Maintaining consumer data security is perhaps the highest priority for any company that gathers, uses, or transmits private information for commercial purposes. Organizations that use the IT services of third-party vendors should be especially attentive to this, because they become liable for damages if that contractor fails to maintain appropriate security protections when accessing their data for contract purposes. The American Institute of CPAs (AICPA) designed its “Service Organization Control” (SOC) certifications to help enterprises ensure that their third-party vendors comply with the highest data security standards.
To determine if your IT support vendors are SOC 2 compliant, you can follow this SOC 2 compliance checklist to gain a comprehensive insight into their data protection activities.
Service Organization Controls
There are two types of SOC reports:
- A Type 1 report assesses the vendor’s data management systems for their suitability to maintain the SOC standards. According to the AICPA, a SOC 1 report provides control information that is relevant to internal controls over financial reporting. The SOC 1 report also falls under the AICPA’s Statement on Standards for Attestation Engagements (SSAE) 18.
- A Type 2 SOC report focuses on how well the design and operating effectiveness of the organization’s controls maintain the trust principles for the data it accesses. Each SOC 2 report is unique to the entity that develops it and demonstrates the efforts that the company has taken to comply with the SOC 2 standards. Companies that follow a SOC 2 compliance checklist to both achieve and maintain SOC compliance are often the best-qualified tech support providers for SOC purposes.
Trust Services Criteria
The goal of the SOC standards is to establish trustworthy systems and practices that control all aspects of data management. The AICPA bases its standards on how well entities address the five ‘trust services criteria’ related to data management: security, availability, privacy, confidentiality, and processing integrity. These criteria are modeled around four broader foundations for information management: communications, policies, procedures, and monitoring. Each of the five trust criteria has points of focus correlated to the four foundations, and companies must adhere to all aspects of each criterion to attain and maintain compliance with SOC 2. For businesses, the SOC 2 report predefines what compliance looks like, so it is easier for them to achieve it.
SOC 2 Compliance Checklist
As you evaluate the efforts of tech support companies in New Jersey, inquire about how they address these data security concerns:
Comprehensive data security practices will prevent most (or hopefully all) unauthorized access or use of sensitive corporate data.
Best practices for data security now include protections against both internal and external exposures or breaches, so entities must design their systems to detect inappropriate activity originating both inside and outside the enterprise. Basic access controls will manage and record how users access corporate systems, what they do while engaged with those systems, and how the system will respond to any inappropriate behaviors or suspicious actions. Ask your potential vendors about their:
- access controls,
- authentication procedures (there should be at least two for every entry point),
- intrusion detection systems, and
- web application firewalls.
Appropriate security measures only work when they are applied to every instance of access. Third-party vendors frequently access the contracting organization’s databases, applications, and functions as they pursue their contract work. Accordingly, determining how broadly available access to those systems will be becomes a critical aspect of the data security protection plan.
Every potential vendor you interview should have a service level agreement (SLA) that clearly defines how much of your corporate data will be available to them as they work to accomplish their services on your behalf. To establish an appropriate SLA with your vendor, clarify:
- what type of corporate data your vendor might require,
- who in their organization will have access to it, and
- how they will use it.
Be sure to include within the SLA:
- how the provider will monitor those contract activities;
- the provider’s failover capacity if or when your primary site fails due to errors, crime, or other events (failover is critical to maintaining business continuity despite technical failures or glitches); and
- how the provider will handle security incidents.
The data that requires the highest level of protection is the personally identifiable information (PII) related to individual persons. This information includes (but is not limited to) Social Security numbers, health information, race, sex, or gender information, and financial information.
Per the SOC 2 standards (which, in this case, also include the AICPA’s ‘generally accepted privacy principles’ (GAPP)), third-party vendors must protect the PII of your customers and enterprise in every instance in which they access, use, retain, disclose, and dispose of that information.
Maintaining data confidentiality means ensuring that only those who are authorized to access it have that access capability. Data that requires confidentiality protections includes consumer data and also proprietary corporate information, business plans, and intellectual property.
Processing Integrity
Finally, the SOC 2 standards also cover the processing of protected data, so that it maintains those protections while also achieving the intended corporate goals. Per the AICPA, data processing must be valid, accurate, complete, timely, and authorized. Third-party vendors who use a SOC 2 compliance checklist will also ensure that their processing practices prevent errors from entering the system, which further ensures the integrity of their processing activities.
If you are evaluating tech support in New Jersey offered by a third-party vendor, be sure to follow the SOC compliance checklist to ensure that the data they use from your organization is properly protected.