Is your supply chain software SOC-2 compliant? Here’s why it matters | 2022-01-30

When searching for security frameworks, the alphabet soup SOC-1, SOC-2, HITRUST, ISO 27001, ISO 27701, ISO 22301, FedRAMP 3PAO, CMMC 3PAO, QSAC, and CSA STAR can make your head spin.

SOC-2, however, should be a priority for supply chain software users.

Developed by the American Institute of CPAs (AICPA), SOC-2 – pronounced “sock two” – defines criteria for handling customer data based on five principles: security, availability, processing integrity, confidentiality and privacy. It is a rigorous auditing framework, which has become a gold standard for ensuring that software vendors manage data responsibly and securely.

As more manufacturers, distributors, and other supply chain players embrace digital transformation, security audits are becoming increasingly critical. The cost of data breaches, privacy breaches, or system downtime far exceeds the cost of a SOC-2 certification.

Digital threats and attacks continue to evolve, and successful companies in the supply chain industry will be the ones to recalibrate their security strategies. Those who do not prioritize safety will be at a serious disadvantage. When a company undergoes a SOC-2 audit, it demonstrates to key stakeholders its commitment to providing safe and secure services and ensuring that their customers’ information and assets remain tightly protected.

Here is a breakdown of the five fundamental principles of auditing:

Security. Systems must be well protected and uncompromising in their access and authorization architectures. Unauthorized disclosure of sensitive information or exposure of systems cannot be tolerated. As raw material supply chains become increasingly digitized, it is essential to secure them with the same intent as we would secure physical premises.

Availability. Information systems must be accessible internally and externally when needed. This is not a specific measure of server uptime, but an assessment of whether the appropriate processes are in place to operate, maintain and monitor a system. Supply chains, more than ever, deserve to be monitored 24/7, and modern systems should enable this.

Processing integrity. Systems must operate efficiently, achieve their specified goals without unnecessary delays or data manipulation, and process data validly and accurately. Poorly managed data hinders reporting and the decision making that depends on it.

Confidentiality. Sensitive information should be stored and handled in such a way that unauthorized parties can never see it. This is especially important for supply chain platforms where many parties can access certain software, but should only see certain information, not that of their counterparties.

Privacy. Closely related to confidentiality, the AICPA outlines requirements for privacy notices and for the disclosure of the personal information an organization collects.

SOC-2 is rigorous, but it’s important to remember that certification does not equate to a “perfect system”.

The cybersecurity landscape is changing faster than almost any other area of IT or engineering. Daily software updates, patches, and constant discussions aim to fix issues with the underlying software systems we use every day – and that requires an organization that pays close attention to the criteria outlined above.

SOC-2 should not be viewed as just another compliance issue or one more legal requirement. It is a very concrete policy framework on how to approach the design of secure systems on large-scale platforms. And as supply chains digitally transform, companies should require the software vendors they work with to also be SOC-2 compliant.

Scott Evans is co-founder and CEO of Bridge.