I was a kid in the ’60s, a decade of war, protests, and constant challenges to authority and propriety. Some activities—such as the civil rights movement and women’s rights—were deadly serious. But some were downright fun, such as the censorship-testing TV show “Laugh-In.”
The show was full of so much silliness that we Thomas kids couldn’t always tell when something was naughty. It was our parents’ reaction that would fill us in. “Hello, is this the party to whom I am speaking?” Lily Tomlin’s voice as Ernestine seemed to be simply silly. Wiggling and giggling like Goldie Hawn was questionable. But adding the show’s signature shout-out: “Sock it to me, baby!” was sure to elicit parental shushes.
To tell you the truth, my brothers, sister and I never were sure we knew what “Sock it to me!” really meant. But that was OK, as long as we understood the intent behind our Dad’s “control yourselves!” warning.
Fast forward to today. There’s a new compliance concern in town called SOC 2. In this case, SOC stands for Service Organization Control, a family of reports defined by the American Institute of Certified Public Accountants (AICPA). Your organization may decide to opt for SOC 2 reports if you have been issuing SAS 70 reports to clients, or if you handle sensitive data for your customers. (SAS 70 itself has been superseded by SSAE 16, whose SOC 1 report covers only controls relevant to your customers’ financial reporting; organizations that were handing out SAS 70 reports to answer security questions are the natural candidates for SOC 2.)
The easiest way to understand the intent of SOC 2 is to compare it with the controls, attestations, and audits required by the Sarbanes-Oxley (SOX) Act. While SOX is concerned exclusively with internal controls over financial reporting, SOC 2 aims to demonstrate controls over non-financial data and the systems that process it, against commitments for security, confidentiality, and privacy.
A SOC 2 report is prepared by an independent auditor (a CPA firm) who examines a written assertion by management about the design and operation of the system’s controls. Following AICPA guidance, the auditor examines the control environment and issues an opinion. A Type 1 report opines only on whether the controls were suitably designed as of a specified date; a Type 2 report also opines on whether they operated effectively throughout the examination period, so Type 2 is the stronger assurance and the one a careful customer will ask for.
The SOC 2 report can be an important assurance tool for cloud computing providers, healthcare providers, and any other organization that needs to demonstrate adequate controls over the confidential treatment of data entrusted to it. One report can serve multiple compliance needs, because it assesses risks to operations and security as well as contractual and regulatory obligations, such as HIPAA, confidentiality agreements, and privacy mandates. Note that a SOC 2 report supports those obligations; it is not itself a HIPAA or other regulatory certification.
A SOC 2 report should demonstrate that the examined systems and their controls meet the AICPA’s Trust Services Principles. The five SOC 2 Trust Services Principles are:
- Security: the system is protected against unauthorized access, both physical and logical
- Availability: the system is available for operation and use as committed or agreed
- Processing integrity: system processing is complete, accurate, timely, and authorized
- Confidentiality: information designated as confidential is protected as committed or agreed
- Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization’s privacy notice and the AICPA’s privacy criteria
Sound familiar? It should. The concerns encapsulated in the SOC 2 Trust Principles are the same ones most organizations have been sweating over during this current decade of security breaches, information leaks, and privacy mishaps.
If your organization processes data that belongs to others, then it’s a good bet your leadership has started fielding some uncomfortable questions:
- How can you prove that you will treat my confidential data the right way?
- Why should I trust your operations?
- What does “Sock it to me, baby” mean, anyway?
OK, so some questions might not deserve an answer. But others do. And a SOC 2 report might just serve as a mechanism to help your leadership answer many customers’ (and potential customers’) questions in one easy report.
Your soundbite: SOC 2 reports are like SOX 404 reports, but for non-financial data.