Understanding Availability Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability. Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why organizations should be designing and implementing environmental protections.

Designing and Implementing Environmental Protections for SOC 2 Compliance

Whether natural or man-made, disasters hit when we’re least expecting them. That’s why organizations need to account for environmental disasters when implementing internal controls over the availability of their system. Is your organization, or a vendor of your organization, located in an area where it could be impacted by environmental disasters like fires, floods, hurricanes, tornadoes, power outages, or storms? Almost all organizations are, and if environmental protections are not designed and implemented properly, businesses could face severe consequences.

As part of complying with this criterion during a SOC 2 audit, an auditor will expect to find that an organization is designing and implementing environmental protections. They’ll assess an organization’s compliance with availability criteria 1.2 by considering these points of focus:

  • Does the entity identify environmental threats?
  • Does the entity design detection measures?
  • Does the entity implement and maintain environmental protection mechanisms?
  • Does the entity implement alerts to analyze anomalies?
  • Does the entity respond to environmental threat events?
  • Does the entity communicate and review detected environmental threat events?
  • Does the entity determine data requiring backup?
  • Does the entity perform data backup?
  • Does the entity address offsite storage?
  • Does the entity implement alternate processing infrastructure?


SOC 2 availability criteria 1.2 is about environmental protections. Do you know what environmental threats affect your organization? Fires, floods, power outages, storms – there are various types of events that could occur that could take your business down, so you need to consider the type of controls that you put into place. Again, a lot of people really miss out on this one because they say, “Well, our systems are at a data center” or “Our systems are in the cloud, so we don’t need to be concerned about that because we won’t be affected by these environmental events.” But what if some of the critical business functions within your organization were affected by that? We had a situation one year where a client had customer service representatives, and a hurricane affected their environment to the point where they did not have power for over a week in their office. It didn’t matter that their systems were in the cloud, because the employees who provided customer service were not available to perform their tasks and answer their phones for their clients. These are the kinds of scenarios that you would want to think through: how could environmental issues potentially take your business down? You want to put things into place to help you continue operations through those types of environmental disasters. Certainly systems and technology, raised floors and generators, fire alarms, smoke detectors, sprinkler systems – all of these kinds of things are musts to protect your people, processes, and systems, but you also have to think about the people that you have in your organization who would need to be able to get to work and do their work to carry out your mission as an organization.

Understanding Availability Criteria 1.1

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they need to comply with the additional criteria for availability. Availability criteria 1.1 says, “The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why preparing for current and future availability needs is important.

The Importance of Preparing for Current and Future Availability Needs

In the simplest terms, the availability category for SOC 2 compliance asks organizations whether their system is available for operation and use as agreed upon. For organizations that need to include availability in their SOC 2 audits, such as cloud service providers or storage facilities, preparing for current and future availability needs is a necessity. For example, if a data center doesn’t maintain, monitor, or evaluate the current processing capacity of their system, they might have an outage that would make their systems unavailable, which would greatly impact their customers’ business continuity. Because of this, when an auditor assesses an organization’s compliance with availability criteria 1.1, they’ll use the following points of focus as a guide:

  • Does the entity measure the current usage to establish a baseline for capacity management?
  • Does the entity forecast the expected average and peak use of their system components?
  • Does the entity make changes to their system based on the forecasts?


The SOC 2 Trust Services Criteria provides additional criteria for the individual categories, beyond the common criteria that apply to all five categories. We’re going to start now with availability criteria 1.1. The availability category relates to how your organization meets its commitments to be available in the service that it’s providing to your customers. Availability criteria 1.1 says that the entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. This means that you are aware of your current capacity and you answer the question, “Are you meeting the current demand? Is your system doing today what it should be doing for the users of your system?” Are you also making forecasts? Are you able to look into the future and say, “A year, 3 years, or 5 years from now, we’re going to need to meet X demand or capacity, and where are we on that scale?” To use a very basic example: storage space. You are storing data for your clients through the application that you’re hosting, and they’re uploading information into it. You’re very familiar with the rate at which that storage is growing, you’re forecasting that, and you’re acquiring the systems and the upgrades that are necessary to meet the demand so that you don’t fall down and have to have an outage for a period of time while you’re upgrading the system. Your auditor will ask you questions about how you plan for future capacity, so think about those examples and how you can accomplish that within your organization.

Common Criteria 9.2

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.2 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s discuss the difference between identifying your vendor as carve-out or inclusive and why it matters during a SOC 2 audit.

Should You Identify Your Vendor as Carve-Out or Inclusive?

Third-party vendors often play critical roles in helping businesses perform their day-to-day operations, but they can also pose major risks to organizations’ security postures. When pursuing SOC 2 compliance, it’s important that third-party vendors not be an afterthought. Why? Because service organizations have a responsibility to keep their customers’ data secure, and if they’re not performing their due diligence to ensure that the third parties they use are also doing their part to keep that data safe, there could be serious financial, reputational, and operational consequences.

During a SOC 2 audit, organizations will be faced with identifying their vendors as either carve-out or inclusive. If an organization wants to show that they are dedicated to performing their due diligence of verifying that the third parties they use are secure, then identifying that vendor as inclusive would be the best option. By identifying a vendor as inclusive, an organization can have their audit firm perform an assessment of the vendor’s internal controls. On the other hand, some organizations might opt to identify their vendors as carve-out. This could mean one of two things. First, it could mean that the third-party vendor has already undergone an independent attestation and can provide an audit report over their internal controls for review. Second, it could mean that the organization does not want to validate the third party’s internal controls or doesn’t verify that the vendor does what they say they’re going to do.

How to Comply with Common Criteria 9.2

Identifying your vendor as carve-out or inclusive is only a small factor in complying with common criteria 9.2. During a SOC 2 audit, an auditor will use the following points of focus to determine an organization’s compliance with common criteria 9.2:

  • Does the entity establish requirements for vendor and business partner engagements?
  • Does the entity assess vendor and business partner risks?
  • Does the entity assign responsibility and accountability for managing vendors and business partners?
  • Does the entity establish communication protocols for vendors and business partners?
  • Does the entity establish exception handling procedures from vendors and business partners?
  • Does the entity assess vendor and business partner performance?
  • Does the entity implement procedures for addressing issues identified during vendor and business partner assessments?
  • Does the entity implement procedures for terminating vendor and business partner relationships?


Let’s say that you’re using a third-party service provider to perform a very critical task for you. Let’s say that it is an application development firm, or it is a managed IT provider, or it is outsourced human resources. There’s any number of services that you can get from a third party that are very critical to the achievement of your compliance and information security objectives. This is where these types of things can affect common criteria 9.2. So, try not to have the attitude that your vendors are just vendors, or think that they don’t have any access to critical data. We hear that a lot, especially when it relates to a data center provider, IT provider, or an application developer. We hear things like, “They’re just an application developer. They don’t have access to the production database where all of the sensitive data is.” That specific thing might be true, but what if the development company doesn’t follow best practices and secure coding standards, and they introduce code into your environment that introduces a vulnerability into the environment that has access to the secure database where you have your sensitive data? You would care about that control failing, even though it really was under the jurisdiction and control of the third-party service provider. You need to be more inclusive in your third-party relationships in your audit arrangement with us. I know sometimes our clients are afraid of the fees, time, and trouble of sending us to Europe or Asia to visit someone who is doing coding for them, but it’s a big risk and issue these days. What are they doing at the location where they control these critical tasks for you? There are two ways to handle this third-party relationship during your SOC 2 engagement: you can identify your vendor as carve-out or inclusive. You can carve out a third-party service provider. You can say that the audit firm is not issuing an opinion on this third party. The audit firm is not testing any of the controls at the third party. That’s an appropriate way to handle it. The implication is that once you hand that report to your client, the client will ask how you validate the controls of that third party. The answer might be that you don’t, because you didn’t send your auditor to do it and you’re not doing it yourself, and so you don’t have any proof that they’re doing what they say they’re doing. The other method of handling it is the inclusive method. That’s where the third-party service provider also provides an assertion, just like management of your organization does. They’re asserting certain things about their controls and their environment, and they are being tested just like you are in your engagement, and we, as your auditor, can perform that testing. A third option in the carve-out method could be if the third party has an audit report that’s been executed by their independent auditor, so when you hand in your report that says it’s carved out, and your client asks you how you validate the third parties, you can say that you do it by reviewing the results of their audit engagement. One way or the other, you need to be responsible for these third parties, making sure that you understand what they’re doing, how they’re doing it, and that you address that particular risk by making sure that the controls are operating effectively and that you’re satisfied with how they’re operating for you and your business objectives.

Common Criteria 9.2

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.2 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s take a look at key ways organizations can manage vendor risk.

Managing Vendor Risk for SOC 2 Compliance

It’s rare in today’s society that organizations operate without utilizing third-party vendors to carry out some part of their business functions. From payroll processors to electricians, managing vendor risk is paramount to ensuring that a service organization is secure. Think of it like this: what would be the impact if a third-party vendor was hit by a natural disaster and couldn’t fulfill a critical function of an organization’s business? What if a third-party vendor hosted all of an organization’s sensitive data and was later breached? It’s happened before, and it will happen again. This is why, during a SOC 2 audit, an auditor will validate that organizations comply with common criteria 9.2 by using the following points of focus as a guide to ensure that organizations are managing vendor risk:

  • Does the entity establish requirements for vendor and business partner engagements?
  • Does the entity assess vendor and business partner risks?
  • Does the entity assign responsibility and accountability for managing vendors and business partners?
  • Does the entity establish communication protocols for vendors and business partners?
  • Does the entity establish exception handling procedures from vendors and business partners?
  • Does the entity assess vendor and business partner performance?
  • Does the entity implement procedures for addressing issues identified during vendor and business partner assessments?
  • Does the entity implement procedures for terminating vendor and business partner relationships?


Common criteria 9.2 for the 2017 SOC 2 Trust Services Criteria has to do with assessing and managing risks with vendors and business partners. This world has completely changed in the last three years in relation to the third parties we do business with. Gone are the days where we simply have a written agreement with our client or we have an NDA signed, and that’s really the extent of our knowledge of what the vendor does or how they operate. So many compliance standards, like SOC 2, have changed to specifically address how organizations should deal with risk from third-party vendors or business partners. What are the things that could happen on their side that could impact us? We need to take ownership of those risks, because they’re our risks. If the third party has some type of threat that’s realized in their environment, it’s going to impact you, so you need to account for it. You can’t abdicate responsibility and leave the responsibility solely in the third-party vendor’s hands. Moving beyond the written agreements with clients involves truly understanding what the third-party vendor does for you and what risks the relationship poses. Once you understand what they do and how they could impact your organization, you can design a way to manage that risk. For example, you might request a specific report from third parties before engaging with them, you might want to be notified if the organization experiences turnover, or you might even decide to do site visits to verify the controls they have in place or send an auditor to assess their controls. You’re really trying to think more specifically; you don’t want to apply one way of managing vendors for all vendors, because every environment is different. You really need to get to a place where you can do an assessment of what they’re doing for you and how they’re doing it, so that the controls you’ve put into place are relevant to the information that you’re asking them to provide to you.

Common Criteria 9.1

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.1 says, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” How can organizations be sure that they’re complying with this criterion? Let’s discuss why organizations need to mitigate risks that lead to business disruptions.

How to Comply with Common Criteria 9.1

It’s inevitable that businesses will encounter some type of security incident. Whether it’s a big or small incident, organizations that mitigate risks that lead to business disruptions will be better prepared. That’s where common criteria 9.1 comes into play. Service organizations committed to delivering secure services will need to demonstrate to their auditor during a SOC 2 audit that they mitigate risks that lead to business disruptions. How can they do that? We suggest two ways: creating a business continuity plan and purchasing insurance.

It’s critical that organizations have a business continuity plan in place in the event of a natural or man-made disaster. What would happen if a power outage, tornado, or data breach hit your organization and you didn’t have a plan in place? How would your organization function in the event of a disaster? Disasters hit when organizations are least expecting them, so establishing and practicing a disaster recovery plan will help organizations comply with common criteria 9.1.

Likewise, purchasing insurance should be a key consideration. If disaster strikes, what would be the financial impact to your business? An organization might have vendors, clients, employees, and other personnel that would be impacted. By purchasing insurance, organizations can be better prepared for when, not if, disaster hits and can effectively mitigate risks that lead to business disruptions.


SOC 2 Trust Services Criteria common criteria 9.1 is about risk mitigation. It says that the entity considers the types of mitigation activities that need to be put into place to recover from business disruptions. This type of disruption could happen from a security event or some type of disaster or natural event that occurs, but it’s important to identify what potential business disruptions could occur within your organization that could keep you from meeting your objectives. If you are a print services provider and can’t output any media because of an event that occurred, that’s obviously a big impact to an organization like that. If you are hosting an application that people rely on and must get access to, and your application is down because of a denial-of-service attack, and no one can get to your application to use it the way you said they should be able to, that’s obviously a major business disruption. If you provide managed services to your clients and you’re not able to access your system because you’ve gone through a ransomware attack and your employees can’t get to the database or access the resources needed to work, that’s a major business disruption. To comply with common criteria 9.1, you want to think about alternative capabilities in order to recover from those business disruptions. What are the other ways that you can put things into place? This really stems from a good business continuity plan. It’s really about continuity. This has been affected and we’re now operating in a less-than-desirable state, so how do we continue operations during this less-than-desirable situation that we’re in until we can fully recover from it? Identifying potential disruptions and the impact they would have on you is a way to prioritize the types of mitigation activities you put into place. Insurance is also something to consider. When you think about being down and unable to generate revenue, you’re going to have a huge financial risk, and insurance is a way to mitigate the financial impact of the disruption to your organization. Talk to your auditor. Be sure to check with us for advice, tips, and examples that would apply to your environment to help with any potential business disruptions that you might face.