What is SOC 2 and Why Does It Matter?

If your business handles sensitive client data, a SOC 2 certification could be crucial. This security framework ensures third-party service providers (like cloud providers, SaaS companies, and data centers) meet strict security and privacy standards.

Key takeaways:

SOC 2 is all about protecting client data

It focuses on security, availability, processing integrity, confidentiality, and privacy

Expect to invest in security controls, policies, and tools

Transcript:

Hello, my name is Earl Duby. I’m the CISO at Auxiom.

(0:37) What I wanted to talk to you about today was SOC. Typically, when we hear about SOC in terms of (0:45) security, we’re thinking about Security Operations Center. But what I want to talk to you today about (0:49) and what you’re interested in because you’re watching this video is the SOC 2 certification.

(0:56) So the SOC 2 certification stands for Service Organization Controls 2. And so this is a (1:05) security framework put out by the American Institute of Certified Public Accountants. (1:11) And the purpose behind this series of controls, mostly IT security controls, is to ensure that (1:19) third party service providers are storing and processing client data in a secure way. (1:24) So think about data centers or software as a service type providers or anybody that’s (1:31) a third party to a company and they’re handling the client data for that company.

(1:38) And why this is starting to become more prevalent and more people are talking about it and probably (1:43) why you’re curious about it is the fact that a lot of organizations that are covered by regulations (1:50) or they’re doing government contracts or they’re working for large (1:57) automotive manufacturers or large companies, they’re all worried about risk. All these large (2:03) companies, governments, they’re all worried about risk management, especially in their third (2:08) parties. And so you’re probably the third party of some large organization that wants to protect (2:15) its client data.

So they’re asking you what kind of controls you have in place to protect that data (2:22) and they’re probably asking you to show them a SOC 2 certification. So let’s dig into that SOC (2:28) 2 certification a little bit. So there are basically five criteria that the whole certification is (2:38) broken into.

So you have security, you have availability, processing integrity, confidentiality, (2:45) and privacy. So when you go for that certification, you have to say which one of those five criteria (2:53) you want to be certified against. And typically the main ones are security, confidentiality, (3:02) and maybe privacy depending on what kind of client you’re working with.

But you’re gonna (3:06) have to claim one of those things and then work towards meeting the control criteria for that. (3:12) The other thing you got to keep in mind is only a certified public accountant can actually give (3:20) you the certification. Because it’s developed by the AICPA, the American Institute of Certified (3:27) Public Accountants, they stipulate that only a CPA can endorse the certification.

Now you can go to (3:35) an MSP or a virtual CISO or somebody to help you get there. So what we call audit readiness. So we (3:42) help you with audit readiness, you know, anybody that has, you know, credibility and, you know, you (3:49) can go to our videos on the virtual CISO and understand what needs to go into that thought (3:54) process of hiring a consultant or an advisor to help you get audit ready.

But at the end of the (4:01) day, you’re going to have to hire a CPA firm to come in and do the actual audit. So just to talk (4:08) again about which types of companies need to have a SOC 2 or really should consider getting (4:13) a SOC 2, it’s cloud service providers. So anybody that’s hosting applications in the cloud, anyone (4:20) that’s hosting data in the cloud, software as a service providers, data centers, you know, even MSPs (4:27) should think about getting a SOC 2 certification.

And then financial and health care systems, (4:33) you know, storing data, especially if you have like a portal or an application that you’re having (4:39) your clients come through to store that data. You really need to think about getting a SOC 2 (4:45) certification. And then any other organization that’s handling sensitive data.

(4:54) And then, you know, just in terms of thinking about what that process looks like. So, you know, once (5:00) you get a request from one of your customers that says, hey, show us your SOC 2 certification, (5:07) if you don’t have one, you know, a series of events are going to follow. You’re going to need (5:11) to either find someone internally that can head up that project of getting you SOC 2 certified, (5:18) or you can reach out to an MSP or a consulting company or an advisory company that will come in (5:24) and help you get ready for that audit.

Now, the CPA firm that does the audit for you can’t help you (5:32) get certified. You can only do one or the other. You can either help get you audit ready, or you (5:39) can do the certification assessment, but you can’t do both.

So, just keep that in mind. You’re going (5:44) to probably be paying two separate groups. One to get you audit ready, and the other one to actually (5:51) perform the audit.

Once you get someone trusted and, you know, capable to help you get audit ready, (6:00) you know, things you’re going to have to put in place to get SOC 2 certified are, (6:04) you know, endpoint protection, vulnerability management, network visibility, or a SIEM. (6:12) You’re going to have to have an incident response plan. You’re going to have to have a disaster (6:16) recovery plan.

So, all of those basic security controls that you would need for pretty much any (6:22) other certification, you’re going to need it for a SOC 2 certification. So, just keep in mind that (6:30) there’s the cost of the audit. There’s the cost of the project to get you audit ready, and then (6:37) depending on what kind of gaps you have in your security posture, you’re going to have to buy the (6:42) tools and, you know, have people that are going to run the tools for you.

So, someone’s got to do (6:48) vulnerability management for you. Someone’s got to do the endpoint protection and incident response (6:54) for you. So, just keep all that in mind is that, you know, it’s a very good certification.

I think it (7:03) will definitely help your security posture out, but you’re going to have to spend some money to do that. (7:08) So, that’s kind of the SOC 2 in a nutshell. If you need any help with that, let us know.

You know, (7:16) our contact information is right here, and we’re definitely available, you know, just give us a call (7:22) if you have any questions, and we can help you get through that. So, looking forward to talking to (7:30) you on a few other topics that we have. In the meantime, it’s a tough world out there.

Stay safe. (7:37) Talk to you later. Thanks.