Why do we need to fill out Security Questionnaires if we have a SOC 2 Type 2 Report?

SOC 2 applies to any technology service provider or SaaS company that handles or stores customer data. Going through a SOC 2 audit is a rigorous 8-9 month process, but in spite of that, the organization’s customers may still require the organization to fill out an elaborate security questionnaire. While part of the questionnaire is typically customized to the prospective business between the two companies, a significant part of these security questionnaires relate to the cloud infrastructure and are generic in nature. These security questionnaires involve many controls not covered in the SOC 2 process and hence makes it difficult to provide a satisfactory response. So the question arises why there are these new sets of controls that were not covered in SOC 2. Why is just a SOC 2 Type 2 report not sufficient?

SOC 2 is non-prescriptive

SOC 2 is not a prescriptive list of controls, tools, or processes. It cites the criteria required to maintain robust information security, thereby allowing each vendor to adopt the practices and processes relevant to their own objectives and operations. For example, the Security Services criteria refers to the protection of information and systems from unauthorized access, but leaves the details of implementation like firewalls, two factor authentication, etc., up to the vendor. Some vendors may make a determination that only an inbound firewall is necessary while others may want an outbound proxy, while a third might want to block all external access. Some may find an Intrusion Detection mechanism unnecessary and so on. Because of this ambiguity, the customer’s IT team will not rely purely on the judgment of the vendor, but instead will require the vendor to implement controls that meet their own IT standards. Some examples are:

  • Intrusion Detection and Prevention
  • Outbound Network Proxy
  • Allowed Encryption Ciphers
  • Image baseline configuration

SOC 2 Auditors are CPAs, not Security Specialists

Many technology leaders ask us why a financial specialist performs the SOC 2 audit rather than someone with cyber security credentials. There are a few reasons:

  • SOC 2 is a standard from American Institute of CPAs (Certified Public Accountants)
  • Attestation standards, such as SSAE18, and the #SOC 2 Trust Services Criteria, were codified by the AICPA
  • CPAs are subject matter experts in risk management
    • It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk

While CPAs understand how to use their professional judgment to determine if the security risks are mitigated, they do not know the nuances of application security configurations and their implementation. They don’t have certifications in the security domain like AWS, Azure, Offensive Security Certified Professional (OSCP), etc.

There is no Pass-or-Fail in SOC 2

SOC 2 reports are simply a summarization of the control design and depending on the type of report being issued, the effectiveness of those controls. While the service auditor will include their opinion in the report, there is no “pass or fail” component and therefore no certification. SOC 2 reports are intended to give service organizations vital insight into their system controls in order to determine whether or not additional action needs to be taken to increase security measures. These reports can sometimes be more subjective and at times even abstract.  

Conclusion

SOC 2 is an important compliance standard and is probably the most widely adopted in the industry. While there is strong focus on processes and policies, the security controls are non-prescriptive. The audit process does not involve much depth in the implementation of infrastructure security, neither are the auditors required to be certified in the area of cybersecurity. Despite the widespread use of SOC 2, it’s easy to understand why client IT organizations don’t completely rely on a SOC 2 report, but prefer instead to validate for themselves based on a set of prescriptive security controls.

Security questionnaires are therefore the best way to obligate a vendor to adhere to each company’s security posture.