{"id":4231,"date":"2024-04-27T06:11:03","date_gmt":"2024-04-27T12:11:03","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=regulations&p=4231"},"modified":"2024-06-03T13:53:11","modified_gmt":"2024-06-03T19:53:11","slug":"soc2-ics","status":"publish","type":"regulations","link":"https:\/\/trustarc.com\/regulations\/soc2-ics\/","title":{"rendered":"SOC2 – International Cybersecurity Standard"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tStandard<\/span>\n\t\t\t\t\t\t\t\t\t\t

SOC2<\/h1>\n\t\t\t\t\t

Developed by the American Institution of Certified Public Accountants (AICPA), the SOC 2 (System and Organization Controls, and Service Organization Controls), also known as the 2017 Trust Services Criteria, is a international cybersecurity standard establishing guidelines for the secure management of client data.<\/p>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Are you subject to SOC2?<\/h2>\n

SOC 2 is applicable to any organization who prioritizes data protection, privacy and security, and may not be narrowly restricted to financial institutions or organizations who process large volumes of financial data, including: cloud service providers, healthcare providers, and software as a service (SaaS) providers.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t

Key obligations of SOC2<\/h2>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Privacy notice<\/h4>\n

Organizations must create and make available privacy notices covering the purposes for collecting personal information, choice and consent processes, categories of personal information collected, data collection methods (e.g., cookies), and use, retention, and disposal periods. Notices should also detail whether information will be disclosed to third parties, security measures, breach notification processes, and if new information about the individual will be developed.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Vendor management<\/h4>\n

Where vendors and business partners are outsourced to support organizational operations, organizations must establish mechanisms to periodically assess their compliance with organizational privacy and data confidentiality standards and requirements. An assessment should also evaluate the level of performance and potential risk posed by vendors and business partners to organizational operations. All assessments shall be documented and retained.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Obtainment of consent<\/h4>\n

Organizations must obtain clear and explicit consent from individuals at or before the time sensitive personal information is collected. Where personal information is intended to be transferred to or from an individual\u2019s device, obtain prior consent and document the individual\u2019s consent to data transfers.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Performance of risk assessment<\/h4>\n

Organizations must identify potential risks to organizational operations by establishing a risk assessment procedure and management plan, and execute an entity-wide risk assessment. Assess the severity of known risks to the entity and develop mitigation measures to remediate the risk. All risk assessment results must be retained.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Implementation or technical security controls<\/h4>\n

Personal information in use, transit and at rest, and information assets must be protected by safeguards through implementing access controls, authentication methods, encryption and encryption keys, and malware detection mechanisms. <\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\"\"\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tWhitepaper<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t

Privacy and Data Security in Mergers & Acquisitions<\/h2>\n\t\t\t\t\t\t

Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today. <\/p>\n\t\t\t\t\t\t