
Corporate Counsel Connect collection

April 2014 edition

An information security alphabet soup

Anne-Marie Scollay, IT Operations, Legal Tracker

We work in an era where technology is ubiquitous, and where employees are tethered virtually to their jobs between smart phones, tablets, laptops, and the Internet. Increasing demand for easy-to-use, highly available technologies that can be accessed from anywhere has contributed to an explosion of cloud service adoption by businesses. In a world where Software as a Service (SaaS) is becoming just one of many "technology as a service" offerings, businesses are seeking assurance that their data will be available and, most importantly, secure.

The answer to this concern has been a seemingly ever-growing alphabet soup of third-party audits and certifications that you may have heard your IT colleagues talk about: SOC 1, SOC 2 (Type I and Type II), SAS 70, SSAE 16, ISO 27001, ISAE 3402, CSTAR, and more seem to spring up daily. At the crux of each of these reports is the goal of providing assurance to the reader regarding the security of the audited service.

Launched in 2011, the SOC family of reports replaced the former standard, SAS 70 reports. SOC is shorthand for Service Organization Controls, and the criteria for the reports are governed by the American Institute of Certified Public Accountants (AICPA). SOC reports come in three varieties:

  • SOC 1, which is primarily focused on the financial controls of the service organization. For example, a payroll service may have an SOC 1 audit report issued to provide clients an understanding of the service's financial controls.
  • SOC 2, which can cover one or more of what are referred to as the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Service organizations like SaaS providers may have SOC 2 audits performed on one or more of the Trust Services Principles in order to provide clients with an independent analysis of the controls that support the selected Principle(s).
  • SOC 3, which is essentially an executive summary of the SOC 2 report for the service organization, but does not include an enumeration of the controls and test results.

Interestingly, not all SOC 2 reports are created equal. There are two types of report (Type I and Type II) and, as stated above, each report may cover one or more of the defined Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy).

  • Type I reports provide a description of the controls (processes, procedures, and the like) that were in place at the service organization at a specific point in time. A Type I report does not test the operating effectiveness of the controls, and as a result may provide only limited insight to readers.
  • A Type II report, on the other hand, covers a period of time and includes testing by the auditors to ascertain whether or not the controls are operating effectively. From a Type II report, a reader can gain an understanding not only of what controls the organization has in place, but also of whether those controls are functioning as expected.

If you're wondering how to know which report you need, the first place to start is to understand what services you are purchasing from your service provider, asking questions including, but not limited to:

  • What information will you be sharing with the service provider?
  • How sensitive to your company is that information?
  • Will the service provider be performing services on your behalf (e.g., calculating payroll) that could have a material impact on your financial statements?
  • Is your business in a regulated industry? If so, are there any particular regulations that may apply to the information that you will share with the service provider?
  • How critical to your business is the availability of the service provided?

Once you have a definition of the service(s) that you are purchasing from the service provider, use that information to determine which type of SOC report, and which Trust Services Principles (for SOC 2 reports), best apply.

While an SOC report (or any other type of audit or certification) does not guarantee the security and availability of the service organization, understanding the variations among the SOC reports will help you keep your organization's best interests in mind and be a more informed buyer of services.

For more information, visit AICPA's website.

About the author

Anne-Marie Scollay specializes in building teams for mission-critical systems, creating order from chaos, and seamlessly bridging the languages of technology and business. With a combined 15 years' experience in technology and logistics, Anne-Marie has a passion for operational excellence and a knack for thinking strategically. She has become intimately familiar with the concept of data security through her work for Legal Tracker, a Thomson Reuters company, for the past five years. In addition to overseeing the technology requirements for SaaS at multiple locations, she also manages Legal Tracker's information security responses and enjoys talking with legal and technology departments about their information security questions related to SaaS solutions.

A graduate of the University of Puget Sound with a Bachelor of Arts in Political Science, Anne-Marie sharpened her analytical skills coordinating shipments of everything from fish to sweaters before realizing her calling as a business professional with a penchant for technology. Anne-Marie has overseen high-availability sites and applications, provided thought leadership around information security, and is a respected leader with a proven ability to coach teams to excellence.

A private pilot, closet chef, and world traveler, she shares her life adventures with her rescued pit bull, Truffles.
