Archive

Introduction to SoftLayer’s Service Organization Control reports

Share this post:

What color SOCs do bears wear? I promise we’ll get to the answer, but first, a few words about the cloud.

I am often asked about IBM SoftLayer, cloud computing and why Service Organization Control (SOC) reports are important. The question comes up often enough for me to decide to write about it here.

Service Organization Control reports are issued by the American Institute of Certified Public Accountants (AICPA). There are three distinct reports: SOC1, SOC2 and SOC3 (AICPA breaks them down into additional sub-types, but we are not going to cover those here.) Truly enough to give an IT person a headache!

Before I reveal what color SOCs bears wear, let’s have a conversation on the various types of SOC reports.

Alright, what is a SOC1 report?

SOC1 reports are documentation of the internal controls that cover an organization’s financial statements. The information in the documentation is compiled during an audit by an outside company and included in the report. A type of organization that would use this type of audit and report is a trust department.

That was almost painless. What is a SOC2?

SOC2 reports are written documentation of controls (policies and procedures) that are related to data centers, IT managed services, software as a service (SaaS) vendors and many other technology and cloud computing-based businesses. Just like the SOC1, the information contained in the documentation is compiled during an audit by a third party.

Unlike the SOC1, there is a framework in the SOC2 that is a comprehensive set of criteria known as the Trust Services Principles (TSP) that comprise the following five sections:

• The security of the organization’s system.
• The availability of an organization’s system.
• The processing integrity of an organization’s system.
• The confidentiality of the information that the service organization’s system processes or maintains for user entities.
• The privacy of personal information that the organization collects, uses, retains, discloses and disposes of for users.

The easy way to view a SOC2 is to imagine a large report with comprehensive data center audit information that uses the TSP listed above (the data center reference may necessarily apply when referring to SaaS or managed services, but the same TSP holds true). It generally must be requested and is not freely distributed and is specialized in nature.

SOC2 is a deep dive of data center, cloud security and privacy controls.

That leaves a SOC3. What is it?

A SOC3 reports on the same information as a SOC2. The main difference is that a SOC3 is intended for a general audience. These reports are shorter and not as detailed as the others.

To recap, SOC1 is financials, SOC2 is in-depth security and privacy and SOC3 is a synopsis of what is contained in the SOC2.

Specifically to SoftLayer, the SOC2 is a very important report. Because we do not allow data center tours (would you want someone wandering around servers with your data?!), the SOC2 can give a customer the view needed to feel comfortable with your policies, procedures and operations. Why? They can have peace of mind knowing that a third party has done the audit and that the standard set of criteria from the AICPA has been used in reporting the findings. The SoftLayer SOC2 becomes a hard-copy data center tour for the customer and they never had to leave their desk!

You might wonder if a SOC1 or SOC3 is currently available for SoftLayer. There is a depreciated SOC1 that will be replaced in Q1 2015 with a fully qualified version and a SOC3 will be coming in Q1 as well.

Finally, to address that original question at the beginning: bears don’t wear SOCs—they have bear feet!

Feel free to comment below or connect with me on Twitter @MariHeiser to continue the discussion.

More stories

Why we added new map tools to Netcool

I had the opportunity to visit a number of telecommunications clients using IBM Netcool over the last year. We frequently discussed the benefits of have a geographically mapped view of topology. Not just because it was nice “eye candy” in the Network Operations Center (NOC), but because it gives an important geographically-based view of network […]

Continue reading

How to streamline continuous delivery through better auditing

IT managers, does this sound familiar? Just when everything is running smoothly, you encounter the release management process in place for upgrading business applications in the production environment. You get an error notification in one of the workflows running the release management process. It can be especially frustrating when the error is coming from the […]

Continue reading

Want to see the latest from WebSphere Liberty? Join our webcast

We just released the latest release of WebSphere Liberty, 16.0.0.4. It includes many new enhancements to its security, database management and overall performance. Interested in what’s new? Join our webcast on January 11, 2017. Why? Read on. I used to take time to reflect on the year behind me as the calendar year closed out, […]

Continue reading