AI Blog: SOC2

24 January 2025

Welcome back to our AI blog.  Today, we consider what SOC 2 actually is.

Recently, we mentioned that the Team plan of ChatGPT is SOC 2 compliant, but what did we actually mean by this?  It’s important to understand both the regulatory and compliance environments that should be considered when discussing AI.

SOC 2

SOC 2 stands for Service Organization Control Type 2 and is a framework created by the American Institute of Certified Public Accountants (AICPA). This framework is designed to improve the cybersecurity of companies, ensuring that third-party services manage client data securely.

To obtain SOC 2 certification an organisation must undergo a SOC 2 audit, performed by an independent, external auditor. This auditor will assess the organisation’s controls and see if they comply with the five trust service criteria of SOC 2.

Rather than have a broad range of prescriptive rules for all organisations to follow, SOC 2 instead uses these five trust service criteria.  Organisations are expected to identify which are applicable to their services, identify any gaps that need to be addressed and then implement any required internal controls before undergoing a SOC 2 audit.

The five trust service criteria are as follows:

  1. Security: both the data held and the services themselves should be adequately protected against unauthorised access. Controls should be in place to keep data safe and to prevent unapproved disclosure, alteration or removal of confidential information.
  2. Availability: systems should remain operational and available as agreed upon in service-level agreements. The system should be designed to remain functional as laid out in those agreements, avoiding unexpected downtime and network failures and adequately handling the expected number of users.
  3. Processing Integrity: system processing should be complete, accurate, timely and authorised. This means that systems should achieve their purpose without unnecessary delays, errors or bugs.
  4. Confidentiality: confidential information should be adequately protected and only be accessible by authorised individuals. Information that is identified as confidential should be safeguarded throughout its lifecycle. Typically, it must be encrypted both while being stored and while being transferred to ensure that it remains accessible only to the intended users.
  5. Privacy: any personal information must be collected, used, retained and disclosed in compliance with privacy policies and regulations. Any personally identifiable information (e.g. full name, bank account number, e-mail address, date of birth) should be protected from breaches and unauthorised access, typically through the use of two-factor authentication and encryption.

Next week, we’ll discuss toenail extraction whilst watching paint dry.

Join us next time for more on AI!