PCR Business Systems recently completed our SOC 2 audit. We chose to go through the SOC 2 auditing process for one simple reason—so our partners know we follow the best practices in the IT industry and that we take no shortcuts in protecting their data. This article explains what a SOC 2 audit is and why you should only work with an MSP that is SOC 2 certified.
What is a SOC 2 Audit?
SOC was developed by the American Institute of CPAs (AICPA) to help address risk concerns for businesses that outsource services to a third party. SOC (System and Organization Control Requirements) is an independent audit that takes an extensive look into the internal security controls a managed service provider (MSP) has in place to determine whether they are properly managing the data security of their clients and delivering the services promised in their user agreements.
The SOC 2 report defines the criteria for managing a client’s confidential data by breaking them down into five “trust services criteria”: security, availability, processing integrity, confidentiality, and privacy.
Security – How does the service provider protect their system against unauthorized access (hackers, rogue employees, malware, etc.)? This includes the security tools an MSP has in place, such as two-factor authentication, firewalls, and intrusion detection systems.
Availability – Is the system available for operation as agreed in your contract? The availability trust principle reports on performance monitoring; how an IT service provider handles disaster recovery (do they have a disaster recovery plan in place, and how long will it take them to get your business back up and running?); and security incident handling.
Processing Integrity – Is the system doing what it’s supposed to? Is the system processing valid, timely, complete, accurate, and authorized information? The processing integrity principle includes data processing monitoring and quality assurance procedures.
Confidentiality – Is access to confidential data restricted only to the users who should have access to it? This includes the encryption, access controls, and network and application firewalls the MSP has in place to protect the data being stored and processed on their computer systems.
Privacy – Refers to how your IT provider collects, uses, retains, discloses, and destroys personal information. Is it in accordance with their privacy notice? This is extremely important for any business that collects any type of personal data!
Why you should ONLY work with SOC 2 Compliant IT Providers
Two words … trust and reliability.
As we mentioned in the article “The Wild West of IT Services,” there are no official governing entities overseeing IT Providers. The SOC 2 audit is the only way to guarantee you are outsourcing your IT to a trusted and reliable company. The SOC 2 report eliminates time spent worrying about how your service provider is protecting your sensitive data so you can focus on running your business.
It’s amazing how many businesses entrust their most sensitive data to a third-party service provider without understanding the risks.
For example, did you know that if your Akron IT Provider gets hacked and your customers’ private data gets compromised, you could be liable? This is a very real threat if your MSP does not have the proper security measures in place.
What many businesses don’t realize is that their service provider is often the weakest link in their data security. In addition to being unregulated, IT firms in Akron, OH, are also often the targets of hackers. This is because IT providers hold the keys to the castle—meaning they store the customer data and passwords for many different clients—not just one business. Why hack one company when you can go after several all at once?
With data breaches becoming more and more common, it is imperative your business works with a company that has the strictest data security controls in place.
Remember, if your data is mishandled or compromised, it could leave your business vulnerable to attacks, data theft, and/or lawsuits that could potentially destroy your business. Working with an IT provider that is not SOC 2 compliant is not worth the risk!
Why We Chose to Be SOC 2 Audited
We want to give our clients peace of mind by showing them, through a detailed auditing process, that we have the controls and procedures in place to safeguard their data, and the services we promise are the services we deliver.
The SOC 2 Report validates that we are qualified, professional, and follow the best practices in the IT industry.
Have questions about the SOC 2 auditing process? Send us an email at firstname.lastname@example.org or call 330-572-7575.