Unless you’re in a regulated industry, security probably isn’t the first thing that comes to mind when you’re outlining criteria for a new marketing partner. However, in today’s technologically integrated world, data security is one of the most important qualities that a marketing partner can possess.
A company that performs regular security audits and stays current with compliance requirements should be given top consideration, especially if your programs have sensitive customer information.
SOC 2 is one of the most common security assurances that companies dealing in technology or information should meet in order to do business. But what is SOC 2 and what does it mean to be SOC 2 compliant?
SOC stands for “System and Operations Controls.” SOC regulations were developed by AICPA (American Institute of Certified Public Accountants) to regulate the security of service organizations that store or process customer data.
The SOC 2 report is intended to provide assurance about the internal controls governing security, availability, and processing integrity of the systems an organization uses to process user data, as well as the confidentiality of all data processed by these systems and privacy of the data processed by the systems.
In plain English: SOC 2 gives you peace of mind knowing that your data is in good hands with a SOC 2 compliant company.
To receive SOC 2 compliance, companies must demonstrate that they not only have policies and procedures in place that protect the security, availability, integrity, confidentiality, and privacy of customer data, but also be able to prove that they are operating according to those established requirements.
Let’s break that down. The five Trust Service Principles of SOC 2 are as follows:
1. Security: The security principle of SOC 2 evaluates whether the system is protected from unauthorized access, both logical and physical.
2. Availability: The availability principle refers to the accessibility of the system, products, or services as advertised or committed by contact, service-level, or other agreements.
3. Processing Integrity: Processing integrity reflects the system’s completeness, accuracy, validity, timeliness, and authorization of data processing.
4. Confidentiality: The confidentiality principle addresses the system’s ability to protect information designated as confidential.
5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice.
If you’ve ever sat through a security seminar, you know that security isn’t a simple matter of installing a security system that you can set and forget. There are five primary components of an organization’s system of internal controls that are essential to SOC 2 data security measures:
1. Infrastructure: The physical and hardware components of the system (facilities, equipment, and networks).
2. Software: The programs and operating software of a system (systems, applications, and utilities).
3. People: The personnel involved in the operation and use of a system (developers, operators, users, and managers).
4. Procedures: The automated and manual procedures involved in the operation of a system.
5. Data: The information used and supported by a system (transaction streams, files, databases, and tables).
When conducting a SOC2 Type 2 audit, a third-party reviews how the controls are implemented across infrastructure, software, people, procedures and data. All activity is documented as part of the SOC2 report and any non-conformities are noted.
Streamworks is a SOC 2 Compliant Company
Streamworks is proud to be SOC2 Type 2 compliant. We are dedicated to providing secure marketing solutions that evolves with your business needs in order to support your organization on a path to long-term success. As part of our commitment to data and information security, we maintain annual audits, ongoing training, development and implementation of enhanced security measures, and frequent testing of our processes.
In the market for a secure marketing partner? Download this free Secure Vendor Checklist so you know exactly what to look for when you meet with potential partners.