SOC 2 Compliance Security Awareness Requirements

As malicious actors continue to find increasingly sophisticated ways to exploit vulnerabilities in both our systems and employees, the need to demonstrate compliance with information security best practice continues to grow. The simplest way of easily demonstrating information security compliance to internal and external stakeholders is by achieving a set compliance standard that is maintained and assessed by an external body. One such standard is the Service Organization Controls 2 (SOC 2) certification.

What is SOC 2 Compliance?

Developed by the American Institute of CPAs (Certified Public Accountants) (AICPA), the SOC 2 certification defines criteria for the proper use and handling of customer data based on a model of five “Trust Service Principles”

1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy

Security

Security pertains to the measures the organisation has in place to prevent unauthorised access to systems. These include risk management solutions such as firewalls, access controls, intrusion detection and two-factor authentication. Implementing these SOC 2 requirements demonstrates that the organisation has effective measures in place to prevent improper use of information, unauthorised data removal, or software use by nefarious actors.

Availability

The availability principle for SOC 2 compliance ensures that the organisation has ensured that measures have been implemented that ensure their product or service’s availability is guaranteed to the customer as stipulated by the service level agreement in place between both parties.

Crucial to the meeting of this principle is ensuring that network performance is stringently monitored, and that site failover procedures are in place to maintain expected service levels at all times.

Processing Integrity

Processing integrity refers to the ability to ensure that systems achieve their purpose, particularly in the case of how data is stored and processed. Regular monitoring of how your organisations systems process data is imperative to this principle, as are quality assurance procedures that ensure integrity of data processing. Notably this principle doesn’t refer to data integrity which is not the purview of the processor.

Confidentiality

Confidentiality of sensitive data is crucial for SOC 2 certification, and the confidentiality of data held by your organisation can be demonstrated by the use of strong encryption, firewalls, and access controls to ensure that the data can’t be accessed by parties with malicious intentions.

Privacy

To meet the SOC 2 certification privacy principle, your organisations systems must protect all personally identifiable information such as names, addresses, health information, national insurance numbers and information relating to race and sexual orientation cannot be accessed by any employee without sufficient need or outside actors. Usually, an additional level of protection on personal data is required to guarantee its privacy.

To earn the SOC 2 certification, the organisation must undergo an external audit of their data processing practices against these five principles, demonstrating their adherence to each to their assessor. The output are internal SOC 2 reports which provide you, regulators and your supply chain visibility into how your organisation manages data in line with the principles.

There are two types of SOC reports:

What are type I and type II Reports?

Type I SOC 2

Type II SOC 2

Why would I wish to pursue SOC 2 compliance?

There are many good reasons to achieve SOC 2 compliance. Firstly, it demonstrates your commitment to ensuring the security of the information you collect and how your IT infrastructure works to keep your customers information safe.

Secondly, unlike other compliance standards, the SOC 2 reports that are required are unique to each organisation that undergoes them as they must reflect specific data management processes exactly. The flexible and bespoke nature of the certification make it a useful opportunity to reassess your processes and infrastructure. SOC 2 applies an intelligent approach to compliance requirements.

Thirdly, The SOC standard is a widely used U.S. security standard and the reports are increasingly becoming part of organisation’s vendor management policies. As such, the certification will act as assurance to current customers but also accelerate and smooth the process of winning new customers.

How can information security awareness training help achieve SOC 2 certification?

Organisations must comply with AICPA’s common criteria 2.2 to “communicate information to improve security knowledge and awareness and to model appropriate security behaviours to personnel through a security awareness training program.”

Investing in information security awareness training for your employees is therefore a requirement of the SOC 2 certification, however not all security awareness training is created equal. Many training providers will provide a solution that offers tutorials with no means of testing employee awareness. These solutions are sometimes deemed as enough as the organisation can provide a record that staff have viewed them, but these solutions stop short of creating a secure workplace culture.

To ensure that behavioural change results for security awareness training, a holistic approach to awareness is required. Tutorials must inform the employee of potential dangers and offer challenging tasks that require the employee to demonstrate their knowledge. A solution that includes a learning management system can not only help quantify the level of awareness held by employees, but also group this awareness level by department to help your IT or security teams identify any areas for improvement that will need to be addressed before your SOC 2 audit. SOC 2 audit training helps prevent data breaches as well as fulfilling compliance for security awareness training requirements.

Further to comprehensive training and reporting, phishing simulation is an invaluable tool in further demonstrating that when faced with a threat, your employees are equipped to act accordingly. Whilst not always suited to smaller organisations due to the level of management required, phishing simulation can further demonstrate your organisation’s resilience when faced with a potential threat.

Case Study: Cyber Security Awareness Training for SOC 2

SaaSquatch, a Canadian based marketing SAAS solution, chose Hut Six as a means to strengthen their internal initiatives toward SOC 2 compliance.

Recognising that in order to ensure proper data security a secure culture must be formed over and above simply securing systems, SaaSquatch undertook Hut Six training to help build a secure culture to bolster their SOC2 compliance application.

Read Full SaaSquatch Case Study Here.