When it comes to your data, and your customers’ data, you can never be too careful or too secure. According to Juniper Research, the cost of cybercrime will reach $2 trillion by 2019, and the Ponemon Institute currently pegs the average cost of a single breach in the U.S. at $7 million. Of the 1,000 IT leaders who participated in a cybersecurity study for Invincea, 75 percent had experienced a breach in the past year and 62 percent expected to experience one in the coming year.
These are staggering numbers that underscore the importance of backup and disaster recovery. When choosing a solution to fit your business, it’s critical to ask questions and do your research, both before you sign with a service provider and on a consistent basis afterward.
In fact, some of the most common questions we get from customers revolve around security.
- How do you protect my company’s data from potential threats?
- What critical security controls have you implemented to ensure the security of my company’s data?
- What types of testing are performed to ensure the effectiveness of the security controls that you have implemented?
How can you be sure a service provider has really prepared for all the potential issues? One major framework that has recently come to the forefront of the security discussion is SOC 2.
By undergoing a detailed, thorough audit by an independent CPA firm, a service provider obtains a SOC 2 report attesting to its controls; this is what is commonly meant by being “SOC 2 compliant.” If a company has completed this process, you know its handling of your data has been measured against a strict set of principles. ClearSky Data recently completed this process and is now SOC 2 compliant.
Let’s look at what exactly being SOC 2 compliant means, and why it’s important.
What is SOC 2 compliance?
The Service Organization Control (SOC) reporting framework (since renamed System and Organization Controls) was developed by the American Institute of CPAs (AICPA) to give service providers a common yardstick for the complex, diverse security issues they face, and to give their customers a consistent way to evaluate them. SOC 2 applies to companies that provide services such as data hosting, colocation, data processing and software-as-a-service (SaaS), and is based on five “trust services principles” that reflect different criteria for managing customer data: security, privacy, availability, processing integrity and confidentiality.
The five SOC 2 principles
The SOC 2 principles double as a useful way for customers to organize their own concerns: most aspects of managing data fall into one of these five categories. Note that security is the only principle every SOC 2 audit must cover; the other four are examined only if the service provider chooses to put them in scope, so the scope section of a report tells you which of the five were actually tested. For each principle in scope, the provider must have clear, well-documented controls that the auditor can verify.
- Security means system resources are protected against unauthorized access, whether physical or logical. Typical controls include network and application firewalls, two-factor authentication and intrusion detection.
- Privacy addresses how the system collects, uses, retains, discloses and disposes of personal information, and how that process aligns with the organization’s privacy notice and with the AICPA’s generally accepted privacy principles (GAPP). Typical controls include access control, two-factor authentication and encryption.
- Availability looks at whether a company’s services, products and systems are accessible as promised in its contracts and service level agreements (SLAs). It covers performance monitoring, disaster recovery and security incident handling.
- Processing integrity asks whether a system does what it is meant to do: is processing complete, valid, accurate, timely and authorized, and does it deliver the performance agreed upon with the customer. It involves quality assurance and process monitoring.
- Confidentiality relates to data whose access or disclosure is limited to specific parties (business plans, intellectual property, customer data covered by contract), as distinct from privacy, which concerns personal information. It involves encryption, access controls, and network and application firewalls.
Why does SOC 2 matter?
It’s important to note that no vendor is required to be SOC 2 compliant; it’s a voluntary process, and a company that chooses to go down this path is signaling that security is central to its operations. SOC 2 is an attestation, not a certification: an impartial outside CPA firm examines the controls over a period of months and issues a report. A Type I report covers the design of the controls at a point in time; a Type II report also tests whether they operated effectively over a review period, typically six to twelve months, and is the more meaningful of the two. When a provider says it is SOC 2 compliant, ask for the report itself and check which principles and systems were in scope, the period it covers, and any exceptions the auditor noted.
SOC 2 compliance is well worth the effort. It’s a very tangible way for ClearSky to ensure that your data, and your customers’ data, is handled using the strict guidelines mentioned above. It’s more than checking a box; it’s a commitment that goes to the very heart of your relationship with a service provider.
To learn more about securing your data in the cloud, read the white paper, “Securing the New Model for Enterprise Storage.”