SOC 2 Compliance

Apr 14, 2020

SOC 2 Compliance: What is it?

SOC 2 is a voluntary auditing framework developed by the American Institute of CPAs (AICPA). Strictly speaking it produces an attestation report rather than a certification: an independent auditor attests that a service provider manages customer data securely, protecting the interests of the organizations that use the service and the privacy of their clients. This is extremely important in today’s online, cloud-based world, where mishandled data, whether through installed malware, extortion or data theft, can leave companies and private citizens exposed to attack.

The auditing process an organization must go through to obtain a SOC 2 report is quite strenuous. The audit is performed by an independent, licensed CPA firm, not by the AICPA itself, and it does not examine financial statements (that is the subject of a SOC 1 report). Instead, the auditor delves deep into the system under review and its internal controls to ensure that the way the company processes and secures data meets the criteria: a Type I report covers whether the controls are suitably designed at a point in time, and a Type II report also tests whether they operated effectively over a period, typically six to twelve months. Every aspect of the in-scope system, from policies and personnel to infrastructure and the handling of customer data, is scrutinized.

SOC 2 is defined by five basic “trust service principles” (renamed the Trust Services Criteria in the 2017 revision) for managing customer data: security, availability, processing integrity, confidentiality, and privacy.

Security covers the controls that protect systems and data against unauthorized access, for example network and application firewalls, two-factor authentication, and intrusion detection. Security is the only category required in every SOC 2 report. The other four are optional and are included according to the commitments the service makes to its customers; they are not met automatically once security controls are in place, and each one that is included is audited against its own criteria.

Availability covers performance monitoring, security incident handling and disaster recovery.

Processing integrity covers quality assurance and process monitoring.

Confidentiality covers data encryption, access controls and firewalls.

Privacy covers how personal information is collected, used, retained, disclosed, and disposed of.

Part of SOC 2 compliance is having alerts set up for exposure or modification of data, controls or configurations; for unscheduled file transfers; and for unknown or unexpected privileged filesystem, account or login access. An alert only counts as a control if someone reviews it and the response is recorded, because a Type II audit asks for evidence that the monitoring operated throughout the review period, not just that it was configured.
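The following Python script is an added illustration of the alerting described above; it is not code from FirstLink Technology or from any SOC 2 guidance. The JSON audit-log format, the field names, the 02:00–04:00 UTC change window, the sensitive path prefixes and the admin allow-lists are all assumptions chosen for the example, and the log lines are constructed. It flags the four classes of event the paragraph lists: unticketed changes to configuration or controls, data made world-readable, file transfers outside the window, and privileged logins from an unknown account or host.

```python
"""Illustrative SOC 2-style alerting over constructed audit log lines.

Added example, not FirstLink Technology's code and not part of any SOC 2
guidance. Log format, field names, window and allow-lists are assumptions.
"""
import json
from datetime import datetime, timezone

# Assumed allow-lists: accounts permitted privileged access and the hosts
# they are expected to come from. Anything outside these raises an alert.
KNOWN_ADMINS = {"alice", "bob"}
KNOWN_ADMIN_HOSTS = {"10.0.5.10", "10.0.5.11"}

# Assumed change/transfer window: 02:00 to 04:00 UTC on any day.
WINDOW_START_HOUR = 2
WINDOW_END_HOUR = 4

# Assumed paths holding configuration, controls or customer data.
SENSITIVE_PREFIXES = ("/etc/", "/var/lib/app/config/", "/srv/customer-data/")


def in_window(ts):
    """True if the (UTC) timestamp falls inside the scheduled change window."""
    return WINDOW_START_HOUR <= ts.hour < WINDOW_END_HOUR


def evaluate(event):
    """Return a list of (alert_kind, detail) for one parsed audit event."""
    alerts = []
    ts = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    kind = event["event"]
    user = event.get("user", "?")
    path = event.get("path", "")

    # Modification of data, controls or configuration: only a ticketed change
    # inside the window is considered scheduled.
    if kind in ("config_change", "file_modify") and path.startswith(SENSITIVE_PREFIXES):
        if not event.get("change_ticket") or not in_window(ts):
            alerts.append(("config_modified",
                           f"{user} changed {path} without an in-window change ticket"))

    # Exposure of data: a permission change that makes a sensitive path public.
    if kind == "acl_change" and event.get("world_readable") and path.startswith(SENSITIVE_PREFIXES):
        alerts.append(("data_exposed", f"{user} made {path} world-readable"))

    # Unscheduled file transfers: anything outside the window.
    if kind == "file_transfer" and not in_window(ts):
        alerts.append(("unscheduled_transfer",
                       f"{user} transferred {path} to {event.get('dest', '?')} at {ts.isoformat()}"))

    # Privileged access from an account or host we do not recognise.
    if kind == "privileged_login":
        src = event.get("src", "?")
        if user not in KNOWN_ADMINS:
            alerts.append(("unknown_privileged_account", f"{user} logged in with privilege from {src}"))
        if src not in KNOWN_ADMIN_HOSTS:
            alerts.append(("unknown_privileged_host", f"{user} logged in with privilege from unknown host {src}"))
    return alerts


def scan(log_text):
    """Scan newline-delimited JSON audit events; return (line_no, kind, detail).

    Lines that cannot be parsed are reported too: a gap in the audit trail is
    itself something an auditor will ask about.
    """
    alerts = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append((line_no, "unparseable", raw[:60]))
            continue
        for kind, detail in evaluate(event):
            alerts.append((line_no, kind, detail))
    return alerts


# Constructed sample log (not real data). Expected alerts: lines 2, 4, 6, 7, 8.
SAMPLE_LOG = """\
{"ts": "2020-04-14T02:30:00+00:00", "event": "config_change", "user": "alice", "path": "/etc/nginx/nginx.conf", "change_ticket": "CHG-1042"}
{"ts": "2020-04-14T13:05:00+00:00", "event": "config_change", "user": "bob", "path": "/etc/ssh/sshd_config"}
{"ts": "2020-04-14T03:10:00+00:00", "event": "file_transfer", "user": "backup", "path": "/srv/customer-data/export.tar", "dest": "backup.internal"}
{"ts": "2020-04-14T22:41:00+00:00", "event": "file_transfer", "user": "carol", "path": "/srv/customer-data/export.tar", "dest": "198.51.100.7"}
{"ts": "2020-04-14T09:00:00+00:00", "event": "privileged_login", "user": "alice", "src": "10.0.5.10"}
{"ts": "2020-04-14T09:02:00+00:00", "event": "privileged_login", "user": "mallory", "src": "10.0.5.10"}
{"ts": "2020-04-14T09:03:00+00:00", "event": "privileged_login", "user": "bob", "src": "203.0.113.9"}
{"ts": "2020-04-14T15:00:00+00:00", "event": "acl_change", "user": "bob", "path": "/srv/customer-data/", "world_readable": true}
{"ts": "2020-04-14T15:01:00+00:00", "event": "file_read", "user": "alice", "path": "/home/alice/notes.txt"}
"""

if __name__ == "__main__":
    for line_no, kind, detail in scan(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

Each alert from `scan` is a tuple the reviewer can record alongside the action taken, which is the evidence a Type II auditor will sample. In a real deployment the allow-lists and window would come from the change-management and access-review records rather than being hard-coded.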

FirstLink Technology is proud to keep up with these controls and to subscribe to these audits for our clients. We feel this is an important measure to ensure the integrity of systems and the security of our clients’ data.