SOC 2 Compliance Security Awareness Requirements

As malicious actors continue to find increasingly sophisticated ways to exploit vulnerabilities in both our systems and employees, the need to demonstrate compliance with information security best practice continues to grow. The simplest way of easily demonstrating information security compliance to internal and external stakeholders is by achieving a set compliance standard that is maintained and assessed by an external body. One such standard is the Service Organization Controls 2 (SOC 2) certification.

What is SOC 2 Compliance?

Developed by the American Association of Certified Public Accountants (AICPA), the SOC 2 certification defines criteria for the proper use and handling of customer data based on a model of five “Trust Service Principles

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

Security

Security pertains to the measures the organisation has in place to prevent unauthorised access to systems, such as firewalls, access controls, intrusion detection and two-factor authentication. Implementing these SOC 2 requirements demonstrates that the organisation has effective measures in place to prevent improper use of information, unauthorised data removal, or software use by nefarious actors.

Availability

The availability principle for SOC 2 compliance ensures that the organisation has ensured that measures have been implemented that ensure their product or service’s availability is guaranteed to the customer as stipulated by the service level agreement in place between both parties.

Crucial to the meeting of this principle is ensuring that network performance is stringently monitored, and that site failover procedures are in place to maintain expected service levels at all times.

Processing Integrity

Processing integrity refers to the ability to ensure that systems achieve their purpose, particularly in the case of how data is stored and processed. Regular monitoring of how your organisations systems process data is imperative to this principle, as are quality assurance procedures that ensure integrity of data processing. Notably this principle doesn’t refer to data integrity which is not the purview of the processor.

Confidentiality

Confidentiality of sensitive data is crucial for SOC 2 certification, and the confidentiality of data held by your organisation can be demonstrated by the use of strong encryption, firewalls, and access controls to ensure that the data can’t be accessed by parties with malicious intentions.

Privacy

To meet the SOC 2 certification privacy principle, your organisations systems must protect all personally identifiable information such as names, addresses, health information, national insurance numbers and information relating to race and sexual orientation cannot be accessed by any employee without sufficient need or outside actors. Usually, an additional level of protection on such data is required to guarantee its privacy.

To earn the SOC 2 certification, the organisation must undergo an external audit of their data processing practices against these five principles, demonstrating their adherence to each to their assessor. The output are internal SOC 2 reports which provide you, regulators and your supply chain visibility into how your organisation manages data in line with the principles.

There are two types of SOC reports:

What are type I and type II Reports?

Type I SOC 2

Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles as of a specified date.

Type II SOC 2

Type II details the operational effectiveness of those systems throughout a specified period.

Why would I wish to pursue SOC 2 compliance?

There are many good reasons to achieve SOC 2 compliance. Firstly, it demonstrates your commitment to ensuring the security of the information you collect and how your IT infrastructure works to keep your customers information safe.

Secondly, unlike other compliance standards, the SOC 2 reports that are required are unique to each organisation that undergoes them as they must reflect specific data management processes exactly. The flexible and bespoke nature of the certification make it a useful opportunity to reassess your processes and infrastructure. SOC 2 applies an intelligent approach to compliance requirements.

Thirdly, The SOC standard is a widely used U.S. security standard and the reports are increasingly becoming part of organisation’s vendor management policies. As such, the certification will act as assurance to current customers but also accelerate and smooth the process of winning new customers.

How can information security awareness training help achieve SOC 2 certification?

Organisations must comply with AICPA’s common criteria 2.2 to “communicate information to improve security knowledge and awareness and to model appropriate security behaviours to personnel through a security awareness training program.”

Investing in information security awareness training for your employees is therefore a requirement of the SOC 2 certification, however not all security awareness training is created equal. Many training providers will provide a solution that offers tutorials with no means of testing employee awareness. These solutions are sometimes deemed as enough as the organisation can provide a record that staff have viewed them, but these solutions stop short of creating a secure workplace culture.

To ensure that behavioural change results for security awareness training, a holistic approach to awareness is required. Tutorials must inform the employee of potential dangers and offer challenging tasks that require the employee to demonstrate their knowledge. A solution that includes a learning management system can not only help quantify the level of awareness held by employees, but also group this awareness level by department to help your IT or security teams identify any areas for improvement that will need to be addressed before your SOC 2 audit. Cybersecurity awareness training helps prevent data breaches as well as fulfilling compliance requirements.

Further to comprehensive training and reporting, phishing simulation is an invaluable tool in further demonstrating that when faced with a threat, your employees are equipped to act accordingly. Whilst not always suited to smaller organisations due to the level of management required, phishing simulation can further demonstrate your organisation’s resilience when faced with a potential threat.

Case Study: Information Security Awareness Training for SOC 2

SaaSquatch, a Canadian based marketing SAAS solution, chose Hut Six as a means to strengthen their internal initiatives toward SOC 2 compliance.

Recognising that in order to ensure proper data security a secure culture must be formed over and above simply securing systems, SaaSquatch undertook Hut Six training to help build a secure culture to bolster their SOC2 compliance application.

Read Full SaaSquatch Case Study Here.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Featured

Securing Work from Home

Top 10 Security Tips for Remote Work

Top 10 Security Tips for Remote Work. Securing Work from Home blog image by Information Security Awareness Training provider Hut Six Security.

InfoSec Round-Up: December 6th

InfoSec Round-Up: December 6th - Hut Six

iOS Wi-Fi Exploits, School Ransomware & Vaccine Supply Chain Targeted - InfoSec Round-Up Dec 6th

Business Case for Security Awareness Training

Building a Business Case for Information Security Awareness Training

Building a Business Case for Information Security Awareness Training blog by Information Security Awareness Training provider Hut Six.

InfoSec Round-Up: November 29th

InfoSec Round-Up: November 29th - Hut Six

€50M Ransomware Attack, Spotify Details Exposed & Man-United Breach - InfoSec Round-Up Nov 29th

Zero Trust Security

How Zero Trust Works

How Zero Trust Works - Zero Trust Security blog by Information Security Awareness Training provider Hut Six Security.

InfoSec Round-Up: November 22nd

InfoSec Round-Up: November 22nd - Hut Six

Facebook Scammers, $2M in Stolen Crypto & Russian Cybercrime Surge - InfoSec Round-Up Nov 22nd

Writing a Cyber Job Specification

How to Write a Cyber Job Specification

How to Write a Cyber Job Specification: Finding the Best Cybersecurity Talent. Cyber blog by Information Security Awareness solution provider Hut Six Security.

InfoSec Round-Up: November 15th 2020

InfoSec Round-Up: November 15th 2020 - Hut Six

Relationship Fraud, DoppelPaymer Attack & DWP Leak - InfoSec Round-Up Nov 15th

InfoSec Round-Up: November 8th 2020

InfoSec Round-Up: November 8th 2020 - Hut Six

Marriott Breach, eBay USB Drives & Possible Capcom Ransomware - InfoSec Round-Up, Nov 8th

Building your Cyber Security Team

How to Build a Cyber Team

How to Build a Cyber Team - Top Points to Consider When Building Your Team. Blog by Information Security Awareness solution Hut Six Security.