
What is SOC 2 Compliance and Why is it Important?

The security of a company's information, and of its clients' information, must be among the priorities of any company today, and even more so if the company relies on providers under the Software as a Service (SaaS) model. There are several mechanisms a provider can use to show that it takes this issue seriously; SOC 2 is one of them.


SOC 2 is an audit procedure built on a framework of principles that attests that an organization manages its data securely, protecting the interests of the organization and the privacy of its clients. These principles are security, availability, processing integrity, confidentiality, and privacy.


Compliance with SOC 2 can be the determining factor in many business decisions. In this article we cover it with a specific reader in mind: the technology company that delivers its solution under a SaaS model and wants to understand in depth what SOC 2 represents and how it can take advantage of it.


What are the principles behind SOC 2?

  • Security

  • Availability

  • Processing integrity

  • Confidentiality

  • Privacy


Security


This principle refers to the level of protection the system provides against unauthorized access to information. Establishing access levels and controls can prevent improper access, theft, unauthorized copies, deletion of files, inappropriate use of software, modifications to the code or, worse, disclosure of confidential information.


To meet this principle, various security tools or solutions can be used, such as a Web Application Firewall (WAF), multi-factor authentication (MFA), or an Intrusion Detection System (IDS). Each of these solutions provides a different layer of security.
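To make the multi-factor authentication layer concrete, here is an added example (not code from the original article) of how a time-based one-time password, the kind generated by an authenticator app, is produced and verified. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only. The secret `DEMO_SECRET` is the constructed test key from RFC 6238, used here purely for illustration; in a real system each user gets a random secret.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, candidate: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code of the current window or of up to `window` windows on either side
    (tolerating clock drift), comparing in constant time so the check leaks no timing."""
    current = timestamp // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


# Constructed demo secret (the RFC 6238 test key), not a real credential.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code for this window:", code, "accepted:", verify_totp(DEMO_SECRET, code, now))
```

The verification window is the design choice to watch: one step of tolerance on each side absorbs clock drift between the server and the user's device, while a wider window multiplies the number of codes an attacker could guess. The constant-time comparison avoids revealing, through response time, how many leading digits of a guess were right.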


Availability


It refers to customers being able to access the SaaS platform, that is, to having it available. The conditions on uptime and accessibility are typically set out in the Service Level Agreement (SLA).


This agreement establishes the minimum levels the company commits to. If the company fails to meet these levels and falls below what was agreed, the client would be entitled to some form of compensation. If you are interested in learning more about the SLA, here is the link where we discuss it in greater detail.


Processing integrity


This principle refers to the ability of the SaaS platform to do what it claims to do. This condition is popularly known as the implied warranty of fitness for a particular purpose.


Processing must be complete, valid, accurate, timely, and authorized. Importantly, processing integrity does not necessarily mean that the input data itself is complete or correct. We must always keep in mind a basic maxim of processes: if what goes in is garbage, what comes out will also be garbage (garbage in, garbage out).


Confidentiality


If access to certain information is limited to a specific group of people or to an organization, that data is considered confidential and therefore cannot be published or disclosed to unauthorized persons.


The mechanism for keeping data confidential is encryption: only the sender and those who hold the key can decrypt the message or data. This applies when the data has to be transmitted or transferred.
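The following is an added example (not code from the original article) of what "only those who hold the key can decrypt" means in practice. It builds an authenticated encryption scheme from the Python standard library alone: a keystream derived with HMAC-SHA256 in counter mode for confidentiality, plus a separate HMAC tag so that a wrong key or a modified message is rejected before any plaintext is returned. The function names, the key-derivation labels and the sample record are all constructed for the example; production code would normally use a library-provided AEAD such as AES-GCM, which this construction mirrors in shape.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

NONCE_LEN = 16  # random per-message value; must never repeat under the same key
TAG_LEN = 32    # HMAC-SHA256 output length


def _derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one shared key into an encryption key and a separate MAC key (labels are constructed)."""
    enc_key = hmac.new(master_key, b"confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256(enc_key, nonce || counter), block by block."""
    blocks = [
        hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag first; a wrong key or an altered byte raises before decryption."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _derive_keys(master_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def try_decrypt(master_key: bytes, message: bytes) -> Optional[bytes]:
    """Convenience wrapper: the plaintext on success, None when the key or message is wrong."""
    try:
        return decrypt(master_key, message)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: a shared key held by sender and recipient, and a client record in transit.
    shared_key = secrets.token_bytes(32)
    record = b"client=ACME;account=1234;balance=100.00"
    blob = encrypt(shared_key, record)
    print("recipient with the key:", try_decrypt(shared_key, blob))
    print("third party without the key:", try_decrypt(secrets.token_bytes(32), blob))
```

Two points matter for the confidentiality principle as stated above: the ciphertext is useless without the key, and the tag check means a recipient never acts on data that a third party altered on the way. The nonce must be unique for every message encrypted under the same key; reusing one would let an observer combine two ciphertexts and recover information about both plaintexts.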


On the other hand, to protect data stored on servers or in databases, it is necessary to implement perimeter protection, such as firewalls, together with strict access policies.


Privacy


The privacy principle refers to the mechanisms established for the collection, use, retention, disclosure, and processing of personal data, in accordance with the organization's privacy policy and with the conditions imposed by the applicable personal data protection law(s).


Personal data is any data that identifies, or makes it possible to identify, a person. Examples are name, address, national identity document (or identity card in some countries), etc. Some data is even more sensitive, such as race, sex, sexual orientation, religion, or political leanings. Any company that collects, stores, or processes personal data must take extra care, because of the risk this entails.