SOC 2 (System and Organization Controls 2, originally Service Organization Control 2) was developed by the American Institute of Certified Public Accountants (AICPA) for service providers that store or process customer data. Strictly speaking it is an attestation report rather than a certification: to obtain one, a service organization goes through an independent, third-party audit of its internal controls “on the services provided … and address the risks associated with an outsourced service.” The auditor reports on the organization’s controls against the five “Trust Services Criteria” (TSC) categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security (the “Common Criteria”) is in scope for every SOC 2 report; the other four categories are included according to the services the organization provides. Team leads and business unit managers can then use the report “to evaluate the suitability of design and operating effectiveness of controls.”
A SOC 1 report covers the controls that matter for a customer’s financial reporting. A SOC 2 report covers the controls that matter for the security of customer data, and providers storing that data are now, rightly, expected to meet it in order to minimize risk and exposure. That means practically any Software as a Service (SaaS), Platform as a Service (PaaS) or cloud computing organization should be able to achieve and uphold SOC 2 compliance.
But what does that mean to you? A SOC 2 report provides peace of mind when hiring a service provider, and it is something you should come to expect. It’s the proof of the pudding as to how a company operates and the backbone of how it’s run; it provides a high level of assurance because a trusted third party meticulously validates it. In 2019, the ZeroFox team achieved SOC 1, which usually takes a year or more. We accomplished this in just seven months. Our SOC 2 Type II report was awarded in May 2021, and we couldn’t be prouder of all team members involved in such a large undertaking. Let’s take a closer look at this accomplishment, break down the areas assessed, and see how this feat translates to our customers, partners, employees and more.
Critical Areas for SOC 2 Certification
The SOC 2 Type II audit could be summarized as a technical audit, but it goes much deeper than that. It takes into consideration several vital areas based on policies, communications, procedures and monitoring. Every TSC category in scope for the report must be met to complete the audit successfully.
Confidentiality covers data that should be restricted and protected appropriately. Privacy takes a close look at personal information that’s “collected, used, retained, disclosed and disposed of to meet the entity’s objectives.” Security requires that data and systems be protected against unauthorized access and disclosure as well as “damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems.” Information and systems are also assessed for availability (that they are available for operation and use as committed), while processing integrity requires that system processing is “complete, valid, accurate, timely and authorized.” When researching compliance in these areas, you will see a lot of references to “controls.” These are simply the policies, processes or procedures put in place to ensure your team achieves what it set out to do without pitfalls or “unwanted accidents,” and each one is something the auditor can test for evidence.
It is also important to note that ZeroFox achieved Type II specifically. There are two types of report. A Type I report attests that controls are suitably designed and in place at a single point in time; it is preliminary in that it does not show whether the controls actually worked. A Type II report, which is what ZeroFox obtained, attests that the audited controls were in place and operated effectively over a review period (typically six to twelve months). Your service provider should not only be able to tout their achievements here but also prove they are lasting.
Putting Compliance into Practice
This may sound like a lot of process improvement word salad, but putting compliance into everyday practice is where it all falls into place. As much as these may feel like layers of audit jargon, they shouldn’t be dismissed, and they are essential to understand when selecting a service provider. This is a very detailed examination, and it is beyond valuable when assessing an organization’s security posture. Furthermore, because a Type II audit tests whether controls actually operated rather than whether they were merely documented, SOC 2 checks that a company’s security measures hold up in day-to-day operation.
When a company works with a third party that has been granted access to sensitive data or systems, there is without a doubt a certain level of risk involved. The sensitivity of the data and the breadth of the access granted directly determine the level of risk to the organization. Even a minor data breach can become a severe issue for a company of any size, so internal control policies and systems must be adequate to the access that has been granted.
When put into practice, several areas related to security are critical for SOC 2 compliance. Our own ZeroFox Platform fits into the equation nicely, since the capabilities it provides mirror several of these requirements.
Detect and Optimize
Achieving SOC 2 compliance means you have established processes and practices with the required levels of oversight across the board. There should be a process to monitor questionable activity, including events such as unauthorized system configuration changes or changes to user access levels. Continuous security monitoring practices should be in place to quickly detect possible external and internal threats. A provider’s Type II report gives you evidence that this monitoring was a constant baseline throughout the audit period, not a one-off exercise.
Analyze and Disrupt
In today’s digitally connected world, with a constantly evolving threat landscape, security incidents are inevitable. It is equally important that organizations can confirm alerting procedures are in place so they can act and mitigate in time. However, alerting on everything quickly equates to a lot of data and overwhelmed teams. To strike a balance, alerting should be tied to accurate risk assessments that pinpoint unusual activity as defined for your unique environment. In practice, SOC 2 auditors will look for alerts triggered by activity resulting in unauthorized (1) exposure or modification of data or configurations, (2) data transfer and (3) account or access changes, together with evidence that those alerts were reviewed and acted on.
Decisions can only be as targeted as the intelligence you base them on. Actionable data, or actionable threat intelligence, is required to make informed decisions that are timely and relevant. Targeted alerting and remediation depend on digital threat intelligence that provides context and correlation, so that you truly understand the risks at hand rather than drowning in raw events.
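As an added illustration of the three alert categories above, and of the context and correlation the previous paragraph calls for, here is a small rule-based control monitor written for this post. It is example code, not ZeroFox Platform code. It reads a constructed audit log, maps each event onto one of the three categories, and alerts only when a modification or access change is not tied to an approved change record, or when a bulk data transfer leaves the internal environment. The event schema, the change-management register, the internal destination suffix and the size threshold are all assumptions made for the example.

```python
"""Rule-based control monitoring over a constructed audit log (added example).

Assumed inputs: JSON-lines audit events with an "action" field, a change
register of approved change IDs, an internal-destination suffix and a byte
threshold for external transfers. None of this is ZeroFox's own schema.
"""
from dataclasses import dataclass
import json

# Constructed sample audit log (JSON lines); not real telemetry.
SAMPLE_LOG = """
{"ts":"2021-05-03T09:12:01Z","actor":"alice","action":"config.update","target":"prod-lb/tls_policy","change_id":"CHG-1041"}
{"ts":"2021-05-03T09:20:44Z","actor":"bob","action":"config.update","target":"prod-db/public_access","change_id":null}
{"ts":"2021-05-03T10:05:10Z","actor":"svc-backup","action":"data.export","target":"customer-bucket","bytes":734003200,"dest":"backup.internal.example"}
{"ts":"2021-05-03T10:07:55Z","actor":"carol","action":"data.export","target":"customer-bucket","bytes":52428800,"dest":"files.example.org"}
{"ts":"2021-05-03T10:09:30Z","actor":"frank","action":"data.export","target":"docs-bucket","bytes":1048576,"dest":"files.example.org"}
{"ts":"2021-05-03T11:30:00Z","actor":"dave","action":"iam.role_attach","target":"user/eve","role":"admin","change_id":"CHG-1042"}
{"ts":"2021-05-03T11:31:12Z","actor":"dave","action":"iam.role_attach","target":"user/mallory","role":"admin","change_id":"CHG-9999"}
{"ts":"2021-05-03T12:00:00Z","actor":"alice","action":"auth.login","target":"console"}
"""

# Assumed change-management register: only these change IDs are approved.
APPROVED_CHANGES = frozenset({"CHG-1041", "CHG-1042"})
# Assumed suffix identifying destinations inside the environment.
INTERNAL_DEST_SUFFIX = ".internal.example"
# Assumed threshold: external transfers below this size are tolerated to limit noise.
EXTERNAL_BYTES_LIMIT = 10 * 1024 * 1024

# The three alert categories from the text, keyed by audit action.
CATEGORY_BY_ACTION = {
    "config.update": "config_or_data_modification",
    "data.export": "data_transfer",
    "iam.role_attach": "account_or_access_change",
    "user.create": "account_or_access_change",
}


@dataclass(frozen=True)
class Alert:
    category: str
    actor: str
    target: str
    reason: str


def classify(event):
    """Return the alert category for an event, or None if it is out of scope."""
    return CATEGORY_BY_ACTION.get(event.get("action"))


def evaluate(event, approved_changes):
    """Return a reason string if the event should alert, otherwise None.

    Modifications and access changes alert unless they cite an approved change
    ID (merely having a ticket number is not enough). Transfers alert when they
    leave the internal environment and exceed the size threshold.
    """
    category = classify(event)
    if category is None:
        return None
    if category == "data_transfer":
        dest = str(event.get("dest", ""))
        size = int(event.get("bytes", 0))
        if dest.endswith(INTERNAL_DEST_SUFFIX) or size < EXTERNAL_BYTES_LIMIT:
            return None
        return f"{size} bytes sent to external destination {dest}"
    change_id = event.get("change_id")
    if change_id in approved_changes:
        return None
    return f"no approved change record (change_id={change_id!r})"


def detect(log_text, approved_changes=APPROVED_CHANGES):
    """Run the rules over a JSON-lines log and return alerts in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reason = evaluate(event, approved_changes)
        if reason is not None:
            alerts.append(Alert(classify(event), event["actor"], event["target"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.category}] {alert.actor} on {alert.target}: {alert.reason}")
```

Run against the constructed log, the monitor raises exactly three alerts: bob’s configuration change with no change record, carol’s 50 MiB export to an external host, and dave’s second role grant, which cites a change ID the register never approved. alice’s change, the backup export to an internal host, frank’s small external transfer, and the console login are all suppressed. The correlation against the change register is what turns raw events into something an auditor, or an on-call analyst, can act on.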
SOC 2 and You
SOC 2 compliance is becoming a necessity for a wide range of organizations. It isn’t just an exercise aimed at ticking all the compliance boxes. SOC 2 is genuinely about putting well-defined policies, procedures and practices into place. This equates to a trusted relationship with customers, partners and end-users regarding the security of operations as a whole. As stated earlier, this is no small feat compared to point-in-time assessments, where all that’s required is a passing grade on the day of the test. SOC 2 Type II requires longstanding, continuous internal practices, evidenced over the whole review period, that bolster the security and lasting success of your business.
Every department involved at ZeroFox stayed committed despite unusual hurdles posed by the pandemic as well as a concurrent acquisition. Our team implemented a series of controls to ensure compliance with internal policies and best practices company-wide across all business areas. This wasn’t a one-and-done deal. It certainly did not happen overnight, and compliance must be lasting. ZeroFox will consistently meet annual audit requirements to ensure our controls continue to operate effectively. This certification is a genuine accomplishment from all teams involved and shows overall company commitment to ensuring that internal processes and controls are seamless and secure.