boulaygroup.com

Security Spotlight: Encryption of Data At-Rest and In-Transit

A System and Organization Controls (SOC) 2 examination attests that your organization is compliant with the criteria laid out by the Association of International Certified Professional Accountants (AICPA). The Common Criteria used in a SOC 2 examination cover a variety of system controls that ensure that your organization is operating with best practices to protect the customer data your organization processes. This security spotlight explains how encrypting data in-transit and data at-rest can help your organization on your journey to SOC 2 compliance.

Data At-Rest versus Data In-Transit

Depending on usage, customer data will fall under one of two categories. Data at-rest is digital data that is not being actively accessed or used. With data at-rest, the data is currently in storage, such as a hard drive, database, cloud storage, flash drive, or some other form of archived storage. Meanwhile, data in-transit is data that is actively moving from one location to another location, and not sitting in storage. This occurs when data moves through the internet, when data is actively being uploaded to cloud applications, or when files are being shared on a local area network (LAN), for example.

How does Encryption Protect Your Organization’s Data?

Depending on whether the data is at-rest or in-transit, different encryption methods may be used.

1. Data At-Rest

The most effective way to protect sensitive data is by using encryption. The current industry-standard encryption cipher is AES-256 (Advanced Encryption Standard, which uses a key that is 256 bits in length); data encrypted with this method is virtually impossible to decrypt without the key. Many cloud service providers will encrypt data at-rest with the AES-256 algorithm by default. By encrypting data at-rest with AES-256, your organization can ensure that sensitive data cannot be read by anyone who does not hold the decryption key, which makes protecting and controlling access to that key part of the control.

2. Data In-Transit

Transport Layer Security (TLS) 1.2 allows for secure transmission of data in-transit by negotiating session keys between a device and a server and encrypting everything sent afterwards. Typically, the key exchange relies on public key cryptography, and the server presents a certificate that the client verifies; this is what establishes that the client is talking to the genuine server. By ensuring that your organization’s server accepts only TLS 1.2 or higher protocols, you can better protect your clients’ sensitive data.
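As an added illustration that is not part of this article, the Go code below (standard library only) applies both controls: AES-256-GCM for a record at rest, where the 32-byte key is what makes it AES-256 and the authentication tag detects tampering with stored bytes, and a TLS configuration that refuses anything below TLS 1.2 together with a check on an already-negotiated connection. The function names and the demo key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // 32 bytes = 256 bits: that is what makes it AES-256
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtRest encrypts a record before it is stored; GCM's tag means later tampering is detected on read.
func SealAtRest(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per record, stored in front of the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAtRest reverses SealAtRest; it fails if the key is wrong or the stored bytes changed.
func OpenAtRest(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// InTransitConfig refuses handshakes below TLS 1.2; MeetsTransitPolicy audits a negotiated connection.
func InTransitConfig() *tls.Config                 { return &tls.Config{MinVersion: tls.VersionTLS12} }
func MeetsTransitPolicy(s tls.ConnectionState) bool { return s.Version >= tls.VersionTLS12 }
```

In production the key passed to SealAtRest comes from a key management service or secret store, never from source code.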

Data Encryption and SOC 2

A SOC 2 examination evaluates and reports on the controls your organization has implemented to safeguard customer data, along with other best practices that fulfill the trust service criteria. By ensuring both data at-rest and data in-transit are properly encrypted, your organization demonstrates to your customers that their data will be secured. In combination with other controls, data encryption provides valuable support on your organization’s journey to SOC 2 compliance.

Helping You Get There…

To learn more about data encryption, security controls, or our SOC 2 services, connect with a member of Boulay’s Risk Advisory Team today. We’re dedicated to helping you get there.

Boulay provides the information in this article for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy, or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability, and fitness for a particular purpose.
