New Service Organization Controls (SOC) issued by the AICPA in April 2016 have superseded the previous version of the SOC that came out in 2014. If you are looking to remain in compliance with TSP Section 100, make sure that you understand the new criteria of SOC 2. Here are the major points that you need to know about.
The New Set of Principles
SOC 2 is based around four broad areas or principles: monitoring, procedures, policies and communications. Each of these four principles has controls that organizations must demonstrate adherence to. Organizations must also produce an unqualified opinion, with an audit producing no significant exceptions. Although these criteria may be more difficult for some organizations to meet, they are predefined and much more streamlined in SOC 2 than in any previous iteration of TSP Section 100.
TSP Section 100 Restructuring
Before the implementation of SOC 2, TSP Section 100 was organized into subsections of security, availability, processing integrity, confidentiality and privacy. SOC 2 stands alongside these subsections with a seven-tiered structure:
- Organization and management
- Risk management and implementation of controls
- Monitoring of controls
- Logical and physical access control
- System operations
- Change management
Each of these must be reported on alongside the original trust principles in the same report.
The Major Changes in Risk Management
One of the most striking changes during the SOC 2 update was made in the mandates for risk management. Risk management is now one of the priority elements in all regulatory compliance, and any SOC 2 assessment should provide an interpretation of these new mandates if a company is looking to save money on SOC compliance.
Who Should Pay Attention to SOC 2?
Businesses in the document production, data analytics, software-as-a-service and data center or co-location industries may want to pay special attention to SOC 2. There are actually three different reporting options within the SOC framework; however, the default standard for many technology-oriented businesses has become SOC 2.
Is a Business Required to Address All Principles?
Contrary to popular belief, businesses are not necessarily required to address each of the four principles. Reviews and audits may be limited to the relevant principles if a business is performing an outsourced service.
What You Should Look for in an SOC Assessment Service
Most companies do not have the time to assess themselves for the new measures of compliance the SOC requires. It is simply too much of a headache, and in-house assessments are naturally less objective than professional third-party assessments. In order to ensure that you are receiving a service that will help you save money and time, you should look for the following characteristics in your compliance assessment service provider.
Your provider should have operation-specific policies and dedicated procedural forms to back them up. IT security policies are an incredibly large part of remaining compliant with the SOC 2 updates. You probably do not have the time to develop these on your own, and any compliance effort that you outsource should come in the door with ideas on how to reduce the use of your in-house resources toward this endeavor.
Your provider should understand the working procedures of your industry. In order to ensure that your communications and systems operations are compliant with SOC 2 while remaining useful for business, any compliance assessment provider should understand the internal and external connections that a company must maintain within a certain industry. Look for examples of previous assessments and do not be afraid to ask for proof of successful compliance efforts.
If you are looking to remain compliant with all relevant industry regulations and save money at the same time, you need a professional SOC assessment service. As experts on TSP Section 100 and the SOC updates, we have been able to save our clients headaches and manpower while keeping their companies fully compliant with the updated regulations.