What does it mean to be SOC 2 compliant?

Written by
Russell Greenwald


As a Finance, HR, and IT outsourcing firm, we take security seriously. In 2021 we achieved SOC 2 Type 2 security compliance status. For those unfamiliar with this credentialing protocol, here’s a quick overview.

Service Organization Control (SOC) 2 is a set of compliance requirements and auditing processes designed for service providers. A Type 2 status is an attestation of the controls over a period of at least six months, whereas a Type 1 status focuses on a specific point in time.

A Type 2 status conveys more assurance that an organization is secure. SOC 2 was developed to help service companies identify their processes and put procedures in place to secure their systems and protect data. This is particularly important because service providers handle a significant amount of client data housed in the cloud.

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) to protect client data and minimize system vulnerability to hackers and other bad actors. The process defines criteria for managing customer data based on five “trust service principles” – security, availability, processing integrity, confidentiality, and privacy.

In simpler terms, the process requires service providers, Insource in this case, to:

    • Create checks and balances in its technology oversight infrastructure to assure that user permission procedures are rigorous, that unusual activity is detected and acted upon according to established prioritization protocols, and that system changes are pre-authorized through an established chain of command.

    • Establish an emergency response system that is triggered when unusual activity is detected. Unusual activity in this context includes data exposure or modification, file transfers, and unauthorized access attempts (or successes) against files, accounts, or logins. This emergency response system must demonstrate that the organization will be alerted immediately in the event of unauthorized access or a breach, and that a standard response plan is in place, ready to mobilize and protect access and data quickly.

    • Develop a way to track an incident so that a response can be well organized. Audit trails within SOC 2 plans help identify the who, what, when, where, and how of an incident so you can intelligently formulate a response. Plans must address how you’ll track the source of the attack, the parts of the system impacted, and the actual consequences of the breach. Without a detailed plan ready to activate, these attacks can be overwhelming to investigate. With a strong plan, systems can be quickly locked down, damages assessed, and remediation implemented, with the result that the overall infrastructure is further secured.

For more information about what you can do to increase your system security, contact Insource today for a Security Assessment at insource@insourceservices.com or call us on (781) 235-1490.
