April 22, 2022
Two words no one ever wants to hear. With them comes the fear of revenue losses, identity theft, and broken trust. To ensure the secure collection, management, and storage of personal information, the American Institute of CPAs developed System and Organization Controls (SOC) 2 for Service Organizations. It outlines five Trust Services Criteria (TSC) that are designed to mitigate the risks associated with data handling, specifically when outsourcing services, such as an automotive SaaS solution. SOC 2 certification sends a clear message that a business is serious about personal data protection. Let’s explore how certification works.
During SOC 2 Type I certification, a company must implement procedures that uphold the five TSCs.
The company must have controls and mechanisms in place so that information access supports operation, maintenance, and monitoring.
The company must have the ability to protect confidential information from creation and collection to destruction and removal from the company’s control. This encompasses various types of information, including but not limited to personal information and intellectual property.
A company’s data use and management must include data subject notification, consent, and access; the collection, use, storage, and disposal of relevant data only; and the monitoring and enforcement of privacy and data quality. This applies to personal information only.
A company’s systems must perform their designated functions without impairment. In other words, the processing of data must be complete, accurate, valid, timely, and authorized.
A company must have a system or mechanism that ensures the security and integrity of personal information and prevents unauthorized tampering, modification, or destruction.
The procedures themselves are not specified. As such, a company has the freedom to develop its own unique mechanisms as a means of achieving compliance. SOC 2 Type I certification is achieved when the business is able to outline these procedures and explain how they accomplish the five TSCs.
The next stage of SOC 2 certification involves a six-month observation period. During this time a compliance auditor assesses the validity of the company’s Type I plan. To be certified SOC 2 Type II compliant, the entity must demonstrate that its procedures have been established and are operating effectively in relation to the five TSCs.
At Sibros we view SOC 2 compliance as a critical component of our OTA update and data management platform. Our certification shows not only a commitment to our customers and their data but a commitment to the protection and safe management of their customers’ data as well. Sibros is proud to be SOC 2 Type I certified and in the process of achieving Type II compliance. For more information about our certifications or to schedule a demo, contact us today.