Service Organization Controls (SOC) 2 is a compliance report standard defined by the American Institute of Certified Public Accountants (AICPA). These SOC 2 compliance reports provide users with an assurance about the controls at a service organization relevant to security availability, and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems.
The main purpose of earning SOC 2 compliance is to demonstrate to customers that a respected third party has examined your services and found that they meet five “trust service principles”.
Information and systems are protected against unauthorized access and disclosure of information.
Information and systems are for operation and use to meet the entity’s objectives.
System processing is complete, valid, accurate, timely, and authorized.
Information designated as confidential is adequately protected.
Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
A SOC 2 report is the result of an audit conducted by an independent auditing and accounting firm based on the criteria defined by the AICPA. The audit can take three to six months to complete.
There are two types of SOC 2 reports: a Type I report on management’s description of the systems in place and the suitability of the design of controls; and Type II report on the suitability of the design and operating effectiveness of the controls described therein to meet the applicable trust services criteria. The responsibility of the auditing firm is to build the report by expressing an opinion on the fairness of the presentation of the descriptions, the suitability and the effectiveness of the control measures.
During the audit period, the stated controls for the following Check Point products operated effectively to meet the applicable trust services criteria: