SOC 2 Compliance

There are Major Ramifications in Regulations That Impact How Businesses Operate.

Defining SOC 2​

As a greater number of individuals and companies have begun using cloud-based technology, it has become important to ensure that the data stored in these processors and storage systems are properly protected and secured.

The American Institute of CPAs (AICPA) created the System and Organizational Control 2 (SOC 2), which is an audit that analyzes detailed requirements regarding the security of customer data. 

SOC 2 is not limited to cloud-based providers, but it is one of the ways one can ensure that a provider is committed to secure data storage.

SOC 2 Criteria

Acting in a similar manner to frameworks like ISO 27001, SOC 2 has a flexible model that allows a business to follow only certain SOC 2 criteria and meet only those applicable compliance standards. Therefore, SOC 2 audits will look different for each entity. 

There are five SOC 2 criteria an entity can comply with, and they are referred to as the trust service criteria or principles: security, availability, processing integrity, confidentiality, and privacy.

Busy SRE teams save time by partnering with trusted third parties

You may have been relying on your already strained SRE teams to automatically embed security into the SDLC. This is why security is usually pushed right. By partnering with a third party like CDG, you are able to free your SRE teams to ensure your main business is functioning, while leaning on us to shift your security left.

For the security principle, the audit examines the organization’s safeguards against unauthorized access of data and the security policies/tools in place.

The availability principle deals with the accessibility of the organization’s system. Per any contracts or obligations in place, can parties to the previous access the system or service as stipulated? Availability requires a positive answer.

When a system promises a certain speed and quality of data storage and delivery, they must comply with that promise. The processing integrity principle addresses just that – the entity has to ensure the system is processing data according to the guidelines it has set.

In specific situations or industries, certain data can be restricted to only a few people, deeming the data confidential. Confidential data includes protected health information, personal information, and financial information – among many others. The organization should have proper mechanisms in place to ensure confidentiality of said data.

The privacy principle deals with the use, collection, and removal of data. The organization should be following best practices as delineated in its privacy notice. The privacy controls in place should protect the data according to privacy principles.

SOC 2 Compliance 1

Make SOC2 Compliance as Painless as Possible:

Meeting SOC 2 Compliance

SOC 2 report

Following an independent audit, a company or organization will receive an SOC 2 report with the results of their security mechanisms in place. Organizations looking to meet SOC 2 compliance prior to an audit are encouraged to contact CDG for personalized and expert guidance on the creation and maintenance of security procedures and frameworks.

Cyber Defense Group

If you are interested in learning more about how we can help with SOC 2 Compliance, please call us or fill out the contact form provided. We look forward to helping you.

Security Compliance Types

ISO27001

ISO27001 is an international standard for information security, published by the International Organization for Standardization. Organizations that meet ISO27001 criteria can be certified against the standard to demonstrate their ongoing commitment to data protection and information security.

SOC2

SOC2 was developed by the AICPA for managing customer data based on “trust service principles”. SOC2 is primarily used for companies operating within the United States.

DFARS/CMMC

CMMC is a standard for organizations in the United States which work with the Department of Defense (DoD). The CMMC covers the cybersecurity controls for Confidential Unclassified Information (CUI).

NIST 800-53

In order to prevent mass variance, the National Institute of Standards and Technology (NIST) – a non-regulatory part of the Department of Commerce – constructed a set of standards for all federal agencies to follow: the NIST Special Publication 800-53.

HIPAA

The Health Insurance Portability and Accountability Act is a US law enacted in1996 which governs the data protection and privacy of health records.

GDPR

The European General Data Protection Regulation is a data protection and privacy regulation for EU citizens. Any company operating within the EU borders must conform to this regulation.

CCPA

The California Consumer Protection Act is a California data protection and privacy law for residents of California. Most companies which hold information on California residents are subject to this regulation.

CIS 20

The CIS 20 is a list of 20 actions and practices an organization’s security team can take on such that cyberattacks, or threats, are minimized and prevented.

Protected Clients

We protect our clients from cyber criminals, and we create robust security programs which can withstand current and future threats.

Contact CDG

We mobilize and launch a complete investigation of any suspected incident within 24 hours.

  • Determining the extent of a breach
  • Performing a full-scope response from Identification to Recovery
  • Incident Response retainer services, including IR preparation for your team

Incident Response

If you have been the victim of a cyber attack, contact us right now.

  • Determining the extent of a breach
  • Performing a full-scope response from Identification to Recovery
  • Incident Response retainer services, including IR preparation for your team