Information security is a growing concern for many organizations, especially those that handle financial and healthcare information. Many such organizations are required to undergo a Service Organization Control (SOC) 2 examination in order to provide assurance that their security controls are suitably designed and operating effectively. A SOC 2 examination covers one or more of the five Trust Services Principles specified by the American Institute of Certified Public Accountants (AICPA):
- Security: the system is protected, physically and logically, against unauthorized access, data theft and loss.
- Processing Integrity: system processing is complete, valid, accurate, timely and authorized.
- Availability: the system is available for operation and use as committed or agreed.
- Confidentiality: information designated as confidential is protected as committed or agreed.
- Privacy: personal information is collected, used, retained, disclosed and disposed of in conformity with the organization’s privacy notice and with established privacy criteria.
A service organization can have a SOC 2 examination performed against any one, any combination, or all five of the Trust Services Principles. For example, some software-as-a-service (SaaS) providers may need to address availability, security and processing integrity, but have no privacy or confidentiality obligations. Healthcare organizations, on the other hand, are under increasing pressure to demonstrate compliance with privacy and confidentiality regulations.
Comparing the HITRUST Common Security Framework and SOC 2 Reporting
The Health Information Trust Alliance (HITRUST) created the Common Security Framework (CSF) for organizations that create, access, store or exchange health information. The CSF was developed in collaboration with healthcare and security experts and has become the de facto standard for healthcare compliance. HITRUST has also developed a standard report that provides a consistent representation of risk exposure, compliance posture and corrective actions, which allows results to be benchmarked against industry best practices. The HITRUST CSF and the SOC 2 reporting model are complementary: both can be satisfied by assessing and implementing a single set of controls mapped to the CSF, rather than running two separate control assessments.
The “SOC 2 for HITRUST” Combined Reporting Model
HITRUST and the AICPA have collaborated to develop and publish a set of recommendations that streamline and simplify the use of the CSF for SOC 2 reporting. Because some service organizations must report in very specific formats from which they may not deviate, the internal control reporting structure had to be efficient yet flexible. Mapping the HITRUST CSF to the AICPA Trust Services Principles and Criteria provides exactly that: one control set, one assessment, and a report that satisfies both audiences. Under this model, the SOC 2 for HITRUST report becomes the default deliverable that meets a diverse range of customer and regulator requests. HITRUST recommends engaging a CPA firm that is also an authorized CSF Assessor, so that both needs are satisfied in a single engagement.