SSAE 18 - SOC 1, SOC 2, SOC 3

Service Organization Controls are of 3 types as mentioned below:

SOC1: SOC 1 reports address a company’s internal control over financial reporting, which pertains to the application of checks-and-limits. SOC 1 is the audit of a third-party vendor’s accounting and financial controls. It is the metric of how well they keep up their books of accounts.

SOC2: The purpose of the SOC 2 report is to provide an assurance or an opinion on the level of trust and assurance that user auditor and user organization can derive from the system that the service organization has deployed that effectively mitigate operational and compliance risks.

SOC 3: A Service Organization Control 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality, or privacy. A SOC 3 report can be freely distributed, whereas a SOC 1 or SOC 2 can only be read by the user organizations that rely on your services.

SOC is an auditing procedure that ensures your service carriers securely control your data to protect the pastimes of your organization and the privacy of its clients. Specifically, for security-minded corporations, getting compliant with SOC is a least and fundamental need when considering a SaaS provider.

The objectives of a SOC compliance include: 

1. Security:
   The protection principle refers to safety of system sources towards unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized elimination of data, misuse of software, and improper alteration or disclosure of information.
2. Availability :
   The availability principle refers to the accessibility of the system, products or services as stipulated through a contract or Service Level Agreement (SLA). As such, the minimum acceptable overall performance stage for system availability is set by using both parties.
3. Processing Integrity:
   The processing integrity precept addresses whether a system achieves its cause (i.e., delivers the proper data at the right fee at the right time). Accordingly, data processing needs to be complete, valid, accurate, timely and authorized.
4. Confidentiality:
   Data is considered exclusive if its access and disclosure is confined to a specific set of persons or organizations. Examples may also encompass information meant solely for corporation personnel, as nicely as enterprise plans, mental property, inner charge lists and different types of touchy monetary information.
5. Privacy:
   The privacy principle addresses the system’s collection, use, retention, disclosure, and disposal of non-public records in conformity with an organization’s privacy notice, as properly as with standards set forth in the AICPA’s Generally Accepted Privacy Principles (GAPP).

The approach we follow at CyberSRC^® is as mentioned below:

Step 1: Risk Assessment
The first step to documenting internal controls is to conduct a risk assessment. Understanding your risks will help you to understand what controls you have or need to mitigate the risk.

Step 2: Establish a Control Framework
Establish the framework for your internal controls, the key processes to mitigating a potential risk, the objectives of the control, the requirements must be in place for you to control the situation effectively.

Step 3: Document the Control Activity
The programmatic steps taken to achieve the goals of your internal controls. Another important aspect of documented internal controls is the roles around the control. 

Step 4: Test Control Effectiveness
A strong part of robust internal controls is testing to assure it is effective at preventing security incidents. Also, include a remediation log that details the steps taken to correct issues and ensure the control is effective.

Step 5: Reporting