The Importance of SOC® Attestation for Managed Service Providers and Their Clients
With more and more companies looking to move diverse facets of their IT operations to Managed Service Providers, one topic that often comes up is how your organization evaluates the security of a service provider’s operations. Perhaps you should send each of the prospective MSPs a vendor security assessment questionnaire and evaluate their responses? That may not work out as many organizations will not complete a VSAQ for a prospective client or organization not under an MNDA. On top of that, responses on a VSAQ aren’t generally supported by evidence, and may be written to shield the service provider from scrutiny.
A better option for conducting a balanced comparison of security postures is to ask the MSP for an evaluation of their security program from an independent auditor. But with so many options, from PCI, to ISO27001, to NIST CSF, how do you choose? Enter the SOC (and I don’t mean Security Operations Center). SOC, which stands for System and Organization Controls, is an evaluation program created by the American Institute of Certified Public Accountants (AICPA). SOC for Service Organizations is a prime example of how a business can quickly evaluate the application and effectiveness of a service provider’s information security, risk management, and organizational management programs.
The Many Flavors of SOC
Under the umbrella of SOC for Service Organizations there are three different versions of SOC reports available for service providers to choose from. AICPA also specifies two different types of SOC reports, depending on the needs of the evaluated organization.
The SOC 1 is an evaluation of the controls that an organization has around financial reporting. While this could be useful to your organization if you are looking to outsource critical parts of your business and want to be sure that a service provider is operating effective financial controls, this is generally not the type of report you should be seeking.
A SOC 2 is based on AICPA’s Trust Services Criteria, and evaluates the suitability of controls that an organization has as they relate to the security, confidentiality, availability, processing integrity, and privacy of their described system. This is the meat and potatoes of what your organization should be evaluating when selecting a new Managed Service Provider. A SOC 2 will have a description of the system and organization under evaluation, and a full listing of the internal controls under evaluation, as well as their criteria ties.
A SOC 3 is also based on AICPA’s Trust Services Criteria, and is generally done hand in hand with a SOC 2. The biggest difference in the final reports is that a SOC 2 will have a description of the controls under evaluation, while a SOC 3 will not. A SOC 3 is therefore a good option for service providers to publicly display on their websites or provide to prospects or others not under an NDA.
Both the SOC 1 and SOC 2 have two types of examinations that may be performed by an independent auditor. A Type 1 examination is used to evaluate the suitability of the controls that an organization states in its system description at a given point in time, where a Type 2 examination _also_ evaluates whether those controls are not just suitable but also the effectiveness of the organization in operating the controls over a period of time. The Type 2 report is generally considered more comprehensive and informative than a Type 1.
Why you want your MSP to have a SOC Attestation
Now that we’ve covered the different sorts of SOC reports available to organizations, let’s consider why your organization would want an MSP to have a SOC attestation.
Every SOC 2/3 evaluation is conducted against the Trust Services Criteria to ensure that an evaluated organization has sufficient controls around organizational oversight, risk and vendor management, security, availability, and confidentiality. When an organization is lacking controls in a specific area, the third-party auditors will either work with the organization to establish new controls that meet the criteria, or call out a finding in the report that the criteria has not been met. Additionally, your organization can ensure that you are choosing an MSP that has been evaluated against not just the Common Criteria, but also Confidentiality, Availability, and Processing Integrity, if those criteria are important to you.
A SOC 2 Type 2 attestation will not only tell you that your MSP is covering all of the required criteria, but that they also proved to an independent auditor that they are actually operating their controls as stated. It doesn’t really do you as a client much good to hear from your MSP that they have strong password requirements (let’s say, 15 character minimums) if they don’t actually enforce those requirements somehow. By electing to have a Type 2 evaluation performed, an organization is committing to providing evidence that each of their controls is operating as intended and that they can account for any deviations from those controls.