It's not surprising that cybersecurity is top of mind for boards, management and regulatory organizations, when tracked data breaches in the U.S. in 2015 totaled 781, the second highest on record since 2005, according to the Identity Theft Resource Center. Consequently, businesses and vendors are increasingly being held accountable for transparency into their security and controls.

Remain a Trusted Vendor

Within the health care industry, for example, organizations are compelling their business associates and service organizations to provide this information through specific questionnaires or assessment documents. Claims management and processing companies, printing and mailing businesses, customer call centers and IT data centers, among others, may receive countless such requests annually. Completing them takes significant time and effort, but vendors that do not respond risk losing their trusted position.

Are your customers sending you security or controls questionnaires and/or letters requiring you to complete some type of internal controls audit? You can benefit by having a SOC 2® report completed on your organization. SOC 2® reports are intended to meet the needs of a broad range of users – from a small manufacturing company to an international financial services business – that need information and assurance about the controls at a service organization.

Benefits of a SOC 2® Report

A SOC 2® report aligned to the Common Security Framework (CSF) requirements has many benefits for business associates and service organizations. These benefits allow organizations to:

  • Save Internal Time – A SOC 2® report can significantly reduce the time personnel spend on responding to the numerous requests you receive.
  • Decrease Costs – The report reduces the number of audits that your organization undergoes to meet a customer's request.
  • Standardize Delivery – Recipients of the report will recognize the AICPA standard reporting format.

In addition to these specific benefits for your customers, enhancing your control environment can help reduce risks throughout your organization. Plus, an organization that is accountable for its security and controls will likely have a competitive edge in the market.

What is a SOC 2® Report?

A SOC 2® report focuses on the controls that affect the security, availability and processing integrity of the systems a service organization uses to process users' data. These reports also cover the confidentiality and privacy of the information processed by these systems.

Why Utilize a SOC 2® Report Aligned to CSF?

In December 2015, the American Institute of Certified Public Accountants (AICPA) announced it had collaborated with the Health Information Trust Alliance (HITRUST) to develop an illustrative SOC 2® report that met the applicable trust services criteria and the HITRUST Common Security Framework (CSF) requirements.

HITRUST established the CSF requirements for use by organizations that create, access, store or exchange personal health and financial information. The SOC 2® report enables a service organization to communicate information about its processes and procedures used to meet the HITRUST CSF requirements. These reports also enable service organizations to communicate information about their applicable trust services criteria relevant to security, availability and confidentiality, thus improving transparency and information for decision making.

To learn more about a SOC 2® report or other security controls, please visit bswllc.com, or contact Greg Smith, Principal, Advisory Services at Brown Smith Wallace, at 314.983.1306 or gsmith@bswllc.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.