There are many criteria IT leaders consider when assessing their security providers: cost, capabilities, referrals, the specific vectors they cover, and so on. But one factor sits above all the others: trust. How can you take any of the other criteria at face value if you can’t trust your (potential) provider?
To demonstrate trustworthiness, vendors often seek out external validation from accredited auditors. If you are considering a security provider, it may behoove you to ask them for evidence of such validation. The one we’ll discuss today is SOC 2, an audit conducted by an accredited auditor to verify the secure handling of sensitive data.
Not all SOC 2 audits are created equal. In this blog post, we provide questions to ascertain the extent of a provider’s commitment to the principles of SOC 2, in an effort to help you select a provider that you can trust.
What is SOC 2?
SOC 2 is a Service Organization Controls (SOC) report.
SOC 2 reports address a service organization's controls that are relevant to their operations and compliance to ensure security. SOC 2 also addresses data privacy rules around custodianship, more deeply than privacy regulations like GDPR or CCPA.
SOC 2 reports are provided to a service organization after a thorough audit carried out by a reputable third party according to the AICPA audit guidelines. These audits look for compliance with five trust services principles: security, availability, processing integrity, confidentiality, and privacy.
Why look for a security provider with SOC 2?
Handling sensitive information securely is a crucial element of cybersecurity. That’s why SOC 2 compliance focuses on those five trust services principles: security is no good if the service isn’t available all the time, and it’s no good if you can’t trust your provider.
So, finding a security provider with SOC 2 compliance is important, but be careful: they’re not all created equal. Each SOC 2 report is unique to an individual organization, so it’s critical to understand what’s in it, not just take it at face value or assume it’s a blanket credential. You’ll need a SOC auditor or CPA to dive into the details.
And what’s the best way to understand how your prospective vendor achieved SOC 2 compliance? Ask your vendor the following simple questions to better understand their journey with SOC 2.
What data are they collecting and how?
All organizations capture, store, and secure data, but what they’re collecting, and how they do it, differentiates them.
For IT leaders, understanding the collection processes vendors use to gather the information, and how it is transmitted between parties, can illuminate both how well it is secured and more about the actual product or service you’re engaging.
Understanding whether they’re collecting sensitive information, non-sensitive information, or metadata can help you know how much rigor is required. Sensitive information could include PII, proprietary data, financial records, or anything else that could be damaging if it got into the wrong hands.
Where is your data stored?
Many vendors will simply hang their hat on the fact that they use cloud services from one of the main three cloud service providers (CSPs) to host data, entrusting their data security to the provider. Chances are that the security afforded by providers like AWS, Google, and Microsoft is indeed superior to that of on-prem data centers. While that is a good start, it’s important to interpret whatever answer they give in the context of the first question, and to understand what other credentials the provider has in place.
Does the data live in my country (data residency)?
There is a lot of debate about where data must reside. The USMCA further altered the discussion in 2020, enabling a freer transfer of data without removing the ability to create data location rules around ePII itself, which not all services collect from endpoints.
Ask whether the cloud storing your data is in your country, and whether it’s in the country where your vendor’s Data Science team is located. It’s far safer to store data where it’s processed than to move it around for processing.
How is your data being secured?
The primary objective of SOC 2 is information and system security. Some vendors will check off the SOC 2 boxes and claim they are secure. But are they really?
Does your vendor provide intrusion protection? Firewalls? What about encryption and multi-factor authentication? Or do they just rely on simpler two-factor authentication?
Look for vendors who enact privileged access management and offer robust security awareness training. You want a partner who will continuously monitor your network for signs of unauthorized access, unauthorized disclosure of information, breach attempts, or any activity that could cause damage to systems or compromise the availability, integrity, confidentiality, and privacy of information on your systems.
What tools does the vendor use to process data?
Having trust in your vendor’s systems and people is critical, and more than ever that means ensuring your IT supply chain is secure.
The average enterprise software today contains hundreds of different third-party code dependencies. That’s a lot of potential risk. So, a significant part of IT supply chain security is keeping tabs on how much risk your vendors introduce into your environment.
Look for vendors that buy mature tools, not open source, or who build their own. Your vendor’s systems should include a high degree of redundancy and disaster recovery planning, to ensure that data and systems are available when they’re needed.
And for a complete overview of how you can keep an eye on your level of risk, download our white paper, 6 Steps to Secure Your IT Supply Chain, here.
What change management programs and processes does the vendor have in place?
ActZero has a formal change management process in place, which requires: identification and recording of significant changes; assessment of risk, including employee and user entity notifications and the potential effect of such changes; approval of proposed changes; and testing of changes to verify operational functionality.
Changes to infrastructure and software are developed and tested in a separate development or test environment before implementation, helping to mitigate any security risks.
How ActZero can help
While SOC 2 isn’t a requirement for everyone, what it says about a company’s services and culture can be critical when selecting a provider.
SOC 2 compliance is indicative of rigorous handling of personal and other sensitive information, and says “Your security matters to us”. This post has offered ways to validate that when seeking out a security provider.
For more information on conducting a SOC 2 Type 1 project for yourself, check out our fireside chat with Jerry Heinz, our VP of Engineering, who underwent this process and shares his insights. Or, to explore what this means in practice at ActZero, check out our CXO Insight piece.