The SOC 2 Security Principle is one of the five (5) Trust Services Principles (TSP) used when conducting SOC 2 assessments on today's growing list of technology-driven service organizations. It has also become the most widely known of all the TSPs, as it provides a solid baseline when assessing companies for SOC 2 compliance. As for the TSPs themselves, think of them as a set of broad-based provisions consisting of prescriptive criteria covering a large number of information security and operational best practices.
Specifically, the five (5) Trust Services Principles (TSP) are the following:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
As for the "Security" TSP, it requires service organizations to have in place highly formalized and documented policies, procedures, and processes. More specifically, it means having documentation that states the policies, and then actually having personnel carry out the stated procedures. Ultimately, this requires service organizations to put in place a large number of information security and operational processes, procedures, and other supporting documentation. This is also where companies struggle immensely, as they generally have little to no policy material in place.
Regarding the specifics of the "Security" TSP, the essential "criteria" against which all service organizations are assessed consist of the following:
- Policies: The entity defines and documents its policies for the security of the system.
- Communications: The entity communicates its defined system security policies to responsible parties and authorized users.
- Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.
- Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.