
Demystifying SOC Reports to Build Trust and Reduce Risk


Part 1 of 3: How Service Providers Can Build Trust with Their Customers

By Zachary Ugol, Risk Management Consultant        

Who is responsible for Information Security Controls?

The rise in cloud-based technology and third-party solutions increases both the complexity and the uncertainty of security and compliance responsibilities. Service providers and their customers need to understand how those responsibilities are shared and split. This applies to Software as a Service (SaaS) and Infrastructure as a Service (IaaS) offerings, to operational services such as credit card processing and billing, and to IT services such as security monitoring and hosting.

Does your organization rely on service providers that handle sensitive data, including financial records and Personally Identifiable Information (PII)? Do you have insight into how your service providers are protecting this data?

Or, if you are a service provider, do you understand your customers’ compliance requirements as they relate to data security? For instance, are your customers required to comply with HIPAA, HITRUST, NIST, or a state standard such as Virginia’s SEC501? Are there contractual provisions that require you to report on your security controls?

There is often a disconnect between the services being provided and the level of reliance being placed on service providers. This disconnect can lead to uncertainty around the division of responsibility for information security controls. If service providers and customers are not aligned around data security, the risk of a security breach increases.

Recently, Quest Diagnostics and LabCorp disclosed a data breach at one of their billing collections vendors, American Medical Collection Agency (AMCA). According to CNBC, AMCA provides billing collections services to Optum360, which is a Quest contractor. This incident, and many like it, highlights the need for greater transparency between service providers and customers around data security requirements.

What is a SOC report and how can it help?

System and Organization Controls (SOC) reports were developed by the American Institute of Certified Public Accountants (AICPA) with the goal of helping to increase the trust between service providers and their customers.

To obtain a SOC report (pronounced “sock”), a service provider engages an independent third-party auditor to examine its relevant internal controls and produce a report that the provider can then distribute to its customers.

SOC reports can clarify the services being provided and the responsibilities of the user in order to ensure that all parties are aligned around security requirements. The table below shares some of the benefits provided by SOC reports.

SOC Reports: Benefits for Customers and Service Providers

Customers
  • Increase visibility into service providers’ controls
  • Clarify responsibilities between service providers and customers
  • Understand potential vulnerabilities introduced by service providers

Service Providers
  • Identify opportunities to strengthen back-end security controls
  • Reduce the cost of compliance, including the time spent responding to customer audit requests and filling out vendor questionnaires
  • Meet contractual obligations related to security requirements
  • Receive continuous feedback on controls to increase the effectiveness of security procedures


SOC Reports for Compliance, Building Trust, and Reducing Risk

To ensure ongoing protection against potential security breaches, customers and service providers must be on the same page regarding compliance requirements and must divide responsibilities accordingly. For customers, it is important to understand how vendors support your compliance requirements. For service providers, it is important to understand stakeholder compliance requirements and to design services so that they meet those requirements. SOC reports are one of the tools available for achieving these objectives.

Stay tuned for our next SOC Reporting blog!

Check back next week for part two of our series, which explores the kinds and types of SOC reports. We’ll cover SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports, as well as the difference between Type 1 and Type 2 reports. Follow us on LinkedIn, Facebook, and Twitter for updates.

Learn More: The Impact Makers Solution

Impact Makers’ Risk Management consultants have knowledge of SOC reports and insights to help both service providers and their customers.

For service providers, we help answer the following questions:

  • Do I need to provide a SOC report to my customers?
  • If so, am I ready for a SOC report?
  • What do I need to do in order to prepare for a SOC report?

For customers, we help answer:

  • Do I need to request a SOC report from my service provider?
  • If I already receive a SOC report, what information is important for me to review?
  • What am I required to do with the results of the SOC report?
  • Do control failures impact our compliance requirements?
  • Does the existing SOC report meet my compliance requirements?

We work with our customers to deliver and enable strategic business advantage with Information Security & Risk Management services.

To learn more, contact us.