System and Organization Controls (SOC) 2 is a reporting framework that sets benchmarks for managing customer and user data. It was created by the American Institute of Certified Public Accountants (AICPA), and is based on the institute's five Trust Services Criteria – privacy, confidentiality, security, availability, and processing integrity. SOC 2 Type II compliance assures existing and potential customers that your organization has the proper security, privacy, and compliance controls in place to manage its data.
SOC 2 Type II applies to any service provider or service organization that stores, processes, or transmits information. In the face of evolving cyber threats, the attestation is more important than ever and tells your customers that you're serious about protecting them and their information.
Driven by members and government contracts that require external assessments and certifications, the Center for Internet Security (CIS) recently completed the SOC 2 Type II audit for its CIS SecureSuite and MS- and EI-ISAC membership services. CIS's SOC 2 Type II compliance ensures that our members' data and associated information are protected at all times and in accordance with all applicable compliance requirements.
Undergoing the attestation process is not easy, but it's well worth the effort, as we can assure our customers that CIS products and services align with the most rigorous security and privacy standards in the industry.
At CIS, we performed an initial gap assessment, both internally and externally, to identify areas that needed special attention. A gap assessment helps an organization understand the status of its current environment relative to security controls and best practices, so that those gaps can be minimized. At a high level, areas to look at during the assessment include, but are not limited to: tone at the top, data management, vendor management, risk management, change control, vulnerability management, and separation of duties. With the gap assessment completed, we reviewed our organizational policies, standards, and processes to ensure they were accurate and appropriate for our environment. Policies, standards, and processes are the foundation of any successful security program.
Once the policies, standards, and processes reflected the current environment, we reviewed our technical controls. This included establishing new controls, refining existing ones, and removing those that were not appropriate. This is where applying our own CIS Critical Security Controls (CIS Controls) was most beneficial in our SOC 2 process. We mapped the CIS Controls to the SOC 2 framework and aligned them where necessary. It was not strictly a one-for-one alignment, but it assisted in defining potential gaps within the organization.
With the technical controls in place, we began defining audit cadences based on risks and compensating controls. With the internal audits and reviews in place, we gathered the necessary documentation and evidence from CIS's business units. Once we felt comfortable with our processes, we scheduled the SOC 2 Type I review. The SOC 2 Type I differs from the Type II in that it is a point-in-time review focused only on the design of the controls, whereas the Type II also examines whether those controls operated effectively over a review period. Once we successfully completed the SOC 2 Type I, we began preparing for the Type II review.
Of course, every organization is different. However, there is a set of standard items that virtually every team should address when preparing for SOC 2 attestation.
CIS's experience identified a number of critical success factors that apply to any SOC 2 attestation.
SOC 2 is not a one-time event, and it requires a real commitment. For CIS, this commitment is the foundation for continuous improvement, enabling us to improve upon the security and privacy of our members and their data, and move forward with other attestations and certifications in the future.