What is a SOC 2 Audit? Why your IT Provider MUST have one!
PCR Business Systems is currently undergoing a SOC 2, Type II audit. We chose to go through the SOC 2 auditing process for one simple reason—to give our partners peace of mind knowing that we follow the best practices in the IT industry and that we take no shortcuts when it comes to protecting their sensitive data.
This article explains what a SOC 2 audit is and why you should only work with an MSP that is SOC 2 certified.
Developed by the American Institute of CPAs (AICPA) to help address risk concerns for businesses who outsource services to a third-party, SOC (System and Organization Control Requirements) is an independent audit that takes an extensive look into the internal security controls a managed service provider (MSP) has in place to determine if they are properly managing the data security of their clients and delivering the services spelled out in their user agreements.
The SOC 2 report defines the criteria for managing a client’s confidential data by breaking it down into five “trust services criteria.” These criteria include security, availability, processing integrity, confidentiality and privacy.
Security— How does the service provider protect their system against unauthorized access (think hackers, rogue employees, malware, etc.)? This includes the security tools an MSP has in place, such as two-factor authentication, firewalls, and intrusion detection systems.
Availability— Is the system available for operation as agreed upon in your contract? The availability trust principle reports on performance monitoring; how an IT service provider handles disaster recovery (do they have a disaster plan in place, and how long will it take them to get your business back up and running?); and security incident handling.
Processing Integrity— Is the system doing what it is supposed to? Is the system processing valid, timely, complete, accurate, and authorized information? The processing integrity principle includes data process monitoring and quality assurance procedures.
Confidentiality— Is access to confidential data restricted to only the users who should have access to it? This includes the encryption, access controls, and network and application firewalls the MSP has in place to protect the data being stored and processed on their computer systems.
Privacy— Refers to how your IT provider collects, uses, retains, discloses, and destroys personal information. Is it in accordance with their privacy notice? This is extremely important for any business that collects any type of personal data!
Two words…trust and reliability.
As we mentioned in the article “The Wild West of IT Services,” there are no official governing entities overseeing IT Providers. The SOC 2 audit is the only way to guarantee that you are outsourcing your IT to a trusted and reliable company. The SOC 2 report eliminates time spent worrying about how your service provider is protecting your sensitive data so that you can focus on running your business.
It’s amazing how many businesses entrust their most sensitive data to a third-party service provider without understanding the risks.
For example, did you know that if your Akron IT Provider gets hacked and your customers’ private data gets compromised, you could be liable? This is a very real threat if your MSP does not have the proper security measures in place.
What many businesses don’t realize is that their service provider is often the weakest link in their data security. In addition to being unregulated, IT firms in Akron, OH are also often the targets of hackers. This is because IT providers hold the keys to the castle—meaning they store the customer data and passwords for many different clients—not just one business. Why hack one company when you can go after several all at once?
With data breaches becoming more and more common, it is imperative that your business works with a company that has proven to have the strictest data security controls in place.
Remember, if your data is mishandled or compromised it could leave your business vulnerable to attacks, data theft, and/or lawsuits that could potentially destroy your business. Working with an IT provider that is not SOC 2 compliant is not worth the risk!
We want to give our clients peace of mind by showing them, through a detailed auditing process, that we have the controls and procedures in place to safeguard their data, and that the services we promise are the services we deliver.
The SOC 2 Report validates that we are qualified, professional, and follow the best practices in the IT industry.
In addition, PCR Business Systems will also be SOC 2, Type II certified. “Type II” looks at our controls over time—meaning that we continue to be monitored to ensure we always deliver the best Akron IT services possible.