Data security is increasingly top of mind for every business, but especially B2B SaaS companies. Data breaches are becoming more common and present an existential threat: losing control over sensitive personal information information can result in lost reputation, churn, class action lawsuits, fines from regulators, or literally closing up shop.
Your customers and partners demand assurances that the data you process on their behalf is protected. This is why standards like the the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (“SOC” for short) for Service Organization reports have become popular in the last few years. A SOC report is completed by an independent third-party CPA auditor and provides insight into how a service organization (such as a cloud vendor) achieves key security and compliance objectives.
Aptible has achieved SOC 2 Type 2 compliance for the security and availability Trust Service Principles. This post shares a bit more about what this means and why this type of compliance is so valuable to B2B SaaS companies in specific. We’ll also share how you can start building a security program that meets SOC 2 requirements and is audit-ready.
(If you’re a customer or partner, and you want to get a copy of Aptible’s SOC 2 Type 2 report, skip ahead.)
What is SOC 2?
SOC 2 is a widely-used framework for building trust between vendors (called “service organizations”) and customers (called “user entities”).
CPAs have been doing audits relating to controls at service organizations relevant to user entities’ internal control over financial reporting for decades, all the way back to a standard called SAP No. 29 in the 1950s. In 1992, a standard called SAS 70 introduced the concept of service organizations, which was used for years and gained importance post-Enron and post-Sarbanes Oxley. These standards still focused on internal control over financial reporting, however, not security. With the rise of cloud computing, the AICPA saw the need for a security-specific framework, and in 2010 introduced their new Statement on Standards for Attestation Engagements No. 16 (SSAE 16). SSAE 16 introduced SOC 1, SOC 2 and SOC 3, with SOC 1 replacing SAS 70.1
Today, SOC 2 Type 2 reports are one of the most requested forms of assurance from large B2B customers. Why is that?
SOC 2 defines five Trust Service Principles (security, availability, confidentiality, processing integrity, and privacy) and criteria (called the Trust Services Criteria) for meeting them. As an organization, you select controls to ensure you meet the criteria.
Do you remember the Choose Your Own Adventure Series?
SOC 2 is Choose Your Own Trust Service Principles2 and controls. You pick which TSPs you want to be audited on, and which controls you select.
Why are those the most popular? Why not the privacy TSP?
In a nutshell, the security TSP is the big lift. The criteria for the Trust Services Principles are broken into two categories: a set of criteria common to all five of the trust service categories (called the “common criteria”); and additional criteria specific to the availability, processing integrity, confidentiality, and privacy TSPs.
The common criteria cover key concepts that affect all of the TSPs and criteria, like establishing a control environment, communication, risk assessment, and monitoring. So, if you only do the security TSP, you do the common criteria and are done. If you only do availability, you have to do all of the common criteria, plus three additional criteria. If you do security and availability, you have to do the same work: all of the common criteria, plus the three additional availability criteria. With the new 2017 Trust Services Criteria, confidentiality (which used to be 8 additional criteria in the 2016 version) is wrapped into the common criteria and slimmed down to two additional criteria.
So security is the most popular TSP because everyone has to do it and it gets at the heart of your security management program. Availability and confidentiality are extra work, but not that much more.3 Processing integrity is six additional criteria (five in the new 2017 TSCs) and may become more popular in the future, although at Aptible we don’t see much demand for it yet. Privacy is 20 extra criteria (18 in the new 2017 TSCs), and often entities have HIPAA or GDPR efforts that are redundant, so customers rarely demand it.
We highly recommend buying the Trust Services Criteria 3 and SOC 2 Guide. Note the SOC 2 guide is the new, shiny 2018 edition (and works with the upcoming 2017 TSCs), but the TSCs are the 2016 version, which expires at the end of March. You can download a mapping of the extant (still in effect) 2016 TSCs to the new 2017 ones from the AICPA.
That explains SOC 2, but what is a Type 2 report and why is it so popular?
SOC 2 (and SOC 1) reports come in two flavors, Type 1 and Type 2. (These are also sometimes called Type I and Type II, but the AICPA SOC 2 Guide uses Arabic numerals, so I will here. I don’t think it matters.)
A Type 1 report is a point-in-time snapshot where a CPA looks at management’s description of the service organization’s system (e.g. your security management program) and renders an opinion on 1) whether that description is fairly presented, and 2) whether the controls you have in place are suitably designed to meet your control objectives. Type 1 reports are useful if you want to get your auditor familiar with your chosen controls, or if your system or control scheme has changed significantly.
A Type 2 is the good stuff your customers want: It includes the Type 1 subject matter plus an opinion on the operating effectiveness of the controls in place over a specific period (called a “review period” - usually 6 or 12 months). The Type 2 report also contains details about how the auditor examine each control and what they tested. This level of granularity, along with SOC 2’s usability for any vertical, is why the framework is so popular.
By way of contrast, an ISO 27001 certification (Aptible’s is here) represents strong adherence to a specific set of controls, but doesn’t have any granularity as to how specific control objectives are achieved, or whether those controls are operating effectively. Many B2B buyers will accept both in lieu of a security assessment questionnaire, but some prefer SOC 2.
The AICPA’s new SOC for Cybersecurity framework will have both a static set of controls (like ISO 27001) and the SOC 2 auditing methodology, and will probably be popular as well when the SOC for Cybersecurity Guide is released later this year.
How can you complete your own SOC 2 report?
If you run architecture on Enclave, our AWS-based Docker container orchestration platform, you can inherit our SOC 2 report through what the AICPA calls the carve-out method.
We also offer Gridiron, a security management SaaS platform for helping you stand up and run a security management program that meets stringent criteria. You can use Gridiron with several protocols, including HIPAA, ISO 27001, SOC 2, and GDPR.
For SOC 2 specifically, Gridiron onboarding replaces much of the gap and readiness work that you would do with consultants, in spreadsheets and word processing documents, and leaves you with a source of truth for security management data that makes auditing easy.
How can I get a copy of Aptible’s SOC 2 Type 2 report?
Under AICPA rules, SOC 2 reports are only for management, customers, and other key stakeholders. As a result we cannot post our SOC 2 Type 2 report publicly. We are however excited to share it with customers and partners.
If you’d like to get a copy of our report, you can access it here. If you’d like to learn more about SOC 2 and how you might begin preparing to create a security management program that will help you complete your own report, get in touch now.
1 These changes continue: SSAE 16 has been replaced with SSAE 18 and a new “SOC for Cybersecurity” framework is coming this year. 2 The AICPA is renaming the Trust Service Principles to Trust Service Categories, but is still using the acronym “TSP.” 3 The AICPA is updating the Trust Services Criteria to a 2017 version (effective in December 2018), but there are still only 3 additional availability criteria.