If you're reading this article, you might be wondering if your security provider has a SOC report, why security providers should undergo SOC audits, or even what a SOC audit is. While we don’t offer SOC audits at DGA, they are something we highly recommend to businesses dealing with sensitive information.
There are a few reasons why security providers should undergo SOC audits, all of which we'll elaborate on later.
Security breaches can be catastrophic for organizations of any size. In 2013, Target was hacked through a third-party HVAC vendor, leaking data on millions of consumer credit cards. As a result, Target had to pay out $18.5 million to the government along with hefty legal fees. On top of that, imagine how much Target's image was tarnished and how much revenue was lost during and after the incident.
In this age of connectedness, the security mistakes of your vendors can quickly become your security problems. This is just one reason SOC audits are gaining popularity as a way to gauge security in all industries, especially for those that deal with particularly large amounts of money or sensitive information.
A SOC (Service Organization Controls) audit is a voluntary process overseen by the AICPA (American Institute of Certified Public Accountants) regarding a service organization's ability to protect the sensitive data of its customers.
There are three main kinds of SOC audits: SOC 1 (financial), SOC 2 (security), and SOC 3 (general). There are also specialty SOC audits for areas like cybersecurity.
Within these three main SOC audits, there are two types: type 1 and type 2.
You can think of a type 1 audit as a snapshot in time of how a security organization has designed its security controls. Organizations often use this to prepare for a type 2 audit.
A type 2 audit goes further and takes place over a longer period to verify that all the documented designs work effectively. For instance, a type 1 audit might reveal that a company deletes personal information when an employee leaves, whereas a type 2 audit will verify that the information is deleted in a timely and effective manner.
A SOC audit is not a standardized test. The CPA in charge of the audit custom-designs it for the organization, using a methodology built on the trust services criteria, a set of five categories: security, availability, confidentiality, processing integrity, and privacy.
Over a few months, the auditor will investigate the business's security practices. They might ask how it physically protects the areas where backup media are stored, or what information is included in a visitor log and how long that information is retained.
To pass the audit, an organization must satisfy at least two of the trust services criteria, which are chosen based on the mission of the business and the needs of its customers. For instance, we chose security and availability as our trust services criteria because we believe that these are most important to our clients.
Now that you understand the basics of the SOC audit, how can having a SOC-audited security provider help you and your organization?
First, it proves that your vendors are following proper security protocols around the service they provide. Even if you have impeccable security controls, if just one of your vendors has poor security, you are at risk. The best defense is to leave no cracks by confirming that each of your vendors is secure.
Second, a SOC audit is a fantastic way to self-audit and remediate security gaps to better protect yourself and your customers.
As an example, let's say DGA Security secures XYZ Company with intrusion alarm, access control, and video surveillance systems. When XYZ Company undergoes a SOC 2 audit, it will need physical layouts showing the location of every security device provided by DGA. Not all security companies are prepared to support customers going through SOC audits, but DGA keeps that data in-house and can deliver it upon request.
To obtain a SOC report, contact the service organization that received it and request a copy. For SOC 1 and SOC 2 reports, you may need to sign a non-disclosure agreement first. Some prominent organizations, such as Salesforce, post their SOC reports directly on their websites.
So, what are the key takeaways from all of this? We know we just threw a lot of terms at you, so let's break it all down once more.
A SOC audit is increasingly becoming a standard among industries that deal with highly sensitive data, which nowadays includes just about every industry. Get ahead of the trend and ensure your vendors, especially your security providers, have SOC audit reports available.
We'd be happy to help. Submit your question using our online form or call us at 800-PICK-DGA (800-742-5342) to speak with one of DGA’s experienced business security experts.