History of the SOC 2 Trust Services Principles
The Service Organization Control 2 (SOC 2) Report focuses on the non-financial controls at an organization as they relate to security, availability, processing integrity, confidentiality, and privacy. These five areas are also known as the Trust Services Principles (TSPs). In 2014, the SOC 2 Trust Services Principles were updated, and one of the major changes was to the SOC 2 Security Principle. This change introduced the Common Criteria and eliminated much of the overlap between the TSPs. Before the update, many SOC 2 reports repeated the same controls over and over in order to address the overlapping requirements of the individual principles. Since the 2014 update, the Common Criteria apply to every SOC 2 audit report.
What is the SOC 2 Security Principle?
The SOC 2 Security Principle is a must, and should be included in any non-privacy SOC 2 engagement. The Security Principle now consists of the Common Criteria, which are common to all TSPs within the audit report, and covers the following seven categories:
- Organization and Management: How is your company structured? How do you oversee the services your organization performs?
- Communication: How do you communicate to your internal and external users about how your system works? How do you communicate policies, procedures, and expectations to authorized users and other parties?
- Risk Assessment and Risk Management: How are you implementing controls to manage known risks? How do you select the controls that are put in place to meet the criteria? A risk assessment must be performed to determine which controls are necessary to address the risks your organization faces.
- Monitoring: Monitoring is a follow up to risk management. Once you’ve put a control in place, how are you monitoring it to know that it is operating effectively and appropriately addressing the risk? Do any changes or remediations need to be made?
- Physical and Logical Access: How do you control access to sensitive data and systems within your organization? You should be implementing physical controls, such as a card reader or a lock and key on the door to any area that contains sensitive information. You should also be implementing logical controls, such as passwords or other requirements for identifying a user before they are authorized to access a system.
- System Operations: This criterion covers how your organization manages its day-to-day processes and procedures, including what you do on a daily, weekly, and monthly basis to deliver your services.
- Change Management: Lastly, when you have to make changes to your system or services, how are these changes being documented? How are you testing those changes and addressing any new risks that may be associated with these changes? How are they approved prior to making the change in your environment?
These common criteria should be reviewed by all organizations before being audited against the SOC 2 security principle and must be in place for your auditor to review. For more information on preparing for your SOC 2 audit or help with meeting these common criteria, contact us today.
In 2014, the SOC 2 Trust Services Principles were updated and one of the major modifications is the Security Principle, which is really referred to now as having the common criteria for all of the Trust Services Principles within the SOC 2 Audit Report. What that means is that everything was condensed, all of the redundancies were taken out of the process, so that we could focus on this common criteria that applies to any of the Principles, so that a Service Organization would not have to repeat themselves over and over again throughout the report. The Security Principle is a “must” to have in your SOC 2 Audit Report because of that common criteria. It has to be included in a non-Privacy Principle SOC 2 audit engagement.
There are 7 categories within the Security Principle. There is Organization and Management – how is your company structured? How do you oversee the services that you perform? Communication – how do you communicate to internal and external users about how your system works? How do you communicate about policies and procedures and expectations? Risk Assessment and Management of Risk through the implementation of controls – how does your organization select the controls that you put in place to meet the criteria? It has to be done through some type of Risk Assessment in order to determine what kind of controls are necessary to address the risk that you are dealing with. The thing that follows up to that is the Monitoring of Controls – once you put a control in place, how do you monitor it to make sure that it’s effective and that you don’t need any changes or remediation if the control becomes ineffective? That’s done through Monitoring. There’s also Logical Access and Physical Access to sensitive information and systems – how do you control access like entering from a door into a sensitive area that may be controlled by some type of a card reader or lock and key? And also Logical Access – are there passwords? Are there requirements for identifying the user before they access the system? And then also, we’ve got System Operations, which has to do with your day-to-day processing – what are your procedures? What do you do on a daily, weekly, and monthly schedule in the execution of your services? And lastly, we’ll be looking at Change Management, which is when you have to make changes to your system or your service that you’re providing, how do you document those changes? How do you test them? How do you evaluate the risk? How do you prove them in order to make sure that those changes are well-documented and approved prior to making the change in the environment?
So these are some areas to think about as you prepare to be audited against the Security Principle, because that criteria will be very important to have in place for your auditor to review.