In this quick presentation I included the SOC key points and the five key sections of the Trust Service Criteria for SOC 2 Compliance.

1. SOC Compliance
Overview
System and Organization Controls
Edited by Fabio Ferrari | particles.io
https://www.linkedin.com/in/particles/

2. What is SOC?
SOC stands for “system and organization controls,” and the controls are a series of
standards designed to help measure how well a given service organization conducts and
regulates its information.
The purpose of SOC standards is to provide confidence and peace of mind for organizations
when they engage third-party vendors.

3. What is SOC 2 Compliance?
Developed by the AICPA, SOC 2 is specifically designed for service providers storing
customer data in the cloud. That means SOC 2 applies to nearly every SaaS company, as well
as any company that uses the cloud to store its customers’ information.
Before 2014, cloud vendors only had to meet SOC 1 compliance requirements. Now, any
company storing customer data in the cloud must meet SOC 2 requirements in order to
minimize risk and exposure to that data.

4. SOC 1 vs. SOC 2 vs. SOC 3
SOC 1 reports on the service organization’s controls related to its clients’ financial
reporting.
SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the
security of a system at a service organization. The SOC 2 report was designed to determine
if service organizations are compliant with the criteria of security, availability, processing
integrity, confidentiality, and privacy.
SOC 3 reports are a simplified version of SOC 2 reports, requiring less formalized
documentation.

5. Why SOC 2?
Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each
organization. In line with specific business practices, each designs its own controls to
comply with one or more of the trust criteria.
The SOC 2 protocol is designed for more advanced I.T. service providers.
These can include managed I.T. service providers (MSPs), cloud computing vendors, data
centers and SaaS (software-as-a-service) companies.

6. SOC 2 Framework
The SOC 2 framework includes five key sections, forming a set of criteria called the
Trust Services Criteria (TSC):
1. The security of the service provider’s system
2. The processing integrity of this system
3. The availability of this system
4. The privacy of personal information that the service provider collects, retains, uses, discloses
and disposes of for user entities
5. The confidentiality of the information that the service provider’s system processes or
maintains for user entities

7. TSC – Security
The security criteria refers to protection of system resources against unauthorized
access. Access controls help prevent potential system abuse, theft or unauthorized removal
of data, misuse of software, and improper alteration or disclosure of information.
IT security tools such as network and web application firewalls (WAFs), two factor
authentication and intrusion detection are useful in preventing security breaches that can
lead to unauthorized access of systems and data.

8. TSC – Availability
The availability criteria refers to the accessibility of the system, products or services as
stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable
performance level for system availability is set by both parties.
This criteria does not address system functionality and usability, but does involve
security-related criteria that may affect availability. Monitoring network performance and
availability, site failover and security incident handling are critical in this context.

9. TSC – Processing Integrity
The processing integrity criteria addresses whether or not a system achieves its purpose
(i.e., delivers the right data at the right price at the right time). Accordingly, data processing
must be complete, valid, accurate, timely and authorized.
However, processing integrity does not necessarily imply data integrity. If data contains
errors prior to being input into the system, detecting them is not usually the responsibility
of the processing entity. Monitoring of data processing, coupled with quality assurance
procedures, can help ensure processing integrity.

10. TSC – Confidentiality
Data is considered confidential if its access and disclosure is restricted to a specified set of
persons or organizations. Examples may include data intended only for company personnel,
as well as business plans, intellectual property, internal price lists and other types of
sensitive financial information.
Encryption is an important control for protecting confidentiality during transmission.
Network and application firewalls, together with rigorous access controls, can be used to
safeguard information being processed or stored on computer systems or cloud
infrastructure.

11. TSC – Privacy
The privacy criteria addresses the system’s collection, use, retention, disclosure and
disposal of personal information in conformity with an organization’s privacy notice, as
well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Personal identifiable information (PII) refers to details that can distinguish an individual
(e.g., name, address, Social Security number). Some personal data related to health, race,
sexuality and religion is also considered sensitive and generally requires an extra level of
protection. Controls must be put in place to protect all PII from unauthorized access.