If your company or a third party you work with is responsible for handling and storing customer data, how do you ensure your clients’ data will be kept safe? More importantly, how do you communicate your commitment to protecting your clients’ data to potential new customers?
SOC 2 is a framework that applies to any technology service or SaaS company storing customer data in the cloud; it is meant to ensure that the organization’s controls and practices effectively safeguard the privacy and security of customer and client data. If you’re using Trello to operate your business and are in the process of preparing for a SOC 2 audit, or are just interested in stepping up the security of your customers’ info, keep reading!
Why SOC 2?
Before we dive into the details, let’s discuss why your organization might choose to pursue a SOC 2 report.
First of all, it can greatly expand your target market. Service providers working in highly regulated fields, or with clients who are publicly traded companies, need SOC 2 compliance to be seen as a viable vendor for hire. Attaining a SOC 2 report is an excellent way to unlock these new markets.
SOC 2 reports also help you build trust in the minds of your customers. The SOC 2 report will show prospects and current customers that you’re committed to protecting their clients’ interests as well as their own. The SOC 2 report gives prospects confidence that their data is being protected and that you aren’t a likely source of vulnerabilities introduced into their systems via integrations. Being SOC 2 compliant assures your customers and clients that you have the infrastructure, tools, and processes to protect their information from unauthorized access, both from within and outside the firm.
SOC 2 reports also help businesses preemptively mitigate risks in today’s cybersecurity landscape. Being SOC 2 compliant will give you a head start if your business should become the victim of a cyberattack. Data breaches often trigger fines, reputation damage, loss of customers, a drop in stock price, and much more. SOC 2 compliance can go a long way in mitigating some of these losses: a compliant business is more likely to respond to a breach quickly, thus limiting its impact.
What Is SOC 2?
Disappointingly, SOC 2 has nothing to do with socks. SOC stands for Service Organization Control; businesses can receive a SOC 1, a SOC 2, or even a SOC 3 report. SOC 1 reports deal with financial data, and SOC 3 reports are non-confidential public versions of SOC 2 reports. A SOC 2 report is the most commonly used, so that’s what we’ll be covering in depth today.
A SOC 2 report is essentially a way to tell the world that you care about keeping your customers’ information safe and secure. After a SOC 2 audit has been performed by an accredited auditor, an organization can share its SOC 2 report with different stakeholders such as potential customers, other auditors, or investors.
A SOC 2 report is basically a report card, where an auditor has checked that the company is actually performing appropriate data protection procedures. The five trust service principles form the basis of the entire SOC 2 report. Note that not all five categories always apply; if your company doesn’t handle personal data, for example, you don’t need to worry about the privacy criteria.
Megan Dean, Information Security and Risk Compliance Manager at Rewind, agrees on the importance of a strong security program. “If you don’t have a formalized security program, you’ll eventually be asked by an auditor to prove something you don’t have. And then those red flags will start to show up in your SOC 2 report.”
The five trust service principles are broken down into broad categories:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
You can be audited on one or any combination of the trust service principles. Security is the only mandatory principle that you must be audited on. Let’s dive into the five trust service criteria in a bit more detail.
Security Criteria
According to the AICPA (the organization that maintains and performs SOC 2 compliance audits), security refers to information during its collection or creation, use, processing, transmission and storage. It also includes all systems that use electronic information to “enable the entity (i.e. your business) to meet its objectives.” That means that not only are your own internal processes under scrutiny, but every third-party application, tool, or SaaS product you rely on must also comply with SOC 2 security requirements.
Availability Criteria
The availability trust service principle means that your systems must be ready and able to run as expected based on your operating agreements with customers and/or users. Essentially, it aims to answer a single question: can I rely on this service being available to me when I need it?
Availability criteria often involve documented business continuity and disaster recovery plans and procedures. Potential customers will want to know what your plan is in the event of an emergency. The availability criteria also require periodic backups and recovery tests of business-critical applications.
Processing Integrity Criteria
Industries where the accuracy of processed information is vital, such as services that perform financial transactions or data analytics for their customers, often consider covering processing integrity in their SOC 2 report. Basically, these criteria ask the question: how do you ensure that the information you are processing is complete, valid, accurate, timely, and authorized?
Confidentiality Criteria
These criteria are pretty basic: information designated as confidential is protected. The level of protection will depend on the type of information and the industry: for example, health care data falls under more stringent regulations known as HIPAA.
Privacy Criteria
Privacy is another seemingly obvious criterion that is nonetheless vital. Privacy ensures that personal information is collected, used, retained and disclosed only to meet the entity’s objectives. While confidentiality applies to various types of sensitive information, such as financial data or health records, privacy applies only to personal information you have collected about or on behalf of customers and/or clients.
In a very nutty nutshell, those are the trust service criteria; each covers a set of internal controls that your SOC 2 auditors will assess. Of course, there’s a lot more detail to know about each, so be sure to investigate fully before beginning the SOC 2 audit process.
Is Your Trello Account Business-Critical?
Business-critical is a term that SOC 2 auditors use to describe applications, equipment, processes or even people that are required for your business. An espresso machine would be considered business-critical to a coffee shop, for example (as well as some quality beans).
A good rule of thumb is to ask yourself: “am I able to service my customers without (blank)?” If the answer is “no”, then “(blank)” should be considered business-critical.
For example, if your Trello boards were maliciously deleted by a member of your team and you were no longer able to service your customers, then Trello is a business-critical tool within your organization.
SOC 2 auditors check that backups of applications storing critical data are performed daily. If your company is using Trello to store business-critical data, you will need to ensure your account is backed up. Trello backups can support recovery in the event of human error, malicious attacks, or buggy Power-Ups, and they’re one more safeguard to help your business workflows run uninterrupted.
“If you have to prove to an auditor that a particular process is taking place, and you’ve got one place where that process takes place, you need to make sure that’s always accessible. So if you’re performing access reviews and approval on Trello, you need to make sure that you can go back and prove that those processes did in fact happen”, explains Dean.
How To Be SOC 2 Compliant On Trello
Wondering if you can use Trello and still maintain SOC 2 compliance? Good news – Trello is fully SOC 2 compliant, and even provides a SOC 3 report, which is a more user-friendly version of the SOC 2 report. Trello is also ISO 27001 certified, and reports regularly on their status.
However, just because Trello itself is SOC 2 compliant doesn’t mean that your organization will necessarily be compliant too. Here’s how to bake SOC 2 compliance – and security! – into your Trello workflow.
Building Trello Into Your Business Continuity Plan
A business continuity plan is a critical part of your preparation for a SOC 2 audit. What would your organization do if you suddenly lost access to the vital information in Trello?
A solid backup and recovery strategy mitigates this risk. If your Trello data is safely backed up, you can simply restore from your most recent backup and get back to business.
Trello offers an ‘export’ feature, which allows you to export your Trello data as a CSV file. However, without some fancy programming, you won’t be able to simply re-upload that file back into Trello, which makes data recovery from an export more time-consuming.
Rewind Backups for Trello is an automated data backup and recovery Power-Up. It automatically creates a secure backup of your Trello boards, cards and lists daily, ensuring you’re never without a recent backup. In the case of a data disaster, you can simply select the date when everything worked perfectly, hit “restore”, et voilà, you’re back to business.
If you’re interested in working safely on Trello, why not give peace of mind a whirl with a free trial of Rewind Backups for Trello?
