It’s easy to be intimidated by the sheer volume of acronyms that exist in the security and compliance space.
These acronyms make it hard to know what to look for when choosing a software-as-a-service (SaaS) Cloud provider.
At the end of the day, you want to have peace of mind that your data is secure and protected.
That’s why we’d like to demystify the evaluation process and explain what to look for when comparing and evaluating SaaS Cloud vendors.
In this blog, we’ll outline compliance standards and how they impact Cloud security.
What Are Compliance Standards?
Two acronyms you will see on almost every vendor's trust page are SOC and TSP. In this context SOC stands for System and Organization Controls (formerly Service Organization Controls), the AICPA's family of attestation reports. It is not the Security Operations Center that monitors an organization's security posture day to day, even though the two share an abbreviation, and a vendor's SOC report says nothing about whether it runs such a center. TSP stands for Trust Service Principles, which the AICPA renamed the Trust Services Criteria (TSC) in 2017; vendors and auditors still use both names.
A SOC report is an independent auditor's opinion on a service organization's controls, in particular the controls around how customer data is retrieved, stored, processed, and transferred. SOC 1 and SOC 2 are the two reports you will usually be offered, and each comes in two types. The type matters as much as the number, so check for both.
- Type 1 Report – The auditor examines whether the company's controls are suitably designed and in place as of a single date. It says nothing about whether those controls actually operated over time.
- Type 2 Report – The auditor also tests whether the controls operated effectively throughout a review period, typically six to twelve months, and lists any exceptions found during testing.
Did you know? A vendor that describes itself as "SOC compliant" may have nothing more than a Type 1 report, which covers control design on one day. Ask for the Type 2 report itself, check the period it covers and how recently that period ended, and read the auditor's opinion and any listed exceptions. Only then do you have evidence that the controls were tested over time rather than on a single date.
Differences Between SOC 1 & SOC 2 Compliances
So, now that we've outlined the most common reports (SOC 1 and SOC 2) and their two types, let's look at how SOC 1 and SOC 2 differ.
SOC 1 – A SOC 1 report covers the controls at a service organization that are relevant to its customers' financial reporting, in other words the controls around the financial data the vendor processes on your behalf. Your own financial auditors are the main audience for it. The international equivalent of a SOC 1 report is ISAE 3402. As with any SOC report, "SOC 1 compliant" on its own does not tell you which type was completed, so ask whether the vendor holds a Type 2 report and for what period.
SOC 2 – A SOC 2 report covers the controls over the systems the vendor uses to retrieve, store, process, and transfer customer data, evaluated against the Trust Services Criteria. This is the report that speaks to security in the sense most buyers mean.
Here is where Trust Service Principles (TSPs) come into play.
SOC 2 reports evaluate an organization's controls against five categories of criteria, historically called the Trust Service Principles (TSPs) and now formally the Trust Services Criteria (TSC).
The five categories are:
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems. These are the "common criteria" on which every SOC 2 report is based.
- Availability – Information and systems are available for operation and use.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in accordance with the organization's privacy notice and the privacy criteria.
Did you know? Security is the only category that appears in every SOC 2 report; the other four are included only if the vendor chooses to have them audited. A vendor can therefore hold a valid SOC 2 Type 2 report that says nothing about availability, confidentiality, or privacy. Ask which Trust Services categories are in scope, and read the system description in the report to confirm that the scope covers the service you are actually buying rather than a different product or environment.
Prophix’s Cloud Security & Compliance
Understanding the differences between SOC 1 and SOC 2, and between Type 1 and Type 2 reports, will help you make an informed choice when choosing a SaaS Cloud vendor.
However, there are several other aspects of security and compliance you should consider, including how often the vendor is audited and how current its latest report is, which other frameworks the vendor is certified against, who provides the underlying cloud infrastructure (and whether that provider's own SOC reports are available), and how end-user authentication is handled, for example whether single sign-on and multi-factor authentication are supported.
To learn more about how to navigate cloud vendors on the market today, read our Security and Compliance whitepaper.
Prophix has completed SOC 1 Type 1 and Type 2 and SOC 2 Type 1 and Type 2 reports, and our SOC 2 reports cover all five Trust Services categories.
For more information on Prophix Cloud, visit https://trust.prophix.com/.