SOC 2

SOC 2 is a voluntary compliance standard for services organizations, which defines criteria for managing customer data. SOC 2 is the second of three types of reports under the System and Organization Controls (SOC) standards program managed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is based on five core “trust service principles” – Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The SOC 2 core “Trust Service Principles” focus on IT controls in the following areas:

1. Security
   • Firewalls
   • Intrusion detection
   • Multi-factor authentication
2. Availability
   • Performance monitoring
   • Disaster recovery
   • Incident handling
3. Confidentiality
   • Encryption
   • Access controls
   • Firewalls
4. Processing Integrity
   • Quality assurance
   • Process monitoring
5. Privacy
   • Access Control
   • Multi-factor authentication
   • Encryption

SOC 2 reports provide internal and external stakeholders—regulators, customers, partners, vendors, etc.—with detailed information about the controls in place to manage and process their user data.

SOC 2 reports come in two types: 

• Type I describes a service organization’s systems and whether the system design complies with the relevant trust principles.
• Type II addresses and describes the operational efficiency of these systems.

You can find more detailed information about SOC 2 at the AICPA.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.