SOC 2 COMPLIANCE & CERTIFICATION
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES

Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance:

• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
  ⁃ Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner

1,000+ clients | 10,000+ IT security certifications | 275+ security experts
What does SOC stand for?

System and Organization Controls (SOC)

SOC represents a set of compliance standards developed by the American Institute of CPAs (AICPA), a network of over 400,000 CPA professionals across the globe.

SOC audits aim to examine the policies, procedures, and internal controls of an organization.

There are 3 SOC audits & reports:
• SOC 1
• SOC 2
• SOC 3

© 2021 ControlCase. All Rights Reserved.


What are the 3 types of SOC Reports?

SOC 1 (Financial Controls)
• Reports on the processes and controls that influence the organization’s internal control over financial reporting (ICFR).
• This is because the choices a company makes as a service organization may affect the financial reporting of its users’ organizations.
• Standard assessment report required by user entities to comply with the Sarbanes-Oxley Act (SOX).

SOC 2 (Process/IT Controls)
• Designed for service organizations.
• Reports on non-financial controls.
• Focuses on five key trust services criteria (formerly called trust services principles), or TSCs.
• SOC 2 describes the controls necessary to keep sensitive data private and secure while it’s in transit or at rest.

SOC 3 (General Use)
• A general-use summary of a SOC 2 examination intended for public distribution; it omits the detailed description of the system, the tests performed and their results.


What is SOC 2 Compliance?

• SOC 2 focuses on non-financial reporting of internal controls and systems.
• SOC 2 aims to protect the security, confidentiality and privacy of the customer data a service organization stores or processes, typically in cloud environments.
• SOC 2 compliance helps service providers show that the security, privacy, confidentiality and integrity of their customers’ data is a priority.


Who does SOC 2 Compliance apply to?

SOC 2 applies to any organization that wants to demonstrate to the organizations it works with, as part of third-party relationships, the controls associated with its selected Trust Service Criteria. Typical examples:

• Third-party service providers such as cloud storage, web hosting, and software-as-a-service (SaaS) companies.
• Any organization that stores its customer data in the cloud.


What are the SOC 2 Trust Service Criteria?

SOC 2 defines criteria for managing customer data based on 5 “Trust Service Criteria” (TSCs):

1. Security
2. Availability
3. Confidentiality
4. Processing Integrity
5. Privacy

Security (the common criteria) is included in every SOC 2 examination; the other four are included only when they match the commitments the service organization makes to its customers, so check which criteria a report actually covers before relying on it.


Examples of what is included in the Security TSC

• Penetration tests and vulnerability assessments
• Application security measures
• Intrusion detection systems (IDS)
• Firewalls
• Application and network security
• Multi-factor authentication tools
• Computer use policies
• Access control measures


Examples of what is included in the Availability TSC

• Performance and incident monitoring and response
• Disaster response and recovery
• Secure data backups
• Replication and redundancy


Examples of what is addressed in the Confidentiality TSC

• Digital access controls
• Physical access controls
• Network and application firewalls
• Cryptographic solutions


Examples of what is included in the Processing Integrity TSC

• Quality assurance
• Process monitoring systems


Examples of what is addressed in the Privacy TSC

• Notice and communication of objectives
• Choice and consent
• Collection
• Use, retention, and disposal
• Access
• Disclosure and notification
• Quality
• Monitoring and enforcement


What is a SOC 2 Report?

There are 2 types of SOC 2 reports:

SOC 2 Type 1
• Outlines management’s description of a service organization’s system and the suitability of the design of its controls.
• This report evaluates the controls at a specific point in time; it does not test whether the controls actually operated effectively.

SOC 2 Type 2
• Covers not just the description and the design of the controls, but also evaluates their operating effectiveness.
• The report evaluates controls over an extended period retrospectively (normally no less than 6 months and no more than 12) to ensure the controls were effective throughout that period.