WEBVTT

1
00:00:00.300 --> 00:00:01.133
In this lesson,

2
00:00:01.133 --> 00:00:03.690
we will learn about Security Organization

3
00:00:03.690 --> 00:00:06.480
Control Type 2 or SOC 2.

4
00:00:06.480 --> 00:00:09.060
The SOC 2 framework is an auditing process

5
00:00:09.060 --> 00:00:10.560
that assesses the effectiveness

6
00:00:10.560 --> 00:00:13.620
of an organization's information security controls,

7
00:00:13.620 --> 00:00:15.540
either at a point in time

8
00:00:15.540 --> 00:00:19.260
or over approximately a 6- to 12-month period.

9
00:00:19.260 --> 00:00:23.190
SOC 2 focuses on five key trust service principles,

10
00:00:23.190 --> 00:00:27.000
security, availability, processing integrity,

11
00:00:27.000 --> 00:00:29.490
confidentiality, and privacy.

12
00:00:29.490 --> 00:00:31.860
Its reports are critical for demonstrating

13
00:00:31.860 --> 00:00:34.470
that an organization is effectively managing

14
00:00:34.470 --> 00:00:38.220
and protecting data according to industry standards.

15
00:00:38.220 --> 00:00:42.270
Next, a SOC 3 report is the public-facing summary

16
00:00:42.270 --> 00:00:43.860
of a SOC 2 report.

17
00:00:43.860 --> 00:00:46.470
Let's learn more about the SOC 2 framework,

18
00:00:46.470 --> 00:00:49.380
specifically SOC 2 Type I,

19
00:00:49.380 --> 00:00:51.030
SOC 2 Type II,

20
00:00:51.030 --> 00:00:52.980
and SOC 3 reports.

21
00:00:52.980 --> 00:00:54.960
The SOC 2 framework is designed

22
00:00:54.960 --> 00:00:56.520
to ensure that companies,

23
00:00:56.520 --> 00:00:58.890
especially those offering technology

24
00:00:58.890 --> 00:01:00.480
or cloud-based services,

25
00:01:00.480 --> 00:01:02.880
handle customer data securely.

26
00:01:02.880 --> 00:01:04.650
The SOC 2 framework was developed

27
00:01:04.650 --> 00:01:08.070
by the American Institute of Certified Public Accountants

28
00:01:08.070 --> 00:01:10.650
and focuses on five main categories

29
00:01:10.650 --> 00:01:12.870
called the trust service criteria.

30
00:01:12.870 --> 00:01:15.540
The trust service criteria include security,

31
00:01:15.540 --> 00:01:17.400
which ensures the system is protected

32
00:01:17.400 --> 00:01:19.320
from unauthorized access,

33
00:01:19.320 --> 00:01:21.780
availability, which checks if the system

34
00:01:21.780 --> 00:01:24.420
is reliable and available when needed,

35
00:01:24.420 --> 00:01:25.950
processing integrity,

36
00:01:25.950 --> 00:01:27.450
which makes sure that the data

37
00:01:27.450 --> 00:01:30.210
is processed accurately and completely,

38
00:01:30.210 --> 00:01:32.400
confidentiality, which ensures

39
00:01:32.400 --> 00:01:34.560
sensitive information is protected,

40
00:01:34.560 --> 00:01:37.470
and privacy, which covers how personal data

41
00:01:37.470 --> 00:01:40.140
is collected, stored, and managed.

42
00:01:40.140 --> 00:01:43.830
The SOC 2 framework offers two types of evaluations

43
00:01:43.830 --> 00:01:47.526
for organizations, SOC 2 Type I,

44
00:01:47.526 --> 00:01:49.824
and SOC 2 Type II.

45
00:01:49.824 --> 00:01:51.690
The SOC 2 Type I evaluation

46
00:01:51.690 --> 00:01:54.900
assesses the design of an organization's controls

47
00:01:54.900 --> 00:01:57.060
for managing sensitive customer data

48
00:01:57.060 --> 00:01:59.250
at a specific point in time.

49
00:01:59.250 --> 00:02:01.140
For example, consider a company

50
00:02:01.140 --> 00:02:02.820
that stores customer data.

51
00:02:02.820 --> 00:02:05.130
A SOC 2 Type I evaluation

52
00:02:05.130 --> 00:02:08.190
examines whether that company has systems in place

53
00:02:08.190 --> 00:02:09.540
to protect their data,

54
00:02:09.540 --> 00:02:12.900
such as encryption and access controls.

55
00:02:12.900 --> 00:02:15.900
SOC 2 Type I evaluations take a snapshot

56
00:02:15.900 --> 00:02:18.090
of the security measures and checks

57
00:02:18.090 --> 00:02:20.070
to see if they are properly designed

58
00:02:20.070 --> 00:02:22.590
to meet the trust service criteria.

59
00:02:22.590 --> 00:02:25.410
However, a SOC 2 Type I evaluation

60
00:02:25.410 --> 00:02:27.690
does not check whether these systems

61
00:02:27.690 --> 00:02:29.640
work consistently over time,

62
00:02:29.640 --> 00:02:31.080
just that they exist

63
00:02:31.080 --> 00:02:32.310
and are set up correctly

64
00:02:32.310 --> 00:02:34.830
at the time of the evaluation.

65
00:02:34.830 --> 00:02:37.350
For a more comprehensive evaluation,

66
00:02:37.350 --> 00:02:40.710
SOC 2 Type II evaluates not only the design

67
00:02:40.710 --> 00:02:44.250
of the controls, but also their operational effectiveness

68
00:02:44.250 --> 00:02:48.300
over a period of time, typically 6 to 12 months.

69
00:02:48.300 --> 00:02:50.550
For instance, if the same company

70
00:02:50.550 --> 00:02:53.190
claims to use encryption and monitoring systems,

71
00:02:53.190 --> 00:02:55.350
the Type II evaluation would look

72
00:02:55.350 --> 00:02:57.750
at whether those systems functioned correctly

73
00:02:57.750 --> 00:03:01.170
and protected data throughout the entire evaluation period

74
00:03:01.170 --> 00:03:02.940
of 6 to 12 months.

75
00:03:02.940 --> 00:03:04.920
So if the company says it's monitoring

76
00:03:04.920 --> 00:03:06.840
for unauthorized access,

77
00:03:06.840 --> 00:03:08.820
the Type II report would confirm

78
00:03:08.820 --> 00:03:11.160
that its controls were consistently in place

79
00:03:11.160 --> 00:03:14.940
and effective during the entire evaluation period.

80
00:03:14.940 --> 00:03:17.610
Next, let's discuss a SOC 3 report.

81
00:03:17.610 --> 00:03:20.910
A SOC 3 report is a simplified public version

82
00:03:20.910 --> 00:03:23.370
of the more detailed SOC 2 reports.

83
00:03:23.370 --> 00:03:26.460
It's designed for organizations that want to show clients,

84
00:03:26.460 --> 00:03:29.820
customers, or the public that they have strong security

85
00:03:29.820 --> 00:03:32.220
and data protection practices in place,

86
00:03:32.220 --> 00:03:35.190
but without revealing all the technical details

87
00:03:35.190 --> 00:03:36.990
of their evaluation.

88
00:03:36.990 --> 00:03:40.020
Unlike SOC 2, which is meant for internal

89
00:03:40.020 --> 00:03:41.580
or detailed accounts,

90
00:03:41.580 --> 00:03:44.910
SOC 3 reports provide a high-level overview

91
00:03:44.910 --> 00:03:48.450
of the organization's controls related to security,

92
00:03:48.450 --> 00:03:50.910
availability, processing integrity,

93
00:03:50.910 --> 00:03:53.190
confidentiality, and privacy.

94
00:03:53.190 --> 00:03:55.230
This makes it easier for businesses

95
00:03:55.230 --> 00:03:57.120
to share their SOC 3 report

96
00:03:57.120 --> 00:03:59.310
with potential customers or partners

97
00:03:59.310 --> 00:04:02.370
to demonstrate their commitment to data security.

98
00:04:02.370 --> 00:04:05.250
A SOC 3 report is a great way for companies

99
00:04:05.250 --> 00:04:07.920
to provide reassurance and transparency

100
00:04:07.920 --> 00:04:11.670
to anyone interested in their data protection practices.

101
00:04:11.670 --> 00:04:15.900
So remember, the SOC 2 framework is an auditing process

102
00:04:15.900 --> 00:04:18.480
that evaluates an organization's ability

103
00:04:18.480 --> 00:04:22.290
to manage and protect data across five key areas,

104
00:04:22.290 --> 00:04:26.070
security, availability, processing integrity,

105
00:04:26.070 --> 00:04:28.860
confidentiality, and privacy.

106
00:04:28.860 --> 00:04:31.110
SOC 2 Type I reports

107
00:04:31.110 --> 00:04:33.330
assess the design of these controls

108
00:04:33.330 --> 00:04:35.460
at a specific point in time.

109
00:04:35.460 --> 00:04:38.220
SOC 2 Type II reports evaluate

110
00:04:38.220 --> 00:04:41.130
the operational effectiveness of these controls

111
00:04:41.130 --> 00:04:45.060
over a period of approximately 6 to 12 months.

112
00:04:45.060 --> 00:04:48.540
SOC 2 Type I and SOC 2 Type II reports

113
00:04:48.540 --> 00:04:50.040
are critical for companies,

114
00:04:50.040 --> 00:04:51.780
especially in the technology

115
00:04:51.780 --> 00:04:53.460
and cloud service sectors,

116
00:04:53.460 --> 00:04:56.100
to prove that they meet industry standards

117
00:04:56.100 --> 00:04:57.720
for data protection.

118
00:04:57.720 --> 00:05:01.740
A SOC 3 report is a simplified public-facing version

119
00:05:01.740 --> 00:05:04.380
of a SOC 2 report designed to provide

120
00:05:04.380 --> 00:05:06.000
a high-level overview

121
00:05:06.000 --> 00:05:08.430
of the organization's security practices

122
00:05:08.430 --> 00:05:11.070
without diving into technical details.

123
00:05:11.070 --> 00:05:14.040
SOC 3 reports are often shared with clients

124
00:05:14.040 --> 00:05:17.280
and partners to demonstrate a company's commitment

125
00:05:17.280 --> 00:05:20.673
to data security in a more accessible format.

