In addition to the efficiency of the software, data security is a key criterion when choosing a SaaS solution. Among the existing certifications, SOC 2 (System and Organization Controls 2) ensures compliance with security standards in data management. But what is a SOC 2 certification? And why is it worth taking into account when deciding on your EMOS solution? Let's take a look.
- SOC 2: what is it?
- SOC 2 and ISO/IEC 27001: what are the differences?
- What is the link between data, EMOS and SOC 2 reports?
SOC 2: what is it?
SOC 2: an assurance of data security
The SOC 2 is a certification developed by the AICPA (American Institute of Certified Public Accountants), which is increasingly taken into account internationally, particularly in Europe. It concerns companies that provide services and systems to their customers, such as cloud computing, SaaS or PaaS.
Its purpose? To review the services provided by a company to enable users to assess and address the risks associated with an outsourced service.
The client organization can thus ask the service provider to provide an audit report, especially if confidential information is entrusted to it.
Good to know
Like many certifications, SOC 2 isn't mandatory. However, it is highly recommended: obtaining it is a guarantee of confidence and quality of service.
The principles of the SOC 2 standard
The SOC 2 standard defines data management criteria based on the AICPA's Trust Services Criteria (TSC). More broadly, it is based on the three main principles of cybersecurity.
- Availability. The system is operational and ready to be used as agreed.
- Integrity. Data should only be modified by authorized persons and according to a defined process.
- Confidentiality. Information deemed confidential is protected in accordance with the commitments and regulations in force.
Traceability, i.e. keeping a record of data movements, is often overlooked by newcomers but is also essential to ensure that the three previous conditions are respected and maintained over time.
There are two types of SOC 2 reports.
- Type 1, produced in the first year of the audit, focuses on the design of the controls (their theoretical side).
- Type 2, based on practice, is produced in subsequent years and certifies that the controls have operated effectively over a complete period.
Note: Obtaining the SOC 2 certification demonstrates that a solution meets the above criteria.
SOC 2 and ISO/IEC 27001: what are the differences?
When we talk about cybersecurity, one might naturally think of the ISO/IEC 27001 standard, which specifies the requirements for Information Security Management Systems (ISMS). More widely used in Europe, it serves as a reference for an eponymous certification.
The SOC 2 reports, on the other hand, are more commonly used in Australia, Asia-Pacific and the Americas, and relate to the controls in place for data security.
The ISO/IEC 27001 and SOC 2 standards share common criteria (CC) requirements: an internationally recognized set of standards whose objective is to evaluate the security of computer systems and software in an impartial manner.
What is the link between data, EMOS and SOC 2 reports?
SOC 2 is a regulatory protection against security threats that may arise when using an EMOS. But what is the actual connection between data, EMOS and SOC 2?
Reminder: how an EMOS works
The Data Collector implemented on the customer's IT system retrieves data, hosts it in the cloud and processes it on the customer's platform in the form of indicators, charts, etc.
Energy data: information to protect
The use of an EMOS (Energy Management and Optimization System) leads to the addition, removal and processing of sensitive information within the user's SCADA system. This is a risk factor, which could for instance lead to an infection from the provider that spreads to the customer's system.
The challenge for the EMOS user is to ensure that the provider is reliable. To do this, they can either:
- Be proactive: define their own security requirements and impose them on the chosen provider (a laborious option, since it requires sufficient expertise in information systems security).
- Rely on robust international standards and choose an ISO/IEC 27001 or SOC 2 certified provider.
Securing your data: a profitability lever for your company
Each company has its own risk tolerance, i.e. a level of overall risk that it can assume in pursuit of its strategic objectives. However, every risk has a cost: this cost is calculated from the average cost incurred when the risk materializes and the probability of its occurrence.
A certified provider is an additional means of reducing this probability of occurrence and of keeping the company's risk level under control. It is therefore essential to understand IT security in your company.
Secure your data to reduce the cost of risk
The cost of a phishing attack can be relatively high for an organization. By reducing an employee's propensity to click on a malicious link, or by reducing the amount of data exposed, the average cost of risk decreases.
Offering a highly secure EMOS solution to our customers is one of METRON's priorities. Certified SOC 2 Type 1 in 2021 and in the process of obtaining SOC 2 Type 2, we are always looking for ways to make your energy data more secure. Our next goal is to obtain the ISO/IEC 27001 certification in the near future. Are you planning to equip yourself with an EMOS and would like to know more about data security by METRON?