Support Center
About Us
Facebook-f X-twitter Linkedin-in

SERVICE ORGANIZATION CONTROL
SOC 2

Let's talk!

SOC is a suite of reports from the American Institute of Certified Public Accountants (AICPA) that CPA firms can issue in connection with system-level controls at a service organization. SOC 2 reports on various organizational controls related to the five categories of the Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy.

IT Support for Manufacturing Firm

Who Must Comply?

If your organization stores or transmits potentially sensitive data on behalf of clients, earning SOC 2 certification (SOC 2 Type I or Type 2 Reports) is an important step–both legally and competitively. The types of organizations that should comply include SaaS providers; companies that provide business intelligence and analytics; businesses that oversee, facilitate, or consult with finances or accounting practices; cloud service providers; and those that store client information in the cloud.

5 TSC categories each cover a set of internal controls relevant to important aspects of your information security program:

The level of the CMMC certificate is dependent upon the type and nature of information that flows down from your
prime contractor. There are three levels of CMMC that range from basic cybersecurity hygiene to
advanced/progressive cybersecurity hygiene. Each level has its own set of controls observed in a CMMC audit. The
three levels of CMMC best practices are:

1

Security

The Security Category (also known as “common criteria”) refers to the protection of information throughout its lifecycle. This is the only category that is required. Security controls are established to protect against unauthorized access, unauthorized disclosure, or damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.

2

Availability

The Availability Category considers controls that demonstrate the system is available for operation and use as committed or agreed upon. Consider this criteria if your customers must demonstrate that their systems are available at all times. Availability does not set a minimum acceptable performance level but addresses whether systems include controls to support accessibility for operation, monitoring, and maintenance. Examples include sufficient data backups and disaster recovery plans.

3

Confidentiality

The Confidentiality Category requires companies to demonstrate that data classified as confidential is protected. Confidentiality applies to various types of sensitive data such as personal information, trade secrets and intellectual property. Controls for Confidentiality include encryption and identity, along with access management. This category should be considered if you are storing sensitive information that is protected by Non-Disclosure Agreements (NDAs) or if your customers have requirements to delete data that is obsolete.

4

Integrity

The Processing Integrity Category focuses on ensuring that a system process is complete, accurate, timely, and authorized. It addresses whether systems achieve their purpose and perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. This category should be considered if your customers are executing critical operational tasks on your systems such as data or financial processing. Because of the number of systems used by an entity, Processing Integrity is usually addressed only at the system or functional level.

5

Privacy

The Privacy Category aims to show that personal information is collected, used, retained, disclosed, and disposed of properly. Although similar to Confidentiality, Privacy refers specifically to Personally Identifiable Information (PII) that your organization collects from customers. It also verifies that appropriate parties have access to the information and what can be done with it. Controls for Privacy include privacy policies and consent management mechanisms. Consider this category if your customers are storing PII such as health records, payment card information, social security numbers, or birthdays.

HERE’S HOW WE WILL HELP YOU PREPARE FOR AN SOC 2 REPORT:

Level 1

We’ll answer all your questions and help you understand the cybersecurity practices for SOC 2 and all the bureaucratic fine print in your contract.

Level 2

We’ll do a gap analysis to identify gaps in controls and procedures relevant to the Trust Services Criteria (TSC).

Level 3

We’ll formulate a roadmap that charts the initiatives and timeline necessary to mature your processes and procedures.

We Can Help!

Right Hand Technology Group is CompTIA Security Trustmark+™ certified and has been ranked as one of the top Managed Service Providers in the world. Our experienced staff of Cybersecurity Professionals and Security Engineers have been working with various industries on cybersecurity for more than 20 years.

Our Offices
Pittsburgh Office
2400 Ansys Dr.
Suite 102
Canonsburg, PA 15317
(412) 254-4448
[email protected]
Tampa Office
610 E. Zack St.
Suite 110
Tampa, FL 33602
(813) 379-2808
[email protected]
SECURITY
COMPLIANCE
Quick links
Sign up to our monthly newsletter
Sign Up
Copyright ©2024 Right Hand Technology Group, Inc. All Rights Reserved.
Facebook-f X-twitter Linkedin-in