By Bruce Hall, Director of Managed Services
Have you heard about SOC 2 and SOC 3 validation? If you're storing data in the cloud (or considering it), it's a business imperative. We've recently completed Service Organization Control 2 (SOC 2) and Service Organization Control 3 (SOC 3) examinations. While we're proud of the achievement, it's worth explaining what it means for our customers. When researching an enterprise cloud or managed service solution, it's essential not only to ask whether the provider has SOC 2 and SOC 3 reports, but also to review the actual reports. A SOC 3 report is written for general distribution; a SOC 2 report is a restricted-use document, but prospective service providers should be more than willing to share it with a serious prospect, typically under a non-disclosure agreement.
Reading the report tells you what the provider's controls are and what an independent auditor concluded about them, but like anything written by auditors, it can be a little dry. So let's dive into what it means and why it's critical for any cloud or managed service you plan to consume. SOC 2 and SOC 3 reports address five Trust Services principles: security, availability, processing integrity, confidentiality, and privacy. A provider selects which of these principles its examination covers, so check the scope section of the report to confirm that the principles you care about are actually included. A SOC 2 report also states whether it is Type I (the controls were suitably designed as of a point in time) or Type II (the controls operated effectively over a review period, typically six to twelve months); for a service you will depend on continuously, the Type II report is the one that shows the controls actually held up. What the report gives you is an auditor's opinion on those controls, not a guarantee that nothing will ever go wrong, so read it for what it covers and what it excludes.
With SOC 2 and SOC 3 reports in hand, you have an independent auditor's opinion on whether the provider's controls meet the AICPA Trust Services criteria for protecting data. Verify that your service provider has completed both, since together they document its commitment to data security and privacy standards that require:
- Security – The service and its data are protected from unauthorized access, both physical and logical.
- Availability – The systems in place are available for operation and use as agreed.
- Processing Integrity – System processing is timely, accurate, complete, and authorized.
- Confidentiality – Information designated as confidential is protected as agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in your service provider's privacy notice. These criteria are the Trust Services Principles developed jointly by the AICPA and the CICA.
Make SOC 2 and SOC 3 a “Must-Have”
As noted above, SOC 2 and SOC 3 reports validate the internal controls and processes a provider uses to maintain data integrity and privacy in the cloud. They give customers independent evidence that the proper processes are in place and help reduce the risk of relying on a third party.
If you haven't heard much about SOC 2 and SOC 3, it may be because completing an examination is no small achievement: it's a rigorous, thorough process that many service providers have not undergone. It clearly benefits any company considering a cloud or managed service solution, so make it a requirement in your organization before you sign up with any service provider, and read the report itself rather than taking a logo on a website as proof.