Clients and vendors want to know that your business can be trusted with sensitive data. While you can certainly give them your word that you will store and manage data securely, this strategy will only get you so far. This is why SOC 2 Type 2 certification is such an important and revered achievement for SaaS businesses. With SOC 2 Type 2 certification, you can show prospective clients and vendors that your business has passed a thorough audit and was deemed sound in its infrastructure, processes, and overall data security. Not only will this make your business look better, but it will also help you secure more (and better) clients going forward.
For better or worse, SOC 2 Type 2 compliance is not a cut-and-dried concept. Every business is unique, which means that auditors will develop specific requirements and tests for each audit and each company. We’ll go into more detail about the technical aspects of acquiring SOC 2 certification a little later on. For now, let’s look at the general principles underlying SOC 2 Type 2 certification:
SOC 2 Type 2 certification is just about the best way to demonstrate your company’s ability to manage data and security processes effectively. Developed by the AICPA, SOC 2 Type 2 certification is one of several attestations that companies can acquire through third-party auditors. Both SOC 1 and SOC 3 certifications can show a certain degree of competence and understanding of best practices related to data management, but neither holds the same weight as SOC 2. Thus, it is often much more productive to pursue SOC 2 certification, even though SOC 1 or SOC 3 certification is much easier to obtain.
As you could probably guess, there are two types of SOC 2 certification: Type 1 and Type 2. SOC 2 Type 1 certification tests all of the same processes and controls as Type 2, though Type 2 is far more thorough. Generally speaking, SOC 2 Type 1 certification shows that a company is compliant at a specific point in time, while SOC 2 Type 2 certification demonstrates a company’s ability to implement and maintain controls over a set period of time. As a result, SOC 2 Type 2 certification is more complex, time-consuming, and expensive. However, SOC 2 Type 2 certification will also do a lot more to grow your business and help you stand out amongst the competition.
So, what is SOC 2 compliance? As previously mentioned, the SOC 2 auditing process varies for every business. Consequently, there’s no perfect SOC 2 Type 2 checklist that will guarantee compliance and certification. However, if your business has already worked to execute certain engineering procedures and data security protocols, you’ll have a much better chance of passing the test. Moreover, investing in data security now could help you save on costs down the road.
It’s important to note that the SOC 2 Type 2 audit provides an opportunity to improve. Typically, the auditor will identify what your business is already doing right and what it could be doing better. If you can make the necessary changes (as outlined in the audit report), you can still attain SOC 2 Type 2 certification. Thus, you can really only “fail” a SOC 2 Type 2 audit if you show a disregard for security practices or little interest in improving your existing systems.
So, what are SOC 2 auditors looking for? In essence, they want to make sure that your business can be trusted with sensitive data. To reach this conclusion, auditors will look at all of the following criteria:
Every SaaS company needs to have a system of checks and balances. In order to do so, each business must have official, written rules and procedures to ensure the safety of data and the strength of internal processes. If a breach of protocol occurs, there must be individuals or teams responsible for identifying and rectifying the issue.
However, oversight does not just entail retroactive methods for “fixing” errors. It also encompasses continual performance reviews to ensure that employees are educated on company-wide protocols and are acting with good judgment when handling sensitive data. Moreover, employees and even external parties with access to sensitive data should undergo thorough background checks to avoid future problems or conflicts of interest.
Internal oversight is meaningless if it’s not backed up by the right technical infrastructure. This generally requires you to set up controls for your system, services, website, and/or application. Here are a few of the most common infrastructure requirements that SOC 2 Type 2 auditors will look out for:
- Encryption - Above all else, auditors will want to know that user data is encrypted and securely managed by your company. This applies when data is at rest and when it is in transit. At a minimum, your website or application will need to have an SSL/TLS certificate and a description of all encryption protocols in use.
- Backups - Whenever your company logs data, you’ll need to ensure that it is stored in a safe place. This can be a customized flat-file database or a similar setup that ensures regular backups.
- Application Monitoring Systems - Internal oversight should not be susceptible to human error. This means that auditors will look for some kind of Application Performance Management (APM) system. An APM system provides automated monitoring to identify security risks or breaches in real time. Auditors will want to know whether or not your business can identify and quickly resolve issues as they arise, which can’t always happen with human oversight alone.
- Data Exposure - While the aforementioned elements will all help protect data and create a secure environment, you will still need to demonstrate how your company handles vulnerabilities. In other words, your team must actively look for risks of data exposure or compromised systems. You must also allow third parties to contact your business in the event that they find a weak point, and show a willingness to fix it.
The Software Development Life Cycle (SDLC) is the process by which a business creates, tests, and implements an information system. For SOC 2 Type 2 certification, it’s especially important that you have issue tracking and viable testing methods. While you can always develop an in-house issue tracking system, there are dozens of products on the market to help your business fulfill this requirement, including highly popular options like JIRA.
You’ll need to build a review cycle for any changes you make to your website, application, or platform. This way, you can quickly test changes and address any errors, bugs, or potential security risks that occur. The auditor will just want to make sure that you have a software engineer ready to revise the code as needed and a step-by-step process for SDLC changes.
While it’s extremely important to review how data is handled, it’s just as important to review who is handling it. Auditors want to know that only team members who need access to data have it, and that there’s a system in place to revoke access when necessary. For example, if an employee is fired from your company, they should no longer be able to access sensitive client data.
Regardless of the cloud software you use, you’ll need to make sure that administrative controls are clearly defined. If you’re using AWS, you can easily set up IAM users and grant varying degrees of access based on the structure and requirements of your business. This will show the auditor that you are actively managing access controls and preventing unauthorized personnel from making any changes.
As a last defense against unauthorized access, you should implement two-factor authentication and remote device management. The former ensures that team members with administrative access must pass more than one security measure (email or text verification, authenticator app, etc.) before they can see or edit data, while the latter will help protect sensitive data in the event that a device is lost or stolen.
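As an added illustration of the access-review side of this (example code, not from the original article), the following Python checks an IAM credential report, the CSV that `aws iam get-credential-report` returns, for the two things discussed above: console users without MFA, and active access keys nobody has used recently, which often belong to people who have already left. The report rows, the account id and the 90-day threshold are constructed assumptions, not real data.

```python
"""Flag IAM users an auditor would ask about (constructed sample, not live data).

Input is the CSV that `aws iam get-credential-report` returns: console users
without MFA, and active access keys nobody has used recently, are flagged.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # assumed threshold; use the value your access-review policy states

# Constructed sample in the credential-report column layout, trimmed to the
# columns this check reads (DictReader ignores any extra real columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-01T09:12:00+00:00,true,true,2024-05-02T11:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-04-28T08:00:00+00:00,false,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,false,not_supported,false,true,2023-11-03T17:45:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,not_supported,false,true,2024-05-03T04:00:00+00:00,true,N/A
"""
SAMPLE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "today" for the sample


def _parse_date(value):
    """Report dates are ISO 8601; sentinels such as N/A or not_supported give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, stale_days=STALE_DAYS):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    findings = {}
    cutoff = now - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = []
        # A console password without an MFA device bypasses the 2FA control.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            problems.append("console login without MFA")
        # An active key never used, or unused since the cutoff, is a candidate for revocation.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = _parse_date(row[f"access_key_{n}_last_used_date"])
                if last is None or last < cutoff:
                    problems.append(f"access key {n} active but not used in the last {stale_days} days")
        if problems:
            findings[row["user"]] = problems
    return findings
```

Running `audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)` flags bob (no MFA), carol (key unused since November) and deploy-bot (an active key that has never been used), and leaves alice clean.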