I’m Mathew Grace, managing partner at Flying Donkey IT. A client came to me recently and requested assistance with meeting SOC 2 Compliance. In case you aren’t aware of SOC 2, it stands for Service Organization Controls. Today I’m going to discuss some of the most important questions regarding SOC.
What is SOC 2?
Service Organization Controls is the name of a set of reports created by the American Institute of Certified Public Accountants to help companies and consumers understand and judge which service companies they should trust, based on the processes and technology those companies have in place and how well they are managed. SOC 2 looks not only at a moment in time, but at ongoing procedures.
The SOC is an American standard. Why does the SOC matter in Australia?
The SOC is a best practice taking into account finance, business practices, cyber security, insurance, and other areas of your business. The SOC may be required for your organisation by a major client who does business in America, or Australia may adopt something similar. For instance, government contracting jobs typically impose requirements very similar to those for SOC compliance.
What factors does the SOC take into consideration?
The SOC takes into consideration the following requirements:
- Security – This aspect will always be in the report. It includes physical and remote access to information.
- Availability – Is the system available during the promised times?
- Processing – Making sure any processing is done accurately, in full, and on time.
- Confidentiality – Are access control policies defined, implemented, and monitored for changes?
- Privacy – How does the company collect, use, retain, disclose, and destroy information? This may be governed by both contract and law.
Who can certify a company for SOC compliance?
Only a CPA can certify that a company meets the requirements for compliance with SOC reporting, but you will also need software developers and human resource involvement to make sure both the technical and policy requirements are met.
What should I do to become SOC Compliant?
Becoming SOC compliant is a multi-step process. The list below includes the steps we’d recommend taking.
- Review an actionable checklist to see what areas you are compliant already and which need attention. If you don’t have access to a checklist, reach out for a free consultation.
- Contact a CPA with experience dealing with SOC 2 compliance so they can be involved in the process and advise your staff or contractors.
- Assign people in your organisation or hire independent companies to implement solutions for areas where you are non-compliant.
- Implement changes.
- Have someone who did not work on the changes verify that the changes have been appropriately made.
- Have the CPA conduct the review for certification and receive your report.
- Provide access to view your certification on your website so that clients can review it to understand how your company conducts business.
Why do I need a software developer for SOC compliance?
Many of the requirements in the SOC need technical solutions to be met cost effectively. In our checklist, 44 of the requirements need a network administrator or software developer to be implemented in the most effective manner. These requirements include aspects such as:
- User Access Controls: Settings and databases to control, document, monitor, and remove access to sensitive information.
- Two Factor Authentication: Used to verify that the person trying to access the data is the person they claim to be. This may be through sending a verification code to another contact point or through biometrics (fingerprint, eye scan, facial recognition, etc.).
- Data encryption: Install, monitor, and update encryption on all data that could be compromised.
- Monitoring and Notifications Software: Integration, setup, and updating of software will need to be completed.
- Firewall Setup: Settings must be appropriate to secure data.
- Vulnerability Tests: Tests conducted to make sure your system is secure.
- Change logs: Many processes will need change log databases setup.
- Training: Training of all employees on procedures is required. This can be done in person or via online resources which can track who watched the videos, completed the tests, and met the requirements.
- Separation of Duties: Having an outside development team you have an ongoing relationship with will help with the separation of duties requirements.
As you can see, software development and IT are a crucial part of this process. Including a skilled DevOps team ensures that you have someone with knowledge of both software and infrastructure to complete the necessary tasks. If you need any help becoming SOC compliant, contact us for a consultation.
I’m Mathew Grace.
Don’t forget to follow us for more information on the SOC in upcoming blogs.