Should your business security systems provider have a SOC audit?
Steve Barlett is Director of Application Development at DGA Security with 15+ years of experience at DGA and even more in information technology and application development.
If you're reading this article, you might be wondering if your security provider has a SOC report, why security providers should undergo SOC audits, or even what a SOC audit is. While we don’t offer SOC audits at DGA, they are something we highly recommend to businesses dealing with sensitive information.
There are a few reasons why security providers should undergo SOC audits, all of which we'll elaborate on later.
- To improve security
- To help you self-audit and remediate security gaps
Security breaches can be catastrophic for organizations of any size. In 2013, Target was hacked through a third-party HVAC vendor, leaking data on millions of consumer credit cards. As a result, Target paid $18.5 million to the government, on top of hefty legal fees. Beyond that, consider how badly Target’s image was tarnished and how much revenue was lost during and after the incident.
In this age of connectedness, the security mistakes of your vendors can quickly become your security problems. This is just one reason SOC audits are gaining popularity as a way to gauge security in all industries, especially for those that deal with particularly large amounts of money or sensitive information.
What is a SOC Audit?
A SOC (Service Organization Controls) audit is a voluntary process, overseen by the AICPA (American Institute of Certified Public Accountants), that evaluates a service organization's ability to protect the sensitive data of its customers.
There are three main kinds of SOC audits: SOC 1 (financial), SOC 2 (security), and SOC 3 (general). There are also specialty SOC audits for areas such as cybersecurity.
Within these three main SOC audits, there are two types, type 1 and type 2.
You can think of a type 1 audit as a snapshot in time of how a service organization has designed its security controls. Organizations often use it to prepare for a type 2 audit.
A type 2 audit goes further: it takes place over a longer period and verifies that the documented controls operate effectively throughout that period. For instance, a type 1 audit might confirm that a company has a policy of deleting personal information when an employee leaves, whereas a type 2 audit verifies that the information is actually deleted in a timely and effective manner.
So how does an organization complete and pass a SOC audit?
Unlike a standardized test, the audit is custom-designed for the organization by the CPA in charge. The methodology is built around the trust services criteria, a set of five categories: security, availability, confidentiality, processing integrity, and privacy.
Over a few months, the auditor will investigate a business’s security practices. They might ask how it physically protects areas where backup media is stored or what information is included in a visitor log and how long that information is retained.
To pass the audit, organizations must pass at least two trust services criteria, which are chosen based on the mission of the business and customer needs. For instance, we chose security and availability as our trust services criteria because we believe that these are most important to our clients.
Why is the SOC audit important?
Now that you understand the basics of the SOC audit, how can having a SOC-audited security provider help you and your organization?
First, it proves that your vendors are following proper security protocols around the service they provide. Even if you have impeccable security controls, if just one of your vendors has poor security, you are at risk. The best defense is to leave no cracks by ensuring your vendors are secure.
Second, a SOC audit is a fantastic way to self-audit and remediate security gaps to better protect yourself and your customers.
Where does a company like DGA Security come in?
As an example, let’s say DGA Security secures XYZ Company with intrusion alarm, access control, and video surveillance systems. When XYZ Company undergoes a SOC 2 audit, it will need physical layouts showing the location of every security device provided by DGA. Not all security companies are prepared to support customers undergoing SOC audits, but DGA keeps that data in-house and can deliver it upon request.
How do I access a SOC report?
Generally, you should contact the service organization that received the report and request it. For SOC 1 and SOC 2 reports, you may need to sign a non-disclosure agreement first. Some prominent organizations, such as Salesforce, post their SOC reports directly on their website.
So, what are the key takeaways from all of this? We know we just threw a lot of terms at you, so let's break it all down once more.
- A SOC audit is an important part of a modern security posture that helps reveal security gaps that could cost you millions.
- When looking for a security provider, try to find one that is SOC 2 type 2 audited. This type of audit documents an ongoing examination of an organization's security protocols.
- If SOC reports are not already available on the provider’s website, request SOC reports from the organizations themselves.
A SOC audit is increasingly becoming a standard among industries that deal with highly sensitive data, which nowadays includes just about every industry. Get ahead of the trend and ensure your vendors, especially your security providers, have SOC audits available.
Have questions about physical security for your premises?
We'd be happy to help. Submit your question using our online form or call us at 800-PICK-DGA (800-742-5342) to speak with one of DGA’s experienced business security experts.