With great data, comes great responsibility. When SOC 2 Compliance was introduced, it was in direct response to the growing need for security in data storage, particularly so that consumers could trust companies that store their data in the cloud. As cloud technology continues to grow and evolve, so does the ability of hackers to infiltrate these systems. Without a framework that pushes companies to keep improving their security measures, customers’ data is left vulnerable to outside invaders. As a result, companies across the globe have adopted a set of security guidelines known as the SOC 2 Trust Principles to ensure the safety of the 21st century’s most precious commodity--data--in the ever-changing landscape of cloud technology.
SOC 2 Trust Principles
While companies get certified in SOC 2, it differs from frameworks with strict, prescriptive requirements, like GDPR and CCPA, in one primary way: SOC 2 reports are tailored to each company, with its own unique set of goals, challenges, and, most importantly, vulnerabilities. With this in mind, each organization shapes its report around the following principles:
Privacy:
All collection, use, retention, disclosure and disposal of data, particularly PII (any information that can distinguish an individual, such as a name, address, or social security number), must conform to the organization’s privacy policy. The privacy policy should also follow the guidelines put forth in the AICPA’s privacy principles, known as GAPP. Other forms of data considered sensitive in nature include, but are not limited to: health, race, sexuality, and religion. While these are not directly considered PII, organizations should consider treating them with similar sensitivity.
Confidentiality:
Data should be accessible only to the people who need it for specific, pre-agreed business offerings or dealings. Companies are to put controls in place that limit the ability of unauthorized personnel to access confidential information. This is most often done by implementing a firewall, but other systems (such as access controls) can be used in tandem to safeguard information in computer systems.
Security:
Organizations must implement a set of security measures to prevent breaches in the cloud, particularly where data is stored. This can be done in a variety of ways, but is most often implemented via technologies such as web application firewalls (WAFs), two-factor authentication, and intrusion detection systems. With these tools, organizations can monitor both for outside intrusion into the cloud and for improper internal usage.
Availability:
Companies must adhere to the minimum acceptable performance level set forth in their service level agreements or contracts with customers. To do this, organizations typically put in place systems that monitor network performance and availability to avoid crashes. This principle also covers the process by which security failures are rectified and systems subsequently modified to mitigate the underlying vulnerabilities.
Processing Integrity:
Data processing must satisfy four criteria in order to be considered processed with integrity: it must be authorized, complete, accurate, and timely. To be considered authorized, data must be approved for processing ahead of time and serve a business need that is compliant with the customer’s contract. Further, the data processing is considered valid only if it is complete--not stopped midway through the processing. Processing is considered accurate if it follows the operation’s pre-approved instructions, and it is considered timely if all of the aforementioned activities are completed within the pre-agreed time frame.
A note: processing integrity does not account for faults in the data itself--it exclusively concerns the processing of the data. The job of ensuring data integrity typically falls to the entity responsible for entering data into the system where processing begins.
Final Thoughts (For The Skimmers Among Us)
SOC 2 Compliance isn’t so much a checklist as it is a set of guidelines and agreements among involved parties: to mitigate data misuse, to secure that data, and to commit to swift action against hackers and system invaders. As cloud systems evolve, so will these policies, which is why they are often written in broad strokes. However, organizations such as Hiya adopt SOC 2 Compliance to indicate that they are committed to vigilant monitoring, and to show that they are willing to go above and beyond baseline data security assurances and standards to proactively prevent attacks. In other words, they’re not only talking the talk, they’re walking the walk. Hiya does this so that we can protect our customers’ data and continue to lead the voice performance channel with solutions and technology rooted in integrity.
To learn more about Hiya, our data protections, and SOC 2 Compliance regulations, please reach out here.
For more frequently asked questions on SOC 2 Compliance, click the link here.