In today's public cloud, data security and privacy are challenging to protect. Many organizations are storing a significant amount of data in the public cloud and even unmanaged environments, increasing challenges for regulatory compliance. At the same time, there are privacy mandates, such as GDPR, which can add to the complexities of governing data. Without a proper data governance program, however, organizations may face difficulties in meeting these privacy compliance mandates.
Providing independent third-party assurance, such as a System and Organization Controls (SOC) 2 report helps address these concerns and gives assurance to help organizations mitigate data security and privacy risk.
In this blog, we will give an overview of the System and Organization Controls for Cybersecurity (SOC) Reporting to help your organization better understand how it can help with data security. We will cover the SOC framework for the management and reporting of cybersecurity practices that allow companies to track and monitor the effectiveness of their information safety activities.
No business is immune from a data breach. A study done in 2019 on a series of Maryland CPA firm breaches showed that of the 132 firms reporting a crime, 90% were small firms (not included in the state's top 300 CPA firms) and that the most popular type of breach was the unauthorized access to data.
This is common in large enterprises, too. In November, the email stores and confidential client documents of global SaaS provider, Prestige Software, exposed millions of records after failing to pay attention to the security of its cloud instances. Users of some of the world’s most popular travel retail websites, including Booking.com, Expedia, and Hotels.com, now have some of their most sensitive data compromised.
The most tragic point of the tale, however, is that the original access is believed to have been through a leaky S3 bucket.
The large firm intrusions, however, surprised many industry professionals; companies that size are expected to use their considerable resources to set and maintain the highest standard of data security. As the Maryland study shows, smaller firms are also at risk of invasion since they don't often have those high-volume resources. They can't establish the data security systems needed to keep their clients' information safe.
The AICPA noted this small-firm data security concern when designing its SOC Cybersecurity risk management program. The framework begins by establishing a three-part process to ensure all corporate information - both the company's and its client's - is safely protected from cyber intrusions:
It creates a common language for use by all internal entities (human and machine) engaged in the cybersecurity concern. The standardized nomenclature ensures that all participants are 'on the same page' in terms of cybersecurity risks, controls, and management practices.
Using that common language throughout the organization allows the company to both implements and accurately report on the security system's ongoing activities. The reports facilitate assessments on the effectiveness of the practices to ensure controls are appropriately in place to protect confidential information.
Finally, the framework provides a guide for CPAs hired to examine the corporate cybersecurity risk management program and submit attestation as to their findings.
By following the SOC framework, users learn to develop and implement cybersecurity best practices and controls, and to keep stakeholders informed about their effectiveness and efficiencies. Not insignificantly, the AICPA designed the framework to be agile and flexible according to guides, rules, and regulations imposed by other global organizations and security frameworks, such as HIPAA and NIST.
Next, the framework creates three report categories to describe and assess the firm's data security practices:
SOC 1 reports assess how well a financial services organization (in this case, a CPA firm) manages the financial statements of their clients and customers. Reports give assurance to potential clients and industry regulators that the CPA firm is acting responsibly with its clientele's sensitive financial information. SOC 1 reviews generate one of two reports:
These reports go beyond a firm's capacity to properly manage client data by explaining how internal controls ensure the confidentiality and privacy of client information as it's accessed, processed, and secured. The data revealed by these reports inform management and overseers about the sufficiency of the company's data and vendor management protection strategies.
The SOC 2 assessments seek out controls related to both access to data and the types of data collected.
Access is classified into two types, physical and logical.
Physical access controls govern all the physical devices, servers, data centers, etc., where an orgs data reside. Compliance with a SOC 2 standard would mean that all data storage devices (servers, databanks, computers, hard, drives, etc.) are safely and physically locked so that interlopers can't access their information. Physical controls used to secure information include the use of firewalls and anti-virus software, ensuring laptops and computers are locked behind secure doors, and encrypting data storage hard- and flash drives.
Logical access controls include the tools, programs, and protocols used to identify, authenticate, and authorize appropriate users of information and computing systems. Securing logical access controls requires a two-step process to determine if access should be granted:
Types of Data
In addition to who gains access to data, the framework also offers guidance on clarifying and securing the types of data collected by CPA firms. Not all incoming or stored information is confidential, so the firm needs different security levels based on the differing levels of data sensitivity. Sending data also raises concerns, especially when the workforce is distributed and uses personal devices to access corporate databases. Finally, some global data regulatory systems (such as Europe's General Data Protection Regulation - GDPR) mandate how, when, and why data must be destroyed or retained. The SOC 2 report will detail how any individual CPA firm manages this aspect of global data controls.
SOC 3 reports assure any user that the CPA firm maintains appropriate controls over information security, access, and privacy without going into the detail noted in the SOC 2 reports.
Cybersecurity practices must evolve as digital crimes evolve, but most CPA firms aren't able to follow those developments or respond accordingly. The AICPA framework provides them with an overarching strategy to regularly evaluate their internal cybersecurity controls to minimize known risks and report their mandated compliances to their clients and industry regulators. They can also share their insights with clients to improve their security practices and perform the audits and assessment their clients need to maintain their cybersecurity perimeters.
From a higher perspective, the AIPCA SOC framework also builds confidence in clients, investors, and other stakeholders that confidential information is safe, and that the agency continues to pursue its due diligence in terms of cybersecurity activities.
Sonrai Security’s award-winning Dig technology maintains a constant vigil over corporate and client data stores and usages, monitoring for least privilege access and alerting you to data breach concerns. The software ensures that your CPA firm provides the highest standard of data protection and assures well-received SOC reports when needed.