The System and Organization Control (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), provides internal control reports and assessments to evaluate the risk management associated with outsourced services. SOC certifications demonstrate a service provider's commitment to security and help build trust with customers. These certifications involve third-party auditors assessing security and privacy controls as well as reviewing IT operations management.
- SOC 1 reports (Types 1 and 2) assess controls related to the processing of financial information.
- SOC 2 reports (Types 1 and 2) focus on security controls for data processing, based on the Trust Service Criteria.
- SOC 3 reports provide public assurance about data security but with less operational detail compared to SOC 2 reports.
Both SOC 1 and SOC 2 reports can be categorized as either Type 1 or Type 2. The Carbide Platform incorporates both SOC 2 Type 1 and Type 2 reports.
SOC 2 Overview and Types
SOC 2 criteria are integrated into the Carbide Platform to provide organizations with detailed information and assurance about the design and controls that protect and store data.
There are two types of SOC 2 reports:
- Type 1 reports evaluate whether the system design meets the control criteria of the Trust Services Criteria at a specific point in time.
- Type 2 reports assess the design of systems against the control criteria of the Trust Services Criteria and evaluate the operational effectiveness of that design over a period of time.
Breakdown of Trust Services Criteria
The SOC 2 audit process includes five categories of Trust Services Criteria:
- Security: This category is mandatory and covers a set of internal controls related to information security. It is often referred to as the "Common Criteria"
- Privacy: Pertains to the use, collection, retention, disclosure, and destruction of personal information according to the organization's privacy objectives.
- Availability: Focuses on maintaining an agreed-upon level of performance and includes disaster recovery methods and incident response as protective measures.
- Processing Integrity: Ensures that there are no processing errors.
- Confidentiality: Protects confidential data from compromise and ensures its privacy.
When undergoing a SOC 2 audit, organizations can decide which of the five criteria will be included in the scope. While Security is mandatory, organizations may choose to include privacy, availability, processing integrity, and/or confidentiality based on their specific needs.
Control Breakdown of Common Criteria
The Common Criteria (CC) is an international set of guidelines used for evaluating information technology operational security. It ensures that technical products' specifications, implementation, and evaluation meet trustworthy standards. The Common Criteria is mandatory for organizations conducting business with the US government. Details regarding the control breakdown of Common Criteria can be found here.
|
|
|
|
CC 1: Control Environment COSO Principle 1. Demonstrates commitment to integrity and ethical values COSO Principle 2. Exercises oversight responsibility COSO Principle 3. Establishes structure, authority, and responsibility COSO Principle 4. Demonstrates commitment to competence COSO Principle 5. Enforces accountability |
CC 4: Monitoring Activities COSO Principle 16. Conducts ongoing and/or separate evaluations COSO Principle 17. Evaluates and communicates deficiencies |
|
CC 2: Communication & Information COSO Principle 13. Uses relevant information COSO Principle 14. Communicates internally COSO Principle 15. Communicates externally |
CC 5: Control Activities COSO Principle 10. Selects and develops control activities COSO Principle 11. Selects and develops general controls over technology COSO Principle 12. Deploys policies and procedures |
|
CC 3: Risk Assessment COSO Principle 6. Specifies suitable objectives COSO Principle 7. Identifies and analyzes risk COSO Principle 8. Assesses fraud risk COSO Principle 9. Identifies and analyzes the significant change |
|
By understanding SOC and SOC 2 certifications, organizations can demonstrate their commitment to security, build trust with customers, and ensure compliance with relevant industry standards.
Content found within this document is based on Carbide’s understanding of and the information provided by the official website and documentation of the AICPA