When you’re shopping for business software-as-a-service (SaaS), how do you know whether a vendor can keep your data secure? You know it’s important to do everything possible to protect your business’s cybersecurity and data. You want to believe the salesperson’s claims about security. But what can a business leader without a technology background do to keep their business from becoming the next high-profile breach victim? Rather than take security claims at face value, ask for a System and Organization Controls (SOC) report, formerly known as a Service Organization Control report.
What is a SOC Audit & Report?
A SOC audit is an independent examination, performed by a licensed CPA firm, of how a service provider operates. For a SaaS vendor it can reveal how securely the company builds, tests, deploys, manages, and operates its platform. It also documents how the company handles data protection in its human resources processes, physical offices, and other environments where information is exposed. The output is a report containing the auditor’s opinion, the vendor’s description of its system, and the controls tested along with the results.
What does this mean for cannabis businesses?
For cannabis businesses holding private customer data, including medical information subject to HIPAA compliance mandates, data privacy is a critical issue. As the industry grows and matures, using enterprise-grade SaaS while maintaining security controls that go above and beyond will separate the businesses with staying power from those that fall victim to data theft and consumer lawsuits. Learning the terminology and best practices is the first step to ensuring your business’s longevity.
Not all SOC Reports tell the same story. As a buyer, you need to:
- Determine which SOC audit the vendor underwent
- Interpret the results of the audit
SOC 2 is the report that covers the controls relevant to SaaS operations (SOC 1 covers controls over financial reporting, and SOC 3 is a short public summary). Within SOC 2 there are two audit types:
- SOC 2 Type 1 is a point-in-time audit. It verifies that, as of a specific date, the vendor’s controls are suitably designed and in place. It does not tell you whether those controls were actually operated over time.
- SOC 2 Type 2 audits cover a review period, typically 3 to 12 months. The auditor tests whether the vendor consistently operated its controls throughout that window. The auditor also assesses how each control addresses the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security is mandatory; the vendor chooses which of the other four to include, so check the report’s scope to see which criteria were actually examined.
Thus, SOC 2 Type 2 answers the toughest questions: How would the vendor actually handle and protect your data? How would its team ensure uptime and performance?
SOC 2 Type 2 could, for instance, confirm that the company runs disaster recovery tabletop exercises on a monthly basis and conducts periodic user access reviews. It could also verify that the company enforces strong password and network policies and removes terminated employees’ access within 24 hours.
When you read a SOC 2 Type 2 report, start with the auditor’s opinion: an unqualified opinion means the controls operated effectively overall, while a qualified opinion means the auditor found significant problems. Then look for the list of exceptions, which are instances where the auditor’s testing found that a control did not operate as described during the audit window. The number and severity of exceptions, together with management’s responses to them, are a barometer for how well the vendor has delivered on the Trust Services Criteria. Also check the report’s scope: which systems and criteria were covered, the dates of the review period, and which third-party providers (such as the vendor’s cloud hosting) were carved out and covered only by their own SOC reports.
To learn more or have a consultation with our HoRizon business development team, get in touch with us today.