SOC 2 Type 2, Internal Controls and Access Reviews
Not to be confused with SOX (the Sarbanes-Oxley Act), SOC 2 is an auditing procedure developed by the American Institute of CPAs (AICPA). In response to the growing occurrence of cybersecurity threats, the System and Organization Controls (SOC) framework was developed by AICPA as an independent report on an organization’s cybersecurity risk management. In a published white paper, AICPA says that “the new framework provides a common and consistent language for organizations to communicate about, and report on, their cybersecurity efforts.”
SOC 2 reports are further separated into two types: Type 1 describes an organization’s cybersecurity systems, while Type 2 measures those systems’ effectiveness against cyber threats, assessed against the AICPA’s Trust Service Criteria. Since both types contain highly technical information, their use is restricted to “user entity personnel and specified parties” that possess the knowledge and expertise to understand the reports.
The Trust Service Criteria all play directly into an organization’s identity governance. The first criterion, Security, refers to protection against unauthorized use of information and systems. Availability requires an organization’s information and systems to be available for use. Confidentiality ensures that information designated as confidential is properly protected. The last, Privacy, ensures that information is collected, used, stored, and disposed of properly to protect the users. To ensure SOC 2 Type 2 compliance, an independent auditor verifies that the internal controls an organization has in place to address the Trust Service Criteria are effectively doing their job of preventing cyber threats. Any organization can get a head start on its SOC 2 compliance by conducting regular, periodic access reviews.
During an access review, an organization verifies that only authorized users can access its information and systems. The importance of this is reflected directly in the Trust Service Criteria, which specify that information and systems should be kept secure enough that unauthorized access isn’t possible while still enabling access for authorized individuals. During an access review, it is crucial that unauthorized users are quickly identified and their access revoked so that sensitive data does not fall into the wrong hands.
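A reconciliation of the kind an access review performs, as an added example that is not YouAttest’s or AICPA’s code: a group-membership export is checked against the HR roster and an approved role-to-group matrix, and each assignment is either cleared, flagged as dormant, or marked for revocation. The export, roster, matrix and 90-day dormancy threshold are all constructed assumptions.

```python
"""Added example (not YouAttest's or AICPA's code): reconcile a group-membership
export against an HR roster and an approved role-to-group map, producing the
findings an access review acts on. All data below is constructed."""
import csv
import io
from datetime import date

# Constructed export of current group assignments (the kind of CSV an IdP exports).
ACCESS_EXPORT = """user,group,last_login
alice@example.com,finance-readers,2024-05-02
alice@example.com,prod-admins,2024-05-02
bob@example.com,finance-readers,2024-01-15
carol@example.com,prod-admins,2024-04-30
dave@example.com,finance-readers,2023-11-01
eve@example.com,prod-admins,2024-05-01
"""

# Constructed HR roster: employment status and job role per account.
HR_ROSTER = {
    "alice@example.com": ("active", "analyst"),
    "bob@example.com": ("terminated", "analyst"),
    "carol@example.com": ("active", "sre"),
    "dave@example.com": ("active", "analyst"),
}

# Hypothetical authorization matrix: groups each role is approved to hold.
ROLE_GROUPS = {"analyst": {"finance-readers"}, "sre": {"prod-admins"}}
STALE_DAYS = 90  # assumed dormancy threshold for this review cycle


def review_access(export_csv, roster, role_groups, today_iso, stale_days=STALE_DAYS):
    """Return (user, group, finding) tuples. Findings: revoke-orphaned (no HR
    record), revoke-terminated (left the company), revoke-unapproved (group
    outside the role), flag-stale (approved but unused for > stale_days)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, group = row["user"], row["group"]
        if user not in roster:
            findings.append((user, group, "revoke-orphaned"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append((user, group, "revoke-terminated"))
        elif group not in role_groups.get(role, set()):
            findings.append((user, group, "revoke-unapproved"))
        elif (today - date.fromisoformat(row["last_login"])).days > stale_days:
            findings.append((user, group, "flag-stale"))
    return findings
```

Assignments that pass every check (alice in finance-readers, carol in prod-admins) produce no finding; everything else becomes a line item for the reviewer to approve or revoke.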
With SOC 2 Type 2 audits and regular access reviews together, organizations can feel confident that they are properly protecting the information they are held responsible for. Additionally, since SOC 2 audits are done by an independent party, customers and shareholders can also feel confident that their information is being protected from cyber threats and hackers.
Automate your Access Reviews with YouAttest
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest, a pure cloud-based solution, uses pre-built APIs into Okta to pull all the information necessary for a full IGA audit. YouAttest provides:
- Attestation of users, groups, roles and applications
- Intelligent delegation: auto-delegation to manager roles
- Reminder emails and updates
- Multiple Reviewers
- RBAC functionality
- Triggers on key security events
The key to these reviews is to have a consolidated center where the information is collated and the roles/permissions are accounted for. YouAttest does this through a “single pane of glass”: a cloud-based GUI that leverages APIs or CSVs to obtain the data. Implementation takes minutes and is secured by industry-validated protocols like SAML and OIDC, and YouAttest is an “Okta Verified” member of the Okta Integration Network.
Access reviews play directly into an organization’s identity audit, whether internal or external. To ensure compliance with identity governance regulations, such as SOX or HITRUST, identity audits analyze the user accounts within an organization’s systems. During an identity audit, companies want to make sure that those accessing sensitive information are authorized and are maintaining compliance with information security protocols and regulations.