I often get into discussions with both IT and business leaders who are wondering how best to address the question of security as it relates to the technical solutions they use to run their business. Oftentimes the discussions turn to the minutiae, such as software architecture, network architecture, database platform, private or public cloud, encryption, etc. These discussions are often interesting but almost always leave leadership still wondering: are we secure?
Fortunately, the same rigor we’ve grown to trust in financial accounting audits is also available for technology audits. These audits result in what’s called the SOC 2 Report. A SOC 2 audit ensures that the proper considerations related to infrastructure, software, people, procedures and data have been applied to the following five principles, called the Trust Service Principles (TSPs):
1. Security: The system is protected, both logically and physically, against unauthorized access.
2. Availability: The system is available for operation and use as committed or agreed to.
3. Processing Integrity: System processing is complete, accurate, timely, and authorized.
4. Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
5. Privacy: Personal information is collected, used, retained and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
As a result of the audit, one of two types of reports can be produced.

SOC 2 Type 1
This audit confirms that the proper criteria (the design of the controls) have been established to ensure the five TSPs are met. It does not audit whether those criteria are actually applied. The risk of producing only this type of report is that there is no proof that the solution actually does what its provider says it should do.

SOC 2 Type 2
This audit not only confirms that the proper criteria have been established to ensure the five TSPs are met, but also audits whether those criteria are followed in practice over the audit period.
Kingland has been audited annually and has produced a SOC 2 Type 2 report every year since 2012. As an IT leader, it’s reassuring to know that we have established both proper design and proper practice to ensure the highest level of security. Next time you are wondering whether your solution is secure, I would encourage you to ask for a copy of its SOC 2 Type 2 report.