Guide to SOC-2 Compliance
What Is It?
What Is SOC-2 Compliance?
SOC-2 Compliance is a standard for vendors that process the information of their client’s key business operations.
SOC was developed by the American Institute of Certified Public Accountants or AICPA. It was created to secure the financial information of clients and has since been expanded.
Who We Serve
Who Should Be SOC-2 Compliant?
SAAS Company
Any software used by vendors for the processing of data must be SOC compliant as to protect client information.
Accounting Firms
Accounting firms process high volumes of client financial data.
Cloud & Data Services
Cloud computing and Data Services used to process information must be SOC compliant as they are used by other industries for sensitive data.
The Principles
What does SOC-2 Compliance consist of?
Unlike other compliance standards which require rigid requirements, SOC-2 compliance allows each organization to determine its own controls as they align with the five trust principles.
The privacy trust principle involves an organization’s collection, use, storage, disclosure and disposal of personal information. Each organization should have an active privacy notice and maintain information in compliance with their notice as well as the criteria in the AICPA’s generally accepted privacy principles or GAPP.
Personal identifiable information or PII refers to any data that can distinguish an individual. This includes name, phone number, address, etc. Any additional information that relates to a person’s health, sexuality, race or religion is subject to an extra level of protection. Your system must include controls that protect all PII.
The security trust principle refers to the access, use, and protection of an organization’s system and data. An organization must prevent potential system abuse, theft or unauthorized use of data, misuse of software, and improper alteration or disclosure of information.
The availability principle involves monitoring network performance and availability, the use and availability of infrastructure redundancy, and security and incident response and recovery.
Processing Integrity involves information being used and processed properly. This includes authorization, timeliness, accuracy, and validation.
Processing integrity does not imply data integrity.
The confidentiality principle assures that company data is restricted to a specific organization or persons. This includes business plans, intellectual property, internal price lists and other types of sensitive financial information.
Our Approach
Our 4-Step Approach to IT Compliance
1. Compliance Audit
Our team conducts a series of interviews and a network audit to determine data access and usage.
2. Gap Analysis
A gap analysis identifies the missing pieces necessary to achieve compliance.
3. Remediation Plan
A remediation plan is put forth and executed with action steps towards compliance based on priority level.
4. Management
ITonDemand then monitors system usage and provides the service and support to maintain compliance.
Compliance In Action
Florida Manufacturing Firm
A small north Florida manufactures CNC close tolerance machined parts, custom components, and assemblies for the defense sector. Given the sensitive nature of the parts being manufactured, it was vital that communications and manufacturing specifications were secure while organizational infrastructure was put in place and maintained to NIST Compliance.
Contact Us For Support
Trusted By Organizations Across The Country
Need More From Your IT Services Provider?
ITonDemand is a division of eResources: your expert partner in digital transformation and growth, providing IT services, software development, marketing and branding. Learn more about the benefits of a vertically-integrated IT services partner.