Service Organization Controls: SOCs and Data Security
By United Language Group
Chances are your company stores far more data in the cloud than just a few years ago. This likely includes sensitive information that you need to protect, including financial data, business strategies and plans, and personal data belonging to customers.
With the rapid growth in cloud computing, you’re not alone. The global public cloud market is expected to reach $263 billion by 2020, according to Forrester Research predictions. This means your vendors, including Language Solutions Partners (LSPs), are increasingly moving to the cloud, too.
Working with cloud-based vendors has major perks. The cloud creates an online repository or portal where all project materials and information can be accessed by project stakeholders, no matter where in the world they are located. However, the cloud also creates some data security issues that need to be evaluated and addressed to protect your company’s interests.
By working with vendors that operate with strong, independently verified security measures in place, such as ISO 27001 certification and Service Organization Controls (SOC) reports, you reduce the likelihood of data loss and gain a documented basis for your own vendor due diligence.
WHAT ARE SERVICE ORGANIZATION CONTROLS?
The American Institute of Certified Public Accountants (AICPA) introduced SOC reports in 2011 so that service organizations, including cloud vendors, could demonstrate that they have appropriate procedures, policies and safeguards in place to protect your personal or confidential information. A vendor obtains a SOC report by undergoing an examination by an independent certified public accountant (CPA) firm, which issues an opinion on the vendor’s controls. Strictly speaking, a SOC report is an attestation report rather than a certification, although the two terms are often used interchangeably.
This is important to you, as the cloud customer, for several reasons. It gives you independent assurance that the vendor has controls in place to prevent the breach of your confidential information and that an auditor has examined them. It demonstrates good faith and professionalism. And, if you’re in a highly regulated industry like banking or healthcare, it supports your own vendor due diligence and compliance obligations. Vendors aren’t required to obtain SOC reports – the process is voluntary – but they’re more attractive to clients if they do.
Prior to 2011, no report of this kind existed. Vendors often presented SAS 70 reports, which cover controls relevant to financial reporting, as if they proved that customer data was properly protected. To stop this and clear up the confusion, the AICPA introduced SOC reports.
SOC 1, SOC 2 AND SOC 3: WHAT’S THE DIFFERENCE?
This is where SOC compliance gets a little confusing. There are three different types of SOC reports, and SOC 1 and SOC 2 each come in two subtypes: a Type I report describes the controls and assesses whether they are suitably designed at a point in time, while a Type II report also tests whether the controls operated effectively over a review period, typically six to twelve months.
Here’s what’s important to know: The reports are differentiated by why they’re created, who’s allowed to access them and the level of detail.
- Much like the old SAS 70, SOC 1 reports cover controls that are relevant to your company’s financial reporting, for example a payroll or billing system run by the vendor. They do not audit the vendor’s financial statements. They are restricted-use reports and may only be viewed by the vendor’s management, its customers and the customers’ auditors.
- SOC 2 reports evaluate a company’s controls against the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. The security criteria are always included; the vendor chooses which of the others are in scope. These are also restricted-use reports; in addition to the parties mentioned above, they may be shared with regulators and other parties who need to understand the system.
- Far less detailed, SOC 3 reports are general-use summaries of a SOC 2 examination and are used primarily for marketing. They can be viewed by anyone who wants to verify that the vendor has had its security controls examined, but they omit the control descriptions and test results that a SOC 2 report contains.
If a vendor you’re considering uses the AICPA’s SOC logo, that means the company has obtained at least one of the three reports within the last year. The logo tells you nothing about which report, which criteria or which systems were covered; for that you need the report itself.
SHOULD MY LANGUAGE SERVICE PROVIDER BE SOC CERTIFIED?
LSPs are increasingly moving workloads to the cloud to improve collaboration, boost efficiency and lower customer costs. With web-based Language Mastery Platforms, you can submit projects, receive estimates, track project progress, download real-time status reports and manage the terminology database from anywhere in the world, at any time. There’s no expensive software to install on site, and entry costs are lower.
However, working with a cloud-based translation provider also means sharing lots of confidential information over the web. Even when the vendor stores that data, your company remains responsible, and may be liable, if confidential information is released or a breach occurs.
SOC compliance doesn’t guarantee cloud data protection, but it reduces the likelihood of a breach and, just as importantly, lets you see what the provider actually does. SOC reports verify through a trusted and independent source that the controls the provider describes are suitably designed and, for a Type II report, operated effectively over the review period. Read the report rather than relying on the logo: check that the scope covers the systems and locations that will handle your data, which Trust Services Criteria were included, the period the report covers, any exceptions the auditor noted, whether subservice organizations such as the hosting provider are carved out, and the complementary user entity controls the report expects you to implement on your own side.
LSPs can also safeguard data by becoming certified to the ISO 27001 standard, which, unlike a SOC report, is a certification of an information security management system. To learn more about data security, visit ULG’s quality page.