1 and SOC 2 is your organization’s controls affecting your client’s control over financial reporting. You can engage an audit firm to determine whether SOC 1 or SOC 2 certification (or both) is the right fit for your enterprise.

A thorough understanding of the difference between SOC 2 Type 1 and SOC 2 Type 2 reports will help service providers handle their customers’ data with appropriate security. They must consider investing in the technical audit necessary for a SOC 2 report to protect their clients’ non-financial yet confidential and sensitive data. Many clients today expect SOC 2 compliance from their service providers, and if you are SOC 2 compliant, it demonstrates your dedication to cybersecurity.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

References

1. Brown, S. (2022, October 11). SOC 2 Type 1 guide: Everything you need to know. Retrieved January 1, 2023, from Strongdm.com website: https://www.strongdm.com/blog/what-is-soc-2-type-1
2. Harrington, D. (2022, August 26). SOC 2 compliance definition & checklist. Retrieved January 1, 2023, from Varonis.com website: https://www.varonis.com/blog/soc-2-compliance
3. Johnson, B. (2022, September 30). The Differences Between SOC 1 vs SOC 2. Retrieved January 1, 2023, from Strongdm.com website: https://www.strongdm.com/blog/soc-1-vs-soc-2
4. Picotte, A. (2020, May 5). SOC 2 compliance requirements: Essential knowledge for security audits. Retrieved January 1, 2023, from Uptycs.com website: https://www.uptycs.com/blog/soc-2-compliance-requirements
5. SOC 2 compliance requirements. (n.d.). Retrieved January 1, 2023, from Secureframe website: https://secureframe.com/hub/soc-2/requirements
6. SOC 2 Type II: Compliance and certification. (n.d.). Retrieved January 1, 2023, from Getkisi.com website: https://www.getkisi.com/guides/soc-2-type-ii

Reciprocity. (2022, November 9). 6 Reasons Why You Need SOC 2 Compliance. Retrieved January 1, 2023, from Reciprocity.com website: https://reciprocity.com/blog/6-reasons-why-you-need-soc-2-compliance/