The rapid advances in technology have created opportunities for businesses to realize new efficiencies and increased profitability. The ease of use, transparency, and functionality now available have led many to embrace outsourcing as a way to manage non-essential functions. Not only does this save money and minimize waste, but it also allows management to focus on core business processes. As more organizations turn to outsourcing, it has become important to understand the data risk management controls that protect shared customer data. Typically, this is demonstrated through a System and Organization Controls (SOC) report, either SOC 1 or SOC 2, depending on the services provided. For service organizations that must also comply with additional frameworks, it can be costly to undergo both a SOC examination and separate independent testing against each framework. To address this, the AICPA created the SOC 2+ report, which incorporates multiple frameworks and standards into a single assurance reporting process. To help clients, prospects, and others, OCD Tech has provided a summary of the key details below.
What is a SOC 2+ Report?
A SOC 2+ report assesses controls against the AICPA's Trust Services Principles (TSP) and, in the same engagement, against the additional criteria of one or more other frameworks. These can include regulatory and industry frameworks such as PCI DSS and HIPAA.
The examples listed below are frameworks that can be examined during a SOC 2+ engagement and for which formal mappings to the SOC 2 criteria have been developed, as outlined by the AICPA.
- CSA Security, Trust & Assurance Registry (STAR) – This third-party assessment framework, developed by the Cloud Security Alliance jointly with the AICPA, serves as an independent security assessment framework for cloud providers. There are two levels of assessment: a self-assessment and a third-party audit. A SOC 2+ with STAR can be performed when a data center or cloud provider that manages, transmits, and stores client data needs to test and validate specific security configurations against the CSA criteria.
- HITRUST CSF – This security framework was developed by the Health Information Trust Alliance to help covered entities such as health plans, providers, and their business associates comply with HIPAA requirements. A SOC 2+ with HITRUST can be used, for example, by claims processors that need access to HIPAA-protected data to complete their assigned responsibilities. To demonstrate compliance with the requirement to safeguard protected health information, the report maps how the organization's existing controls satisfy the HITRUST CSF criteria.
- National Institute of Standards & Technology (NIST) – The NIST framework was designed to ensure organizations meet minimum cybersecurity standards while continuing to improve control effectiveness. A SOC 2+ with NIST can be used by a government contractor, for example one responsible for building housing, to demonstrate compliance with the NIST standards written into its contract.
- PCI DSS – This standard was designed by the PCI Security Standards Council to ensure organizations that store, process, or transmit cardholder data meet established security requirements. Service organizations that store card data for future payments can use a SOC 2+ with PCI DSS to demonstrate to their customers how their controls map to the PCI DSS requirements alongside the TSP criteria. This is especially helpful for organizations that have not completed a separate PCI DSS validation. Note that a SOC 2+ report does not replace PCI DSS validation (a Report on Compliance or Self-Assessment Questionnaire) where a card brand or acquiring bank requires it.
Contact Us
SOC 2+ reports provide a streamlined method for service organizations and outsourced providers to concurrently demonstrate compliance with the TSPs and industry-specific frameworks. If you have questions about the information outlined above, or need assistance with a SOC 2+ report, OCD Tech can help. For additional information, call us at 844-OCD-Tech or contact us through our website. We look forward to speaking with you soon.