SOC 2 Academy: Designing and Implementing Environmental Protections

by Joseph Kirkpatrick / March 22nd, 2019

Understanding Availability Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability. Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s find out why organizations should be designing and implementing environmental protections.

Designing and Implementing Environmental Protections for SOC 2 Compliance

Whether natural or man-made, disasters hit when we’re least expecting them. That’s why organizations need to account for environmental disasters when implementing internal controls over the availability of their system. Is your organization or a vendor of your organization located in an area where it could be impacted by environmental disasters like fires, floods, hurricanes, tornadoes, power outages, or storms? Almost all organizations are, and if environmental protections are not designed and implemented properly, businesses could face severe consequences.

As part of complying with this criterion during a SOC 2 audit, an auditor will expect to find that an organization is designing and implementing environmental protections. They’ll assess an organization’s compliance with availability criteria 1.2 by considering these points of focus:

  • Does the entity identify environmental threats?
  • Does the entity design detection measures?
  • Does the entity implement and maintain environmental protection mechanisms?
  • Does the entity implement alerts to analyze anomalies?
  • Does the entity respond to environmental threat events?
  • Does the entity communicate and review detected environmental threat events?
  • Does the entity determine data requiring backup?
  • Does the entity perform data backup?
  • Does the entity address offsite storage?
  • Does the entity implement alternate processing infrastructure?

SOC 2 availability criteria 1.2 is about environmental protections. Do you know what environmental threats affect your organization? Fires, floods, power outages, storms – there are various types of events that could occur that could take your business down, so you need to consider the type of controls that you put into place.

Again, a lot of people really miss out on this one because they say, “Well, our systems are at a data center” or “Our systems are in the cloud, so we don’t need to be concerned about that because we won’t be affected by these environmental events.” But what if some of the critical business functions within your organization were affected by that? We had a situation one year where a client had customer service representatives, and a hurricane affected their environment to the point where they did not have power for over a week in their office. It didn’t matter that their systems were in the cloud, because the employees who provided customer service were not available to perform their tasks and answer their phones for their clients.

These are the kinds of scenarios that you would want to think through about how environmental issues could potentially take your business down. You want to put things into place to help you continue operations through those types of environmental disasters. Certainly systems and technology, raised floors and generators, fire alarms, smoke detectors, sprinkler systems – all of these kinds of things are musts to protect your people, processes, and systems, but you also have to think about the people that you have in your organization that would need to be able to get to work and would need to be able to do their work to carry out your mission as an organization.