The Five Principles of SOC 2: An Inside View Of Failed Information Security

For all the business-defining benefits that information technology provides, there are also countless risks. These can range from financially crippling to life threatening, and everything in between.

Before outsourcing activities like data centres and SaaS (Software as a Service), organisations need assurance that their providers’ services are watertight. ISAE 3000 (SOC 2) is an internationally recognised auditing standard that does exactly that, following five principles: security, availability, processing integrity, confidentiality and privacy.

To highlight their importance, we’ve discussed real-world examples from companies that have suffered due to poor applications of each principle.

1. Security

Your system resources, and all the data therein, must be protected against unauthorised access. Security tools such as firewalls and intrusion detection can help prevent harmful breaches which could expose sensitive information and corrupt your system.

Phishing is a common security threat used by cyber criminals to access private data through the use of fraudulent emails. In 2013, Yahoo’s network was infiltrated by hackers using this very method, exposing three billion user accounts.

2. Availability

It goes without saying that your system needs to be accessible, with consistent performance levels to prevent downtime. Security incidents and ‘disaster’ events can affect continuity, leading to data loss and much more.

In 2018, giant communication platform Slack was struck by a bug which caused unexpected spikes in network activity. As a result, it went down for four hours during a peak period, affecting hundreds of thousands of businesses worldwide.

3. Processing integrity

This principle ensures your system is functioning as intended, for example delivering important information at the correct time and place. Your data processing must be complete, valid, accurate, timely and authorised, which can be assessed through quality assurance.

Poor processing integrity can lead to deadly software blips, as it did for medical equipment manufacturer CareFusion in 2015. A pump designed to automatically deliver medicine and fluids to hospital patients encountered an error, causing it to delay an infusion which could have had fatal consequences.

4. Confidentiality

Keeping data confidential ensures it’s restricted to specific users, such as verified employees. This helps to protect sensitive information including financial details and intellectual property.

eBay encountered an almost catastrophic security breach in 2014, when large numbers of customer passwords were compromised. Quick action had to be taken to encourage users to change their passwords to prevent credit card details being stolen.

5. Privacy

The privacy principle refers to the system’s ability to protect personal information such as name, address, health, sexuality and so on. Unauthorised access puts this at risk, and must be prevented through the use of appropriate controls.

Back in 2015, dating site Ashley Madison was hacked, and huge amounts of customer details leaked online. Some of these users were then targeted by extortionists, with unconfirmed reports of suicides occurring as a result.

Achieve certification from Centre for Assessment

When it comes to protecting important data and keeping your outsourced services up to scratch, the importance of ISAE 3000 (SOC 2) can’t be overstated. Centre for Assessment is a UKAS-accredited certification body, able to facilitate in-depth auditing that ensures your organisation competes with the best in the industry.

Our friendly team of professionals is ready to deliver a service that suits your needs. Find out more by calling 0161 237 4080 or emailing sales@centreforassessment.co.uk.