In this installment of McKonly & Asbury’s ongoing series of articles focused on System and Organization Controls (SOC) engagements, we will focus our discussion on the additional criteria of a SOC 2 examination.
Before we dive into the additional criteria, let’s do a quick recap of what a SOC 2 examination covers.
A SOC 2 examination is used by service organizations to meet the needs of a broad range of users who need detailed information and assurance about the controls at the service organization relevant to the security, availability, and processing integrity of the service organization’s systems, and the confidentiality and privacy of the information those systems process. The AICPA has established specific trust services criteria within each of the trust services principles; the service organization’s controls must meet these criteria in order for the principle to be satisfied. The AICPA requires that all SOC 2 examinations cover the Security principle (also known as the common criteria). However, service organizations have the opportunity to select additional criteria (availability, processing integrity, confidentiality, and privacy) to be included within their SOC 2 examination.
We will focus on the Availability, Processing Integrity, and Confidentiality criteria within this article. A separate article will be dedicated to the Privacy criteria in the coming months.
To start us off, the Availability criteria focuses on the availability and accessibility of information used by the service organization’s systems and services provided to the service organization’s customers.
Availability Criteria 1.1 – The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
Availability Criteria 1.2 – The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
As noted within the two Availability criteria above, the criteria center around the maintaining and monitoring of system components and infrastructure to ensure that there is no disruption when a customer attempts to obtain their data or use a service provided by the service organization. These criteria do not require the system components and infrastructure to be functional (functioning of systems/infrastructure is covered within the Security criteria). Rather, these criteria focus mainly on the service organization’s upkeep of the systems, software, and other infrastructure affecting the services provided to its customers. For example, a datacenter that hosts space for its customers’ servers must establish appropriate controls surrounding the monitoring and maintaining of the facility’s functionality (e.g., installing appropriate fire suppression systems, maintaining appropriate safeguards in the event of a power failure, monitoring air conditioning units to verify that rooms are appropriately cooled, etc.).
Next up, the Processing Integrity criteria focus on the completeness, validity, accuracy, timeliness, and authorization of the processing performed by the service organization’s system.
Processing Integrity Criteria 1.1 – The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
Processing Integrity Criteria 1.2 – The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.
Processing Integrity Criteria 1.3 – The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.
Processing Integrity Criteria 1.4 – The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.
Processing Integrity Criteria 1.5 – The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.
The five criteria within Processing Integrity revolve around the systems at the service organization and their ability to achieve their intended function without impairment. There are many systems within a service organization; however, Processing Integrity focuses on the system within the scope of the SOC 2 examination. Controls within the Processing Integrity criteria can include the service organization’s use of customer contracts to define objectives and the intended use of the system, policies and procedures maintained by the service organization to ensure that its system is operating effectively, or review processes established by the service organization to ensure the accuracy of the information entered into its system or software.
Finally, the Confidentiality criteria encompass the service organization’s ability to identify and protect confidential customer information.
Confidentiality Criteria 1.1 – The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Confidentiality Criteria 1.2 – The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
The two Confidentiality criteria noted above are designed to ensure that service organizations have at least a two-step process when it comes to holding confidential data. First, the service organization must have controls surrounding the identification of confidential information provided by its customers. The service organization should also have controls in place to ensure that the confidential information, once identified, is appropriately and securely maintained. Second, the service organization must have controls in place to properly dispose of confidential information when disposal is deemed necessary. Controls under the Confidentiality criteria can range from the service organization having a disposal policy in place to the service organization establishing a control to receive disposal documentation after hardware or data has been wiped or destroyed. For example, a service organization that processes retirement benefits for its customers would cover the first Confidentiality criterion by maintaining a confidentiality policy requiring that data is encrypted at rest and during transmission between locations. The service organization could also have a control in place noting that confidential data is secured based on contracts with its customers. A service organization would cover the second Confidentiality criterion by having a destruction policy in place noting that once hardware is retired it is appropriately disposed of. The service organization could also have a control in place noting that disposal certificates are maintained for all retired and destroyed hardware.
The paragraphs above are a brief summary of what the Availability, Processing Integrity, and Confidentiality criteria entail. It is up to your organization to determine whether these additional criteria are applicable to the services your organization provides. Adding the additional criteria noted above can strengthen your SOC 2 Report and provide your customers with additional assurance over the Availability, Processing Integrity, and Confidentiality of their data.
If you’d like to discuss how to incorporate these additional criteria into your SOC 2 Report, please reach out to either David Hammarberg at email@example.com or Michael Hoffner at firstname.lastname@example.org. We’d love the opportunity to help your organization strengthen your SOC 2 Report.