Guide to SOC-2 Compliance
Information Security Compliance Standard
What is SOC-2 Compliance?
SOC-2 Compliance is a standard for vendors that process the information of their client’s key business operations.
SOC was developed by the American Institute of Certified Public Accountants or AICPA. It was created to secure the financial information of clients and has since been expanded.
Who should be SOC-2 Compliant?
Any software used by vendors for the processing of data must be SOC compliant as to protect client information.
Accounting firms process high volumes of client financial data.
Cloud & Data Services
Cloud computing and Data Services used to process information must be SOC compliant as they are used by other industries for sensitive data.
What does SOC-2 Compliance consist of?
Unlike other compliance standards which require rigid requirements, SOC-2 compliance allows each organization to determine its own controls as they align with the five trust principles.
The Five Trust Principles of SOC-2 Compliance
- Access Control
- Two-Factor Authentication
- Network / Application Firewalls
- Intrusion Detection
- Performance Monitoring
- Disaster Recovery
- Incident Response
- Quality Assurance
- Network Firewalls
- Identity Management
The privacy trust principle involves an organization’s collection, use, storage, disclosure and disposal of personal information. Each organization should have an active privacy notice and maintain information in compliance with their notice as well as the criteria in the AICPA’s generally accepted privacy principles or GAPP.
Personal identifiable information or PII refers to any data that can distinguish an individual. This includes name, phone number, address, etc. Any additional information that relates to a person’s health, sexuality, race or religion is subject to an extra level of protection. Your system must include controls that protect all PII.
The security trust principle refers to the access, use, and protection of an organization’s system and data. An organization must prevent potential system abuse, theft or unauthorized use of data, misuse of software, and improper alteration or disclosure of information.
The availability principle involves monitoring network performance and availability, the use and availability of infrastructure redundancy, and security and incident response and recovery.
Processing Integrity involves information being used and processed properly. This includes authorization, timeliness, accuracy, and validation.
Processing integrity does not imply data integrity.
The confidentiality principle assures that company data is restricted to a specific organization or persons. This includes business plans, intellectual property, internal price lists and other types of sensitive financial information.
What is our approach to compliance?
Our team conducts a series of interviews and a network audit to determine data access and usage.
A Gap Analysis identifies the missing pieces necessary to achieve compliance.
A remediation plan is put forth and executed with action steps towards compliance based on priority level.
ITonDemand then monitors system usage and provides the service and support to maintain compliance.
Compliance+ in Action / Florida Manufacturing Firm
A small north Florida manufactures CNC close tolerance machined parts, custom components, and assemblies for the defense sector. Given the sensitive nature of the parts being manufactured, it was vital that communications and manufacturing specifications were secure while organizational infrastructure was put in place and maintained to NIST Compliance.
Read how ITonDemand made it happen.
Secure payment systems ensure your customers that you can be trusted with their payment information. PCI Compliance puts measures in place to prevent a data breach or loss of consumer financial information.
The 12 Points to meet PCI Compliance
PCI Compliance can be achieved by meeting 12 points that follow the usage, storage, and transportation of information.
SOC-2 compliance is a necessary security
Who should be SOC-2 Compliant?
Those using online portals should ensure XYZ blah blah blah
Businesses receiving payment via credit card