A recent post by Kendra Cooley led to a lively discussion around the value of SOC2 attestations. She followed this up with an article that goes into a bit more depth.
Discussion around these sorts of issues is always educational. The devil is in the details. When one discusses SOC without clarifying the details, the waters get muddy very fast. There are 3 different types of SOC reports: SOC1, SOC2, and SOC3. A SOC1 report examines the internal controls of a service organization and the effect those controls may have on a user entity’s financial statements. Some of those controls might be security related but the scope is limited.
A SOC2 report comes in two flavors: SOC2 Type 1 and SOC2 Type 2. Both types of SOC2 reports address one or more of the five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. Organizations choose which of the five areas they wish to include in an audit, with Security being required.
A SOC2 Type 1 report is a point-in-time audit that validates that an organization has a defined set of policies and procedures in place and can verify, through audit evidence, that it has implemented the policies and is executing what the policies require.
A SOC2 Type 2 report has the same requirements as a SOC2 Type 1 but covers a defined period of time. The audit is more in depth and should include submission of evidence (sometimes called artifacts) proving that the controls have been in place and operationally effective for the term of the audit. A SOC2 Type 2 report is backwards looking.
A SOC3 is nothing more than an abbreviated version of a SOC2 Type 2 report that includes a certificate. Companies sometimes choose to share their SOC3 certificate as proof of an existing SOC2 Type 2 report.
Another important distinction is that a SOC2 audit is not a prescriptive audit. PCI-DSS is a prescriptive audit, meaning that there are specific technical controls that must be in place in order to pass the audit. If any one of the required controls is not implemented, or if the entity cannot provide evidence proving the implementation of the control, the company fails the audit.
SOC2 is a risk-based audit that seeks to help organizations understand how to properly implement governance, conduct risk assessments and reduce the highest risks to a level acceptable to the business. SOC2 is certainly not the only indication of an organization's security posture, but given a choice between two service providers, one with and one without a SOC2 Type 2 report, the maturity win goes to the former.
A good SOC 2 Type 2 audit will also serve to help mature the organization being audited. Businesses fail to get a SOC2 Type 2 report only when an auditor finds what is known as a qualifying exception. Auditors are not looking to fail their clients. A good auditor will work with the client to ensure their company implements the policies and processes that set them up for success.
Any company that believes simply checking the right boxes for SOC2 compliance is all it needs to do should reevaluate its approach. As security leaders, we need to uncover gaps in our service providers' security posture and flush out the box checkers. That takes effort. That effort isn't accomplished by forcing a vendor to complete frivolous questionnaires. It involves understanding the impact the vendor has on your business, the types of data the vendor holds and the risks the vendor poses to the business. It's not hard to flush out weaknesses in vendor security practices. Posing the right questions and evaluating the responses sheds light on many checkbox fliers!