SOC 2 PRINCIPLES AT A GLANCE


System and Organization Controls (SOC) 2 is an auditing process targeting inter-business relationships. SOC 2 principles focus on service organizations, i.e. an organization that provides services to a user organization (for example, managed services).

The diagram below highlights the five (5) SOC 2 principles that define the criteria for managing customers' data.

[Image: diagram of the five SOC 2 principles]

  1. Security: this refers to the protection of system resources against unauthorized access, potential system abuse (theft, unauthorized use of data) and unauthorized disclosure of information. Tools like web application and network firewalls, 2FA, IDS and IPS are useful and necessary for preventing security breaches and unauthorized use of data.
  2. Availability: refers to the accessibility of the managed service, as stipulated by contract or SLA. The minimum acceptable performance level is set by both parties. It is important to know that it doesn't address system functionality and usability, but it does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover (backup), and incident response and handling are critical in this context.
  3. Process Integrity: addresses whether a system achieves its purpose: does the system deliver the right data at the right time? Data processing must be complete, valid, timely, accurate, and authorized. Process integrity doesn't imply data integrity; data can be corrupted before it is input into a system, and detecting corrupted data isn't part of the process integrity responsibility. Monitoring of data processing and quality assurance procedures can help ensure process integrity.
  4. Confidentiality: data is considered confidential if access is restricted to specific parties. Encryption is an important control for protecting confidentiality during transmission. Network and web application firewalls combined with rigorous access control can be used to safeguard processed or stored data.
  5. Privacy: this addresses whether the system's collection, use, retention, disclosure and disposal of information conform to the organization's privacy policy and also align with its actual operational procedures.

The combination of these principles doesn't just look at the policies, controls, and procedures put in place, but at the day-to-day running of an organization. It simply complements the security posture of an organization.

Cyril Okonkwo

Penetration Testing | Offensive Security | Breach and Attack Simulation | OSCP | MCT | AZ500

3 years

The King has spoken. I always look forward to your articles. Nice one.

Praise Nwagu

DevOps and Cloud Security Engineer

3 years

Well said. The demand for SOC 2 reporting is higher than ever, and organizations should consider getting ahead of the game by thinking about how ready they are to withstand the rigors of the audit. Your article provides a helpful list of the principles that should be considered. Thanks.
