SOC II is a standard for managing customer data to prevent theft and data misuse. It is specifically formulated to apply to companies that use the cloud for data storage. Unlike other standards such as ISO or NIST, SOC II does not provide a certification, because SOC II is a report. SOC II is also a baseline for some other standards; some current standards evolved from the SOC reports. SOC II reports use five categories, called "trust service principles/criteria", which organizations are free to interpret. With this flexibility, companies can create their own controls, tailored to each company's needs, while still fitting the necessary standards. The five sections are described below.
To obtain a report, an organization must establish strict policies and procedures that are, or will be, appropriately implemented and followed with respect to the trust service principles. The initial report must cover a minimum of 6 months of prior data; thereafter, the prior year's metrics are reviewed on an annual basis.
Privacy. Example controls: Access Controls, Two-Factor Authentication, Encryption
The privacy portion of SOC II focuses on the system's collection, use, retention, disclosure and disposal of personal information, to ensure that it conforms to the organization's privacy notice as well as the criteria set forth in the AICPA's Generally Accepted Privacy Principles (GAPP). Personal information is defined as a name, address, Social Security number, or other potentially sensitive data such as race, gender, sexuality, and religion, or any data that requires an extra level of protection.
Security. Example controls: Network/Application Firewalls, Two-Factor Authentication, Intrusion Detection
Security refers to the protection of the system against unauthorized access through the use of access controls. These controls are used to prevent possible abuse, misuse, theft, unauthorized removal, unauthorized tampering, or disclosure of information. Security is also the fundamental Trust Service Criterion, so it cannot be scoped out; a report can, however, cover Security alone, all of the Trust Criteria, or any mix of the five.
Availability. Example controls: Performance Monitoring, Disaster Recovery, Security Incident Handling
Availability speaks to how accessible the system and its products/services are, measured against a minimum acceptable performance level for system availability that is set by both parties. Monitoring network performance and availability, site failover, and security incident handling are critical in this context.
Confidentiality. Example controls: Encryption, Access Controls, Network/Application Firewalls
Confidentiality refers to data that is accessible but should not be disclosed to specific people or groups, because it is intended only for company personnel or specific groups of company personnel. This may include business plans, intellectual property, internal price lists, and other types of sensitive financial information.
Processing Integrity. Example controls: Quality Assurance, Process Monitoring
Processing integrity addresses whether or not the system achieves its purpose: if the system is intended to deliver the right data at the right price at the right time, it should do so. Data processing should be complete, valid, accurate, timely, and authorized.