What is a SOC report?
Service Organization Control (SOC) reports are independent audits, performed against standards set by the American Institute of Certified Public Accountants (AICPA), that assess an organization’s security posture and its practices for protecting clients’ data. Organizations that obtain a SOC report demonstrate that they’ve undergone a rigorous assessment by a third party that points out any weaknesses and flaws.
There are three types of SOC reports:
SOC 1 (Detailed Report - Usually Requires an NDA):
SaaS organizations that handle, process, store, or transmit financial information, or information that can impact the financial statements of their customers, need a SOC 1 audit.
SOC 1s (unlike SOC 2s) are tailored to the organization receiving the evaluation. There is no predefined set of trust services criteria included in the report.
This report evaluates an organization’s financial reporting, data processing, and IT services. Formally, this report is known as a Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (ICFR).
- Type 1: This report is completed based on a particular point in time with a set date.
- Type 2: This report is completed over a period of time (typically one year) and holds the organization accountable for all the security points covered in the Type 1 report done previously.
The main value a SOC 1 audit provides is ensuring the protection of financial information, showing a commitment to corporate governance, and providing assurance to customers that an organization’s systems are secure. SOC 1 reports include an auditor’s opinion, which is stated as either unqualified or qualified.
The four types of audit opinions are:
- Unmodified - Clean report with no modifications.
- Qualified - Misstatements are material but not pervasive in the financial statements.
- Disclaimer - Account books may not be appropriately maintained, and the auditors may not have enough information to form an opinion, so they disclaim one.
- Adverse - Misleading or incomplete financial statements.
SOC 2 (Detailed Report - Usually Requires an NDA):
Organizations that handle, process, store, or transmit any kind of data will likely need a SOC 2 evaluation to help that organization establish tight internal security controls.
This report evaluates an organization’s security, availability, processing integrity, confidentiality, and privacy of its customers’ data.
Examples of Trust Services Criteria and Their Specifics:
- Security: Firewalls, intrusion detection systems (IDS), antivirus, multi-factor authentication, recovery systems
- Availability: Network monitoring systems, SLA adherence, DDoS protection, incident response planning
- Processing Integrity: Quality assurance, performance monitoring, vulnerability handling
- Confidentiality: Adherence to the principle of least privilege, Encryption (at rest and in transit)
- Privacy: Ensuring private information is kept safe, PII protection, Processing of Healthcare Data and preventing Unauthorized Access
The above Trust Services Criteria apply to an organization’s infrastructure, software, people, procedures, and data.
Typically, the SOC 2 report applies to any organization that stores, processes, or transmits customer data. SOC 2 reports are considered ‘stale’ when they are older than one year. This report generally includes a detailed description of the system, the testing of controls and their results, and an opinion letter.
- Type 1: This report is completed based on a particular point in time with a set date.
- Type 2: This report is completed over a period of time (typically one year) and holds the organization accountable for all the security points covered in the Type 1 report done previously.
SOC 3 (Short Report - General Use - Often Publicly Available):
This report is a summary of the SOC 2 report.
When evaluating an organization’s security posture, the SOC 2 Type 2 is the report most commonly referred to.
SOC Reports in the Context of Hybrid-Cloud Physical Security:
In a SOC report, you’ll find the many components of the system used to provide services, along with the purpose of each. Examples include the database used (AWS RDS, for example) or the virtual server service (AWS EC2, for example). This can include services from a cloud service provider (such as AWS, Azure, or GCP) and other software platforms (such as Okta, GitHub, or Datadog) that are used to keep the system functioning.
With hybrid cloud physical security, all the infrastructure that would traditionally live on prem lives in the cloud. User databases, video archiving, camera metadata, and all other information will live in the cloud. This means that the SOC report analyzing that backend will include all the systems and services that are used to connect to the cloud service.
Many Verkada customers require their IoT devices to be on networks that only communicate outbound to the internet, without any traffic touching other devices on their network. Given that all Verkada devices communicate with AWS over an outbound-only connection, Verkada’s cloud architecture, with a zero-trust policy model in place, is a great fit for these customers.
Request Process
Your organization’s cybersecurity or information security team will generally request a copy of a SOC report through a secure document repository/portal. For example, Verkada customers and prospects can access a copy of Verkada’s SOC reports through this Pima link. Many organizations require you to sign an NDA to obtain the SOC report. Reports will also be watermarked with the requestor’s credentials to avoid unauthorized access and sharing.
How Verkada commits to hybrid cloud security
Verkada’s hybrid cloud physical security solutions integrate advanced technology, rigorous SOC compliance, and a user-friendly cloud-based management system to provide unparalleled visibility, control, and ease of use. Experience simple, secure AI-powered search, monitoring, and analytics, paired with customizable access control and smart building solutions. Get a personalized demo or start a free trial today.