Information security is a cause for concern for all organizations, including those that outsource key business operations to third-party providers (e.g., SaaS, cloud-computing providers). Rightfully so, since mishandled data, especially by application and network security providers, can leave companies vulnerable to attacks such as data theft, extortion and malware installation.
SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality and privacy.
Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organization. In line with its specific business practices, each organization designs its own controls to comply with one or more of the trust principles.
These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.
There are two sorts of SOC reports:
SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.
Trust principles are broken down as follows:
The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access to systems and data.
The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.
This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
The processing integrity principle addresses whether a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.
However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.
Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.
Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
The privacy principle addresses the system's collection, use, retention, disclosure and disposal of personal information in conformity with an organization's privacy notice, as well as with criteria set forth in the AICPA's generally accepted privacy principles (GAPP).
Personally identifiable information (PII) includes details such as gender, name, address and Social Security number. Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.
While SOC 2 compliance isn't a requirement for SaaS and cloud computing vendors, its role in securing your data cannot be overstated.
Imperva undergoes regular audits to ensure the requirements of each of the five trust principles are met and that we remain SOC 2-compliant. Compliance extends to all services we provide, including web application security, DDoS protection, content delivery through our CDN, load balancing and Attack Analytics.