This article follows our recent post Why cybersecurity is important for digital asset management and addresses the questions we have received by many of our customers who want to know more about what SOC 2 is and why it is of such high importance. I have attempted to make this content palatable for business users by providing simple explanations of otherwise complex concepts.
SOC stands for system and organisational controls. These controls act together to monitor, prevent, detect, investigate, and respond to cyber threats around the clock. SOC teams are charged with monitoring and protecting assets including intellectual property, personnel data, business systems, and brand integrity.
With the prevalence of SaaS solutions, risk management and cybersecurity have become of primary importance for everyone. As a measure of the level of security that a particular vendor offers it’s clients, compliance is a high visibility statement of having achieved a high level of security, and the willingness to be independently audited as a testament to the efficiency of risk management framework that has been implemented.
SOC 2 compliance is a standard that has been created by the American Institute of Certified Public Accountants AICPA. Correctly speaking the term is AICPA & CIMA, when in 2017 AICPA merged with Chartered Institute of Management Accountants CIMA to form one single organisation. AICPA & CIMA is regarded as most influential body of accountants and finance experts in the world, with 689,000 members, students and engaged professionals globally.
SOC 1 is an audit report specifically designed for systems that manage financial data. SOC 2 is a broader audit report that is applicable to non-financial systems and is focused on ensuring the confidentiality and privacy of your data is being maintained. For the purposes of a DAM solution, SOC 2 is appropriate.
In Australia SOC 2 is regarded as an equivalent of ASAE 3150.
If you are an organisation in Australia wanting to ensure that a solution (typically SaaS) that you are wanting to use or are using, provides sufficient level of risk management for your data, then it is important to request and review the SOC 2 reports from the vendor. There are two types of SOC 2 reports:
- Type I describes the organisation’s systems and whether the system design complies with the relevant trust principles.
- Type II details the operational efficiency of these systems.
There are a range of approaches for an organisation to review the SOC 2 qualifications of the solutions in use.
Your own technical team can take a deep dive examining the SOC 2 auditors report and making your own analysis of the efficiency of the risk management framework. However, this requires that you have cybersecurity experts on your team that are both qualified and experienced to make such judgements.
Alternatively, an organisation’s management team can familiarise themselves with the overall intent of the SOC 2 standard and review the assurances that they receive as part of an independent auditors report, without going into the technical details of the risk management framework. This is a much more palpable and realistic alternative for most Australian organisations.
What works for you will most probably be somewhere in between these two alternatives.
It must be remembered that risk management is all about reducing risk to an acceptable level. No risk management framework will ever remove all forms of risk, nor is professional risk management intended to achieve this.
Once risk has been identified and reduced to an acceptable level by the qualifications and compliance of suppliers, further mitigation can be undertaken, if required, by additional approaches such as insurance.
To conclude, SOC 2 compliance ensures that your provider has implemented robust security measures and controls to protect your data from cyber threats. Key reasons why SOC 2 certification is important are data security, risk management, independent audit, compliance assurance and competitive advantage.
Selecting a DAM solution provider with SOC 2 certification is crucial for ensuring the security and integrity of your data. It provides assurance that your provider has implemented robust security measures, undergone independent auditing, and follows internationally recognised standards.
