When it comes to cybersecurity standards, organizations these days can select from a myriad of frameworks designed to improve information security in a structured and methodical manner. However, for firms that store and manage client data in the cloud, implementation of the proper security framework may also require demonstrating compliance through independent, third-party validation and attestation.
For Akoya, attaining a SOC 2 Type II attestation was critical to validating its information security and operational practices to both internal stakeholders and clients, despite not storing any sensitive client data in the cloud. As one of the most rigorous and well-regarded cybersecurity compliance standards, SOC 2 attestation (and the related reports) is increasingly required by clients evaluating a vendor’s ability to protect their data.
In this article, we will provide an overview of SOC 2 and its key definitions and components, explore what it means to be SOC 2 compliant, and explain why it matters.
What is SOC 2?
The SOC 2 compliance standard and security framework was developed by the American Institute of Certified Public Accountants (AICPA) in 2010 with the intent of bolstering trust between service providers and customers. Short for System and Organization Controls 2, SOC 2 consists of a set of voluntary requirements and measures that describe how organizations should handle sensitive customer data in the cloud; specifically, how to protect customer data from malicious or unauthorized access, security failures, vulnerabilities, and other cyber risk exposures.
Despite being created by a professional organization of certified public accountants and finance professionals, the standard is geared toward technology-based companies and service providers storing customer data in the cloud. AICPA still maintains stewardship over the SOC 2 framework, and the standard has since gained prominence in the U.S. across all industries. Today, SOC 2 is the pre-eminent compliance standard for auditors to gauge the operating effectiveness of a firm’s security controls, protocols, and processes.
SOC 2 Type I versus SOC 2 Type II?
SOC 2 certification comes in two forms, Type I and Type II, though the latter is preferred by organizations looking to provide greater assurance to their clients. SOC 2 Type I reports take less time to complete and usually cost less, as they only measure the efficacy of an organization’s security controls at a single point in time. In contrast, a SOC 2 Type II report assesses how the organization’s security controls operate over a specific timeframe (e.g., 3, 6, or 12 months), thereby providing a more comprehensive picture of the firm’s security architecture and its strengths and weaknesses.
SOC 2 Compliance & Attestation
SOC 2 compliance is validated and attested to by an independent auditor trained in assessing the fitness of an organization’s security controls per SOC 2 standards. During the audit, the security posture of the organization is measured using one or more of the five AICPA-developed Trust Services Criteria (TSC):
- Security – Protecting information from unauthorized access
- Availability – Ensuring that customers and employees have reliable access to required resources
- Processing Integrity – Verifying that the organization’s systems are functioning as intended
- Confidentiality – Preventing confidential information from being exposed by limiting its access, use, and storage
- Privacy – Protecting sensitive information from unauthorized access
Every organization that completes a SOC 2 assessment receives a report from an independent audit firm. The report contains the following information:
- The auditor’s opinion of the effectiveness of the organization’s controls
- A description of the organization’s controls and how those controls comply with the TSC
Why SOC 2 Matters to Akoya
With a SOC 2 Type II attestation, Akoya has substantiated our commitment to data security and privacy, validated our best-in-class security standards, and reaffirmed our commitment to clients and potential clients, partners, and all players in the Akoya ecosystem. We consider strong security an intrinsic requirement for the business, and SOC 2 is one of the most comprehensive, rigorous, and widely accepted technology auditing standards and readiness assessments available today. The attestation affirms that our platform’s security, service commitments, and operational processes meet the stringent requirements our customers and partners demand, and that we safeguard data in line with industry standards and best practices.