In December 2014 Adobe’s Shared Cloud became SOC2 – Security Type 1 Compliant. The Shared Cloud is the infrastructure component that supports the Adobe Creative Cloud.
What does this mean to you? Essentially, a SOC 2 report addresses one or more of five key system attributes: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Source: AICPA SOC 2 whitepaper.
An excerpt from the same whitepaper describes SOC 2 as follows:
SOC 2 Report: What is it?
Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, Vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system attributes:
• Security — The system is protected against unauthorised access (both physical and logical).
• Availability — The system is available for operation and use as committed or agreed.
• Processing integrity — System processing is complete, accurate, timely and authorised.
• Confidentiality — Information designated as confidential is protected as committed or agreed.
• Privacy — Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
Putting a SOC 2 Report to Work
Consider a Software-as-a-Service (SaaS) or cloud service organisation that offers virtualised computing environments or services for user entities and wishes to assure its customers that the service organisation maintains the confidentiality of its customers’ information in a secure manner and that the information will be available when it is needed. A SOC 2 report addressing security, availability and confidentiality provides user entities with a description of the service organisation’s system and the controls that help achieve those objectives. A type 2 report also helps user entities perform their evaluation of the effectiveness of controls that may be required by their governance process. Another example is a medical claims processing service organisation that processes claims for health insurers (user entities) and wishes to assure those users that its controls over the processing of claims will protect the information in those claims, which is subject to privacy laws.