
What is the SOC 2 report and why is it important for senhasegura?

Jul 21, 2023 | BLOG

SOC 2 provides a report after completing the audit.

Recently, senhasegura achieved this milestone, with a report detailing its controls for the principles of confidentiality, processing integrity, availability, and information security.

Want to know more about this subject?

Read our text until the end!

In December 2022, senhasegura reached compliance with the principles defined by the AICPA with the SOC 2 report, which attested to the reliability of the services provided by the organization and also of the 360º PRIVILEGE PLATFORM.

In practice, System and Organization Controls 2 (SOC 2) is an audit report used to assess how a company designs and implements internal controls around the storage of its customers' information.

This document points out that senhasegura uses standards defined by the AICPA regarding one or more of the following attributes: confidentiality, privacy, processing integrity, availability, and security.

In this article, we share more details about the SOC 2 report, achieved by senhasegura. To facilitate your reading, we have divided our text into the following items:

1. What is the SOC 2 report?

2. SOC 2 Trust Principles

3. Is SOC 2 equivalent to ISO 27001?

4. How do I comply with SOC 2?

5. About senhasegura

6. Conclusion


Enjoy your reading!


1. What is the SOC 2 report?

Developed by the American Institute of CPAs (AICPA), SOC 2 establishes requirements for the management of customer data, based on five trust services principles: confidentiality, privacy, processing integrity, availability, and security.

Unlike PCI DSS, which consists of strict, fixed criteria, SOC 2 reports are customized for each organization, which must demonstrate business practices that satisfy one or more of the Trust Principles.

Through SOC 2 reports, it is possible to obtain important information about how service providers manage their customers’ data.

There are two types of SOC 2 reports. The first describes a vendor's systems and whether their design is suitable to meet the trust requirements; the second addresses the operating effectiveness of those systems over time.


2. SOC 2 Trust Principles

The SOC 2 trust principles are:

  • Confidentiality
  • Privacy
  • Processing integrity
  • Availability
  • Security


Check each one of them in detail:


  • Confidentiality

Information is considered confidential when access to it is restricted to a specific set of people or organizations. Examples include internal employee documents, internal price lists, business plans, and banking information.

Encryption is essential to protect such sensitive items. Network and application firewalls and strict access controls may also be used.


  • Privacy

In SOC 2, privacy encompasses the collection, use, retention, disclosure, and disposal of personal information in accordance with company guidelines and the requirements set forth in the AICPA’s Generally Accepted Privacy Principles (GAPP).

This trust principle applies to Personally Identifiable Information (PII), data that can be used to identify a person, such as name, address, telephone number, and social security number.

Other personal data, such as information on sexuality, race, religion, and health, are also considered sensitive by GAPP.


  • Processing integrity

Processing integrity refers to a system's ability to achieve its purpose, that is, to deliver the right information, in the right amount, at the right time. Data processing should therefore be complete, valid, accurate, timely, and authorized.

Note that processing integrity is not the same as data integrity. If data are already incorrect before being entered into the system, detecting those errors is not the responsibility of the processing organization.

On the other hand, monitoring data processing together with quality assurance procedures helps to ensure the integrity of the process.


  • Availability

The process, product, or service must remain available as agreed between the customer and the provider. That is, the minimum acceptable level of system availability must be established by both parties.

In practice, this principle does not address the usability or functionality of the system, but rather the security-related requirements that may impair its availability.

In this sense, it is essential to monitor network performance and availability, site failover, and response to security incidents.


  • Security

The security principle concerns the need to protect system resources against external access. Access controls serve to prevent intrusion attempts, tampering with devices, misuse of software, theft or unauthorized removal of data, and disclosure of information.

To prevent unauthorized access, IT security tools such as web application firewalls (WAFs), network firewalls, two-factor authentication, and intrusion detection can be used.


3. Is SOC 2 equivalent to ISO 27001?

SOC 2 and ISO 27001 share many security controls, according to a study on the subject. What sets the two apart are their approach and goals. Both standards hold that a company only needs to adhere to a control if it applies to them, but their approaches differ.

ISO 27001 takes a systematic approach to information security management through an Information Security Management System (ISMS), a comprehensive way of managing data protection practices. SOC 2 can be seen as a specialization of ISO 27001: a standard focused specifically on data, with a targeted approach built around the five principles explored throughout this article.


4. How do I comply with SOC 2?

To earn a SOC 2 audit report, your company must adopt a compliant cybersecurity program and be audited by an AICPA-affiliated CPA. In this process, the auditor assesses the cybersecurity controls against the SOC 2 standard and issues a report with their conclusions.


5. About senhasegura

We are senhasegura, part of the MT4 Tecnologia group of companies, which specializes in cybersecurity, was founded in 2001, and is present in over 60 countries.

Our goal is to offer digital sovereignty and cybersecurity to the organizations that hire us, granting control of actions and privileged data and preventing breaches and leaks of information.

To do this, we follow the privileged access management lifecycle, automating controls before, during, and after each access. We work as follows:

  • We avoid downtime, which could harm our customers' performance and productivity

  • We offer advanced PAM solutions

  • We automatically audit privileged changes to identify privilege abuses

  • We automatically audit privilege usage

  • We reduce cyber threats

  • We bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001 and Sarbanes-Oxley


6. Conclusion

In this article, you have seen the importance of the SOC 2 audit report, awarded to senhasegura in December 2022. Did you like our article? Share it with someone who might be interested in the topic.
