What is a SOC 2 Examination?

SOC 2® Type 2 Definition

SOC stands for “system and organization controls,” and the controls are a series of standards designed to help measure how well a given service organization conducts and regulates its information and internal processes. The purpose of SOC standards is to provide confidence and peace of mind for organizations when they engage third-party vendors, like ITS Fiber, for critical-level services (i.e., Data Center or Cloud Services).

The AICPA created the SOC guidelines to provide an authoritative and independent benchmark for service organizations to demonstrate implementation of proper control procedures and practices.

The SOC 2® examination is the assessment of an organization’s controls as they relate to the AICPA’s (American Institute of Certified Public Accountants) five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. It requires companies to establish and follow strict policies and operating procedures that adhere to these principles and guidelines.

An organization that has completed a SOC 2 examination and report has been audited by an independent certified public accountant who determined the firm has the appropriate SOC safeguards and procedures in place. More specifically, SOC 2 examinations focus on how client data is stored and protected, and the SOC 2 is a more technical, security-focused report than a SOC 1.

The SOC 2 report is the result of this examination and can be given, on an as-needed basis, to clients, prospects, business partners or regulators who need insight into the company’s operations, but the details of the report are not to be marketed to the public.

The Type 2 level of examination not only looks at the policies and procedures in place at a given point in time, but also validates their effectiveness over a period of six months or longer.

ITS Fiber’s SOC 2 Type 2 Examination and SOC 3 Report

As previously stated, the SOC 2 examination focused on ITS Fiber’s adherence to the five Trust Service Principles and Criteria set forth by the American Institute of Certified Public Accountants (AICPA). These principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Through the security compliance examination process, ITS Fiber demonstrated that they are committed to providing the highest quality data center, cloud and broadband solutions and that their technology and procedures go beyond security best practices. As part of the security attestation process, an independent third-party audit firm confirmed that ITS Fiber’s security policies, procedures, and operations rigorously protect the consumer and business data managed by the company and their ITS Fiber Data Center.

What is also notable about our most recent SOC 2 evaluation is that the number of specific and new criteria needed to achieve a completed report was almost double that of previous years.

Our SOC 3® Report

The SOC 3 report covers the same subject matter as a SOC 2 and reflects ITS Fiber’s commitment to practicing the most rigorous security and operational procedures for customers’ critical data and privacy. However, its use and distribution are not restricted. The description of the system is less detailed than in a SOC 2, and the report is primarily used for marketing purposes. The SOC 3 report is designed to meet the needs of users who need assurance about the controls at a service organization, but do not have the need for or the knowledge necessary to make effective use of a restricted, lengthy SOC 2 report. SOC 3 reports can be made publicly available via a company’s website.

The SOC 3 report for the general public shows ITS Fiber’s commitment to practicing the most rigorous security and other procedures to serve our customers’ critical data security and privacy needs. It is designed to meet the needs of clients or prospective clients who need assurance about the controls at a service organization, but do not have the need for or the knowledge necessary to make effective use of a restricted, lengthy, SOC 2 Report.

Common SOC 2® Type 2 Questions

How is SOC 2 Type 2 Different than Type 1?

While the Type 1 report highlights our policies and procedures for ensuring Trust Factor criteria, the Type 2 process requires a minimum 6-month audit period by a third party. In other words, the SOC 2 Type 1 is a point-in-time measurement of the policies and procedures used to manage the Trust Factors, while the SOC 2 Type 2 proves that those policies are followed, with hard evidence, over a 6-month or longer reporting window.

What Does the SOC 2 Type 2 Audit Examine?

SOC 2 looks at five Trust Factors of secure data processing or storage and a company’s overall departmental operations. Demonstrating proficiency across one or more of these criteria is an attestation to the privacy and security controls of a company:

  • Security: the system is protected against unauthorized access, both physical and logical 
  • Availability: the system is available for operation and use as committed or agreed 
  • Processing Integrity: system processing is complete, accurate, timely, and authorized 
  • Confidentiality: information designated as confidential is protected as committed or agreed 
  • Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP)

SOC 2 reports can address one or more of the above Trust Factors. ITS Fiber felt that all of these areas (Security, Availability, Processing Integrity, Confidentiality and Privacy) were significant and notable areas of focus for our audit.

What is a SOC 3® Report?

A SOC 3 report is the general public use version of the SOC 2 report; SOC 3 reports can be freely distributed to anyone.

What Does SOC 2 Type 2 Compliance Mean for ITS Fiber Customers?

Today, companies increasingly require their vendors to prove they are properly protected by asking to view a completed SOC 2 audit. The SOC examination and corresponding report demonstrate to you, the client, the level of maturity of ITS Fiber’s security and control environment. Organizations have always made the claim (and will continue to do so) that they are properly securing the data of their customers. But a SOC 2 report, backed by AICPA standards, is indisputable evidence of that claim.

For companies concerned with security and controls, a SOC examination gives assurance to your company that ITS Fiber:
  • Has strong, best-in-class controls and safeguards in place to ensure the confidentiality and privacy of our data and yours,
  • Has strict adherence to security and a willingness to invest the time and money to prove it,
  • Understands security and its importance to our clients.

Because cybersecurity is such a major priority for companies, ITS Fiber’s SOC 2 assessment and corresponding SOC 3 report on controls relevant to the five Trust Service Criteria (security, availability, processing integrity, confidentiality, and privacy) should substantially reduce any concerns you may have about using our IT, cloud or data center services.