The first and most common security audit I had to wrap my head around was SOC 2. System and Organization Controls (SOC) audits probably have the most plentiful bounty of information, guides, definitions, secrets, tools, and tricks of all the major security certifications I’ve seen. The tough part was sifting through it all to find the core content and key concepts (not to mention layperson explanations) I needed to fully outfit myself. This would be my unicorn.
So, what did I learn about SOC 2?
A SOC 2 audit is typically found in North America, though it has been spotted in other regions of the world. There are two types with different lifespans: Type 1 and Type 2. Type 1 is the faster and cheaper variety; however, its lifespan is shorter. Type 2 is a slower, more expensive, and more thorough creature, but it has the trait of assuring customers of greater security and has a much longer lifespan.
SOC 2 outlines a set of regulations designed to ensure that organizations storing sensitive information (especially in the cloud) adhere to a common set of security best practices. Enter: my brain, where unicorns are dancing in the skies. Much like unicorns, which stand for principles of good in the world, SOC 2 stands on five “Trust Services Principles” or “Trust Services Criteria” (TSP or TSC, depending on how fancy you want to get): Privacy, Security, Availability, Processing Integrity, and Confidentiality (here’s a mnemonic to help you remember all of that)! As an organization that cares about its customers, you’ll need to demonstrate that you have the right security controls in place for each TSP that applies to your organization.
Keeping up with the unicorn analogy (stay with me here!), here’s how each TSP is broken down as if I were a knight seeking one out and needed the proper tools:
These main principles of SOC 2 are the key to finding your own personal unicorn in the world of security audits. And now that I have indulged my need for fantastical comparisons… I am off to discover more in the world of InfoSec! Tally-ho!