SOC 2 Compliance – What It Is and Why It Matters

With risks rising and awareness about data security at an all-time high, it’s no longer enough to say we have good security practices in place. eBizDocs takes security very seriously and proves it with its SOC 2 report.

SOC 2 is a standardized framework applicable to all technology service companies that handle customer information and/or store customer data in the cloud. The framework helps ensure that organizational controls and practices effectively safeguard the privacy and security of customer data.

A SOC 2 audit allows eBizDocs to demonstrate that its security policies and controls are in order and tracked consistently over time. SOC 2 standards focus on five trust services criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. Only Security is required for a SOC 2 audit and report. However, eBizDocs opted to also include Availability, based on our industry and the types of data we process.

According to the AICPA standards, Security and Availability mean:

Security

Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.

This means best practices like two-factor authentication, access controls, identity management, encryption, breach alerts, and maintaining firewalls are in place. It also means having well-documented security policies and procedures, a good security training program, and enforcing best practices with infrastructure providers and vendors.

Availability

Information and systems are available for operation and use to meet the entity’s objectives. Systems meet availability standards as outlined in a Service Level Agreement (SLA).

When auditors evaluate availability, they check that the promises made in the SLA are kept and what systems are in place to ensure performance, support disaster recovery, and provide incident management.

What is a SOC 2 Report?

A SOC 2 report is a third-party attestation. The report must be issued by a licensed CPA firm, whose goal is to assess the Security and Availability trust services criteria discussed above.

There are two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2. Type 1 focuses on a single point in time (Was the organization compliant last week?). Type 2 focuses on a period of time (Was the organization compliant for the last continuous year?). The latter carries more weight and has a higher bar. eBizDocs meets the higher standard and successfully received its SOC 2 Type 2 compliance report.

eBizDocs’ report contains five sections: an opinion letter/auditor report, management assertion, detailed description of the system or service being evaluated, details specific to each of the trust services categories being evaluated, and test results from testing done on the controls evaluated. This large report is treated as privileged information and is only available upon request. To request a copy of the eBizDocs SOC 2 report, please complete this form.

About eBizDocs – eBizDocs is a premier digital transformation provider focused on helping you put INFORMATION AT YOUR FINGERTIPS. Offerings include paper and microfilm conversion, content capture and document management solutions, scanner sales and service, and process consultation. eBizDocs is SOC 2 Type II certified and serves private and public-sector organizations. The company has been in business for over 20 years and is a preferred source contractor for NYS entities. To learn how eBizDocs can help transform your operation, visit eBizDocs.com.