One SOC, Two SOC: Confirm your vendor is adhering to organizational security policies
RedCAT Systems | May, 2025
Read time: 3 minutes
A key differentiating factor when looking for a software partner is whether they have achieved Service Organization Controls (SOC) compliance. Conveniently, our team is one that is committed to achieving this status through the American Institute of Certified Public Accountants (AICPA). There are multiple levels to this compliance. At its core, SOC compliance indicates that a third-party audit has confirmed we have adequate information security policies and controls in place. It also confirms that we are adhering to them throughout our partnership.
How SOC originated
SOC was created as part of the Statement on Auditing Standards (SAS). Throughout the 1990s it “became a way to report on how companies treated information security in general,” according to Secureframe’s The History of SOC 2.
As companies started to outsource work to technology and software firms, there was a growing need for AICPA to revamp its standards and issue three reports:
- SOC 1 for financial reporting
- SOC 2 for areas such as security and privacy, and
- SOC 3 for public communication of SOC 2.
Our Chief People & Compliance Officer Kate Ward takes it a step further in explaining to us the difference between SOC 2 Type 1 and Type 2. She shared that, “SOC 2 Type 1 compliance evaluates an organization’s information security controls at a single point in time. A SOC 2 Type 2 audit considers how well an organization’s system and controls function over a period of time, which is typically 3–12 months.”
Organizations that go through a SOC 2 audit develop organization-specific controls that adhere to the SOC principles they’re audited against. These SOC Trust Principles might include:
- Privacy
- Security
- Availability
- Processing Integrity, and
- Confidentiality.
Our role with SOC compliance
RedCAT has successfully completed a SOC 2 Type 2 audit each year since committing to the process in 2017. As our organization has grown and matured, so have our policies and controls.
Ward said, “We work closely with our auditors. This is to ensure that as our business and operational practices change, we continue to follow best information security practices and adhere to our own stated policies and controls.”
Benefits of SOC compliance
When shopping for a new technology partner, you’ll want to ensure that your data, whether it is employee or customer data, is protected by adequate information security policies and controls. You want full confidence that personal information, from birthdates and hire dates to email addresses and phone numbers, is kept under lock and key.
Knowing that your technology partners complete a SOC 2 audit can give you reassurance that they take information security seriously.
Confirm a company’s SOC compliance by looking for the certification image or data privacy statements on their company website. You can also ask them directly through email or a scheduled call in the event the information isn’t readily displayed.
Additional data privacy considerations
If you have data that originates in Europe or other continents, consider whether your vendor adheres to General Data Protection Regulation (GDPR) or other country-specific data privacy standards. If the vendor will be transferring data to the United States, ask whether they:
- self-certify to the Data Privacy Framework Program, or
- use another approved mechanism of transferring data, such as Standard Contractual Clauses.
Many organizations use security questionnaires during the Request for Proposal process. This is to learn more about a vendor’s information security processes and assess whether those processes are sufficient to protect the organization’s data.
Commitment to your data
SOC compliance is all about trust and commitment. Our teams adhere to the policies set in place and routinely review and update them. You can trust that we’re doing right by you and your data.
We are committed to following the standards set by AICPA and educating our employees on how best to protect our customers. If you have questions about our SOC compliance, feel free to contact us at expert@redcatsystems.com.