We live and work in a society that has become extensively regulated. Regulations have evolved over time with the purpose of protecting citizens from fraudulent products, unsafe work environments, poorly processed foods, impure water, fake medicines, polluted air, abuse of personal information, cyber theft, and numerous other hazards, dangers, and threats that present themselves as our society and our industries advance.
Regulation Is as Old as The U.S. Itself
Regulations have been a central element of our governance since America’s earliest days. According to an article in the Journal of American Affairs, the first regulations were developed to govern occupational licensing, inspections of goods for sale, and environmental nuisances. For example, doctors, lawyers, innkeepers, and members of other occupations were required to apply for licenses to operate their businesses—or pay fines for non-compliance. In other examples, cemeteries could not be too close to the heart of town due to environmental concerns, and certain food items required inspection to protect town residents.
Fast forward 125 years to the 1900s, and regulations had mushroomed to the point that the federal government began creating agencies to oversee and enforce them. The Food & Drug Administration was formed in 1906, and the Federal Trade Commission in 1914. Both the Federal Communications Commission and the Securities & Exchange Commission were established in 1934. The Occupational Safety & Health Administration was a relative newcomer in 1971, despite a factory fire in Manhattan that had killed 146 workers 60 years earlier.
In the 21st century, virtually every business in our economy is governed by at least one set of regulations, and many organizations are required to comply with the requirements of multiple regulatory agencies.
Three unassailable facts are as true today as they were in the mid-1700s. Businesses in virtually all industries continue to be governed by regulations, regulatory compliance is mandatory, and fines and other penalties may be and frequently are levied for non-compliance.
The vast web of regulatory requirements and their degree of complexity could never have been envisioned by our founding fathers. And while the intent of regulation is still, at its core, to protect the citizens of the United States, the mountains of red tape that create the letter of the law seem to thwart that objective.
Today, a list of the most common regulations and compliance frameworks reads like an alphabet soup: CCPA, FFIEC, GLBA, HIPAA, HITRUST, NIST CSF, PCI DSS, and SSAE 18 (SOC). Strictly speaking, only some of these are laws or regulations; HITRUST, NIST CSF, PCI DSS and SOC reporting are industry standards and attestation frameworks that customers and contracts impose, but the effect on a service provider is much the same.
The Rise of the Service Industry
Regulations have been affected in various ways as the U.S. has advanced through several evolutionary periods. We began as an agricultural society, growing food and raising livestock, with cottage industries producing modest consumer and commercial goods. The industrial age created a giant manufacturing engine between 1760 and 1830, spawning unprecedented innovation in the mass production of goods. The information age was launched by the personal computer in the late 1970s, and exploded as the Internet expanded in the 1990s and was embraced by commercial and personal users in the ensuing decades.
In this information environment, the U.S. shifted its focus from manufacturing tangible goods to producing and delivering services. This shift brought services, and the organizations who provide them, under an increasingly watchful regulatory eye.
Regulation of Service Organizations
If you are an organization that provides services, whether to businesses, consumers, or both, chances are you hold data belonging to your customers. If so, it is to your advantage to obtain a SOC report issued under SSAE 18, the prevailing attestation standard of the American Institute of Certified Public Accountants (AICPA). Note the division of roles: SSAE 18 is the standard the auditor follows when performing the examination, and the SOC report is the deliverable you receive. The scope of that examination covers not only you, as the primary service provider, but also any subservice organizations (subcontractors) you rely on in the handling of your customer data, which must be either included in the report or explicitly carved out of it.
Examples of service organizations include financial services providers, payroll processing firms, information technology service providers, data centers, cloud services providers, hosting companies, IT managed services firms, payment processors, and any other service providers who maintain, process, or store customer data. In the information age, that covers a lot of ground.
Your Customers’ Rights
Any customer of a service organization can require, typically by contract, that their service provider prove it has proper controls in place and that those controls have been examined by an independent third-party auditor, which for SOC reports means a licensed CPA firm.
Going further, many commercial customers of service providers have established formal policies, internally, that require them to periodically verify their providers are SSAE-compliant.
In both cases, the proof of compliance is provided in the form of SOC reports.
The Elements of SSAE 18 Compliance
SSAE, or the Statements on Standards for Attestation Engagements, was created by the American Institute of Certified Public Accountants (AICPA) to standardize the way auditors examine and report on the controls at service organizations, such as financial reporting or security controls.
SOC reports, originally "Service Organization Control" reports and renamed "System and Organization Controls" by the AICPA in 2017, were created to provide a standard reporting format. The three SOC report formats are SOC 1, SOC 2, and SOC 3.
The AICPA has also developed a cybersecurity risk management framework that assists service organizations in demonstrating the effectiveness of their overall cybersecurity risk management programs.
What You Need to Know about SOC Reports
Simply put, SOC 1 relates to controls at a service organization that affect its customers' financial reporting. SOC 2 deals with controls over the security and handling of customer data held by a service organization. And a SOC 3 report is a general-use summary of a SOC 2 report with the detailed testing information removed. In somewhat greater detail:
- A SOC 1 report covers the internal controls that a service organization has in place that are relevant to its customers' internal control over financial reporting, for example a payroll processor's controls over the calculations that feed into its clients' books.
- SOC 2 reports validate that service providers (and any subservice organizations working on their behalf) have controls in place to address the security, availability, processing integrity, confidentiality, and privacy of the customer data they are responsible for managing.
- A SOC 3 report is an abridged, general-use version of the SOC 2 report. It names the organization and the system examined and carries the auditor's opinion, but omits the detailed description of the controls, the tests performed, and their results, which is why it can be distributed freely while a SOC 2 report is restricted to customers and their auditors.
In addition, there are two types of SOC 2 reports (the same distinction applies to SOC 1 reports):
- A SOC 2 Type 1 report describes a service organization's customer data protection controls as of a particular date, and gives the auditor's opinion on whether those controls are suitably designed at that point in time. It does not test whether they actually operated.
- A SOC 2 Type 2 report covers a review period, typically six to twelve months, and attests to the operating effectiveness of the controls during that period, based on the auditor's tests. Because a Type 2 report shows that controls worked rather than merely existed, it is the report most customers ask for.
SOC 2 reporting gained prominence after its introduction by the AICPA in 2011, as the explosive growth of cloud computing and service provider outsourcing spurred the transfer of customer data to subcontractors' systems and to cloud processing and cloud storage systems. The data management risks were evident, which led to the implementation of data protection measures and to customer demands for proof that proper measures were in place.
The five categories evaluated in SOC 2 reports are known as the Trust Services Criteria. They cover the security, availability, processing integrity, confidentiality, and privacy of customer data. Security (the "common criteria") is included in every SOC 2 examination; the other four are added to the scope at the service organization's option, so a SOC 2 report should always be read with attention to which categories it actually covers. As an example, the security category applies to the protection of a service provider's systems and information technology against unauthorized access, which could in turn compromise or destroy customer data.
Advantages of SOC Reports
With the protection of customer data being of utmost importance, SOC 2 reports have several important uses for service providers.
Many subcontractors that provide services on behalf of service organizations obtain their own SOC reports as an aid in marketing to other service organizations, since a prospective client that must account for its subservice organizations in its own SOC report will prefer a vendor that already has one.
SOC 3 reports, the generic versions of SOC 2, enable service organizations to share their proof of compliance with customers or prospective customers without revealing proprietary information about the organization.
Many service organizations promote the fact that they are SSAE-compliant in their sales materials and on their websites, referring to their SOC reports as evidence.
Others use their SOC reports to reassure existing customers that their data is being properly protected.
Whatever the use, a SOC 2 report is the accepted evidence that you have proper data security and privacy controls in place and that they have been independently examined by a licensed CPA firm under SSAE 18.
Now That You Know, What Should You Do?
Assuming that you are a service organization responsible for handling your customers’ data, whether directly or through a third-party, you need to obtain a SOC 2 report proving you have the proper controls in place to protect that data.
Your first step should be to conduct an SSAE Readiness Assessment, which will help you prepare for the SOC examination itself, which must be performed by a licensed CPA firm. SSAE Readiness Assessments are frequently performed by data security experts at 24By7Security for that purpose, and include these activities:
- Reviewing and scoping systems, processes, infrastructure, and applications that relate to customer data.
- Reviewing existing data privacy and security policies and procedures.
- Developing missing policies and procedures related to customer data protection.
- Reporting findings, with clear, actionable recommendations for improvements that will enable the service organization to become well-prepared for the SSAE audit.
As soon as you are prepared for the SSAE audit, we can assist you in identifying a licensed CPA firm qualified to conduct the examination.
Upon completion of the formal examination, you will receive a SOC 2 report containing the auditor's opinion from the assessor, as well as the SOC 3 version if requested.
24By7Security also has the experience and expertise to conduct a security risk assessment for your organization, in accordance with the AICPA cybersecurity risk management framework. We will evaluate your complete cybersecurity posture, test system defenses, identify infrastructure vulnerabilities and much more, and present you with a comprehensive report of findings with actionable recommendations for improvement.
Regulation of businesses dates back to the earliest days of the United States, evolving in response to advances in our society and industries and becoming increasingly complex. As the industrial age gave way to the information age, the manufacturing of goods in the U.S. was largely displaced by the development of a service economy, with its own set of regulatory requirements driven by the protection of customer data.
SOC reports issued under SSAE 18 enable service organizations to demonstrate that they have the proper controls in place governing the security, availability, processing integrity, confidentiality, and privacy of the customer data they are responsible for handling. Customers of service organizations may require proof of those controls at any time. Therefore, service organizations that do not have a current SOC report should take immediate steps to prepare for an SSAE examination in order to obtain one, and gain an important competitive advantage.