We work in an era where technology is ubiquitous, and where employees are tethered virtually to their jobs through smartphones, tablets, laptops, and the Internet. Increasing demand for easy-to-use, highly available technologies that can be accessed from anywhere has contributed to an explosion of cloud service adoption by businesses. In a world where Software as a Service (SaaS) is becoming just one of many "technology as a service" offerings, businesses are seeking assurance that their data will be available and, most importantly, secure.
The answer to this concern has been a seemingly ever-growing alphabet soup of third-party audits and certifications that you may have heard your IT colleagues talk about: SOC 1, SOC 2 (Type I and Type II), SAS 70, SSAE 16, ISO 27001, ISAE 3402, CSTAR, and more seem to spring up daily. At the crux of each of these reports is the goal of providing assurance to the reader regarding the security of the audited service.
Launched in 2011, the SOC family of reports replaced the former standard SAS 70 reports. SOC is shorthand for Service Organization Controls, and the criteria for the reports are governed by the American Institute of Certified Public Accountants (AICPA). SOC reports come in three varieties:
Interestingly, not all SOC 2 reports are created equal. There are different types of report (Type I and Type II) and, as stated above, each report may cover one or more of the defined Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy).
If you're wondering how to know which report you need, the first place to start is to understand what services you are purchasing from your service provider including, but not limited to:
Once you have a definition of the service(s) that you are purchasing from the service provider, use that information to determine which type of SOC report and which Trust Principles (for SOC 2 reports) best apply.
While an SOC report (or any other type of audit and certification) does not guarantee the safety and availability of the service organization, understanding the variations among the SOC reports will help you keep your organization's best interests in mind and be a more informed buyer of services.
For more information, visit AICPA's website.
Anne-Marie Scollay specializes in building teams for mission-critical systems, creating order from chaos, and seamlessly bridging the languages of technology and business. With a combined 15 years' experience in technology and logistics, Anne-Marie has a passion for operational excellence and a knack for thinking strategically. She has become intimately familiar with the concept of data security through her work for Legal Tracker, a Thomson Reuters company, for the past five years. In addition to overseeing the technology requirements for SaaS at multiple locations, she also manages Legal Tracker's information security responses and enjoys talking with legal and technology departments about their information security questions related to SaaS solutions.
A graduate of the University of Puget Sound with a Bachelor of Arts in Political Science, Anne-Marie sharpened her analytical skills coordinating shipments of everything from fish to sweaters before realizing her calling as a business professional with a penchant for technology. Anne-Marie has overseen high-availability sites and applications, provided thought leadership around information security, and is a respected leader with a proven ability to coach teams to excellence.
A private pilot, closet chef and world-traveler, she shares her life adventures with her rescued pit bull named Truffles.