Protecting your organization’s data is critical, but it’s rare that it stays within the confines of your organization’s technical infrastructure. Your vendors, to some or a considerable extent, may have access to or help manage your data, as well, which means that it’s imperative that the vendors you choose have measures in place to protect them.
Security assessments are a crucial piece of the vetting process for new vendors, and on an ongoing basis- yearly is typical. However, there are third-party assessments that organizations can rely on to have even higher confidence that their vendors are meeting rigorous standards for data protection and security. A SOC 2 assessment is one of those.
If your vendor holds a SOC 2 attestation, here’s what this means for the security of your data.
For starters, what is a SOC 2 assessment?
A SOC 2 assessment verifies that an organization is in compliance with requirements relevant to security, processing integrity, availability, confidentiality, and privacy. It is designed for service providers, like EverCheck, that hold, store, or process private data on behalf of their clients.
The SOC 2 assessment process was developed by the American Institute of CPAs (AICPA), which defined criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.
Unlike PCI DSS, another major security standard with uniform and rigid requirements, SOC 2 assessments are tailored to individual organizations to allow operational flexibility in addressing these overriding principles.
What criteria must a service provider meet in a SOC 2 assessment?
A SOC 2 assessment is performed by an independent third-party auditing firm and evaluates a service organization’s key non-financial reporting controls as they pertain to upholding the five “trust service principles.” A SOC 2 audit ensures a service organization has not only designed controls- for example, through drafted policies- but that those controls are actually being followed by the organization and, most importantly, that the controls are effective at protecting client data.
A list of potential controls that aim to protect your data may include the following:
- Security protocols are observed at data storage facilities (e.g., cameras, visitor requirements, and logging, and procedures to add and remove access to the centers).
- Use of two-factor authentication when signing into the platform.
- The employee handbook is reviewed annually, employee background checks are performed, annual employee performance reviews are conducted, and employee sanction policies are in place.
- The organizational chart, internal control matrix, employee job descriptions, and training records are reviewed and maintained.
- Internal and 3rd party risk-assessments are performed, compliance reports are reviewed to verify a framework is in use, change management processes are reviewed,
- All or some of the following are established, maintained, and effective: KPIs, Service Level Agreements (SLAs), security policies and processes, IDS processes, proper controls for firewalls, data disposal processes, and incident management.
While this is not an exhaustive list, it provides a sense of the depth of the review that a service provider undergoes as part of a SOC 2 Type 2 audit.
What are the advantages of utilizing SOC 2 service providers?
Simply stated, a SOC 2 report (also known as an “attestation”) demonstrates that a service provider, such as EverCheck, has the systems and controls in place to protect your organization’s information and interests. Customers, insurers, and investors alike look to the SOC 2 assessment process to limit their exposure to risk from third-party service providers.
An organization derives value from its service provider’s SOC 2 attestation as proof of your organization’s focus on professionalism, security, and accountability across the organization.
Further, business leaders are accountable for how private information is transmitted and stored, including information handled by third-party service providers, and new federal regulations mandate controls for and timely disclosure of data breaches. So, if your organization relies upon service providers to manage, secure, or host your data, you should care deeply about whether your service providers, like EverCheck, have undergone a SOC 2 audit.
Plus, the Cost of Data Breach Study commissioned by the Ponemon Institute estimated the average total cost of an organizational data breach to be in the millions. With so much at stake, a growing number of organizations require their vendors at risk of data breaches to prove that they are properly protected by completing a SOC 2 audit.
Overall, a SOC 2 attestation is a symbol of a service provider's level of sophistication and degree of security, such as EverCheck. It demonstrates the degree to which a service organization values its reputation, professionalism, and that of its clients.
About the contributing authors
John McCormack serves as the Information Security Manager and CSO for EverCheck. He has worked in the information security field for over 20 years. He has held similar positions with several fortune 100 firms in that time frame. John performs all aspects of information security for EverCheck, including risk assessments, policy updates, SOC 2 assessments, and HIPAA compliance.
Aaron Prom serves as EverCheck's Chief Administrative Officer & Counsel. With 11 years of experience in business and commercial law counseling both public and private companies, Aaron guides EverCheck's back-end processes, focusing on risk analysis, compliance, and strategic planning.
Click here to see a quick summary of the EverCheck solution for ensuring caregivers are always clear to work.
