Security

SOC2 is a type of audit report that provides assurance to stakeholders that an organization has appropriate controls in place to safeguard the security, availability, processing integrity, confidentiality, and privacy of its systems and data. The Trust Service Criteria (TSC) are a set of principles used in SOC2 audits to evaluate an organization's controls in these areas.

When it comes to security, the TSC require an organization to implement measures to protect against unauthorized access, disclosure, modification, and destruction of its systems and data. The TSC specifically evaluate the following security principles:

  • Control Environment: This principle requires an organization to establish and maintain an environment that supports the achievement of its objectives. This includes setting the tone at the top, establishing a code of conduct, and ensuring that policies and procedures are in place to manage security risks.
  • Risk Assessment: This principle requires an organization to identify, assess, and manage risks related to the security of its systems and data. This includes identifying threats and vulnerabilities, assessing the likelihood and impact of potential security incidents, and implementing appropriate controls to mitigate risks.
  • Logical and Physical Access Controls: This principle requires an organization to implement controls to prevent unauthorized access to its systems and data. This includes enforcing password policies, granting access on a need-to-know basis, and monitoring system access.
  • System Operations: This principle requires an organization to implement procedures to ensure the ongoing security of its systems and data. This includes monitoring for security incidents, maintaining system logs, and implementing change management procedures to ensure that changes to systems are made in a secure and controlled manner.
  • Change Management: This principle requires an organization to implement controls to ensure that changes to systems and applications are made in a secure and controlled manner. This includes testing changes before they are implemented, implementing appropriate controls to manage changes, and ensuring that changes are properly documented.

Overall, an organization must demonstrate that it has appropriate security controls in place to protect its systems and data from unauthorized access, disclosure, modification, and destruction. The SOC2 audit report provides assurance to stakeholders that the organization has implemented these controls effectively.