HillSouth annually has an independent CPA firm audit its controls and procedures to verify that HillSouth meets or exceeds the SOC 2 Service Provider Guidelines. Read on to learn more about how this independent review can offer confidence in HillSouth’s services to its clients
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
What is a SOC 2 Audit?
Developed by the American Institute of CPAs AICPA, SOC 2 is specifically designed for service providers storing customer data in the cloud. So, what does SOC 2 require, exactly? It’s considered a technical audit, but it goes beyond that: SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing, integrity, and confidentiality of customer data. SOC 2 ensures that a company’s information security measures are in line with the unique parameters of today’s cloud requirements. As companies increasingly leverage the cloud to store customer data, SOC 2 compliance is becoming a necessity for a wide variety of organizations.
What are the 5 Trust Principles?
SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.
The security principle refers to protection of system resources against unauthorized access. Access controls help prevent or detect the breakdown, system failure, potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
IT security tools such as network and Unified Threat Management (UTM), Multi-Factor Authentication and Data Encryption are useful in preventing security breaches that can lead to unauthorized access of systems and data.
The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.
This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
3. Processing integrity
The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.
However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.
The confidentiality principle addresses the system’s ability to protect information designated as confidential, including, its final disposition and removal from the system. Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.
Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Personal identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII/PHI from unauthorized access.
Please contact [email protected] to request full audit report.