Should Your MSSP be SOC 2 Compliant?
SOC stands for Service Organization Controls and falls under the Statement on Standards for Attestation Engagements (SSAE) No. 16. SSAE 16 was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations like MSSPs.
SOC 1, SOC 2, and SOC 3 Audits
There are three categories of reports on controls at service organizations:
SOC 1: Audit report that focuses on examining internal controls relevant to financial reporting, to help ensure compliance with laws and regulations such as the Sarbanes-Oxley Act.
SOC 2: Audit report that focuses on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. SOC 2 Type 1 reports cover management’s description of internal controls; SOC 2 Type 2 reports independently examine the effectiveness of these controls.
SOC 3: Similar to SOC 2, SOC 3 focuses on controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information. SOC 3 reports are designed to be made public for audiences that do not need to understand the details of the tests performed by the service auditor and results of those tests.
Do Audits Matter?
Customers count on their security service providers to identify threats and protect their infrastructure, applications and confidential information from cyber attacks. Delivering such a service requires powerful technology, security experts, and effective processes. It also requires internal processes that ensure customer data is secure and that the provider’s service platform is itself protected from attacks. An independent audit of internal controls is important because it gives customers confidence that policies and controls are in place and are operating effectively.
So yes… Audits do matter.
Audits Also Save Time and Money
Security teams and Compliance Officers can spend weeks creating and evaluating vendor surveys that review the internal controls of potential vendors. Independent audits save time and money, and they provide a higher level of confidence than vendor self-reported responses can.
Proficio is SOC 2 Type 2 Compliant
Proficio undergoes annual SOC 2 auditing against the trust principles of Security, Availability, and Confidentiality. These audits review our controls against the AICPA’s “Common Criteria” and test those controls. Our auditor’s reports, available upon request, show that our controls are in full compliance with the standards, and when tested, passed without exception.