Data security and SOC 2 user control considerations

Stylized image of an individual reviewing pieces of paper

So you’ve managed to align your current processes with SOC 2 requirements and are ready to start taking the data security world by storm. Great work! But first, you’ll want to make sure the necessary steps are being taken to ensure data and systems protection. Having robust user controls in place will facilitate an environment of data protection and SOC 2 compliance. 

Understanding SOC 2 and the user entity

SOC 2 controls account for a number of different physical and environmental safeguards that rely on the appropriate behavior of user organizations within the service organization’s system.


You may have read all about SOC 2 in our previous posts but to some, this might be a relatively new and albeit confusing topic. SOC 2 or (Service Organization Control Type 2) is a compliance framework developed by the AICPA (American Institute of Certified Public Accountants). The goal of it is to ensure service providers store customer data securely. The corollary to this is that it demonstrates you take user privacy very seriously. 

Complementary user entity controls

A user entity is an organization that utilizes the system, network, and data of a service organization. The user entity’s environment stipulates the use of CUECs (Complementary User Entity Controls) that remain the responsibility of the user entity.

For example, consider a user entity that sends financial information to a service organization. A CUEC listed at the user entity level may stipulate data being shared by the user entity be shared through encryption and will stipulate the type of encryption required. CUECs are a core component of the design and operating effectiveness of user control considerations when working with service organizations.

Ok, so now that we’ve gotten that out of the way, let’s dig a little bit deeper and explore some of those specific controls and the roles they play in protecting sensitive information. 

Access controls

Access controls are at play anytime a customer is allowing a user to access their data within a services’ environment. Physical access controls ensure that access to private data at the user entity level is based on a defined set of rules and policies. They can be granted, modified, or restricted based on how the service implements the controls. Controls can originate from a wide variety of mechanisms including: 

  • User authentication: User entities need to provide their credentials to authenticate their identity. This is where strong password policies like password complexity and expiration should come into place. 
  • Multi-factor authentication: MFA requires users to provide additional factors like security tokens or biometric identification in addition to usernames and complex passwords. While MFA has become a popular tool, it is not without its pitfalls so make sure your surrounding policies like password complexity and employee training are also up to par. 
  • Role-based access controls (RBAC): RBACs restrict organization access to data based on user role. It ensures that users only access data according to their job function. 
  • Access monitoring and logging: Policies that ensure continuous monitoring and logging of the data within the system can help identify unauthorized access and suspicious activity. Notifications to customers are the next logical step here for organizations looking to flex their data security processes. 
  • Regular access reviews: Periodic assessments of data by the customer can ensure that access to data is appropriate. 

Importance: Keeping user logs and working with auditors to check that users are being added and removed as described by the policy is one step to ensure that data is secure. Failing to make regular reviews of which authorized users no longer need access can leave you vulnerable to attacks that could disrupt your systems through malware and other threats. Additionally, when multiple user entities access one network system, the risk of an impact on vulnerable data becomes even greater. Thus, larger organizations should be especially vigilant.

Implementation: Access controls can be brought about by using an IAM solution (Identity Access and Management) that can consolidate the management of authorized users’ identities throughout multiple systems. The IAM can also regularly capture user access reviews as a function of logical access controls.

Data encryption

Controls for data encryption involve implementing encryption technologies for data stored in company systems both at rest and in transit. Stored data should be encrypted using industry-standard encryption methods like AES for data at rest and SSL/TLS for data in transit. 

Importance: Encryption is akin to the last line of defense for your data. Even if a bad actor gets into your system, they still won’t understand the information they have access to. 

Implementation: Data encryption might cause performance degradation. Therefore, it is important to minimize the amount of encryption you use by understanding where your data is stored and which of the data is the most sensitive. Advanced Encryption Standard (AES) is the most popular standard used in the industry with AES-128 being the fastest and AES-256 being the most resistant to cyberattacks. 

Logging and monitoring

User controls for logging and monitoring help detect suspicious activities. Logging records events and activities that occur within the system or network while monitoring involves the ongoing analysis of log data. 

Importance: User controls aligned with SOC 2 requirements help ensure the data has integrity and is secure and available. Logging and monitoring provide visibility into the behavior of users and applications. Preventative mechanisms can detect and respond to security concerns. 

Implementation: A variety of tools can be used when implementing logging and monitoring controls: 

  • Security information and event management (SIEM)
  • Intrusion detection systems (IDS)
  • Endpoint detection and response (EDR)

Implementation procedures involve configuring the logging and monitoring mechanisms to collect and analyze relevant critical data. Consolidated tools can be used to establish alert thresholds and notifications to customers based on suspicious activities found in the log data. 

Incident response

Security incidents are bound to happen. How you respond to the event will determine the potential regulatory fines you face for leaking PII (Personally Identifiable Information) and potential impact to brand reputation and financial risks.. 

Importance: Incident response is all about protecting data confidentiality and the availability of data within an organization’s systems. Failing to implement a SOC 2 compliant incident response protocol can be a major flaw that leads to significant organizational impacts. 

Implementation: SOC 2 compliant incident response controls should have the aim of mitigating security incidents that compromise customer data. Incident response plans should follow a pathway that includes planning, breach detection, containment, log investigation, and recovery. Post-incident analysis analyzes what went wrong, what can be improved, and updates the incident response document accordingly. Establishing clear procedures for cross-functional communication further mitigates security issues over time. 

Data backup and recovery

Data backup and recovery controls like conducting regular backups, managing backup storage, and maintaining backup verification protect against unexpected events by ensuring data is regularly backed up and can be recovered. Successful backup and recovery audits take into account the current risk landscape and set appropriate plans in place. 

Importance: Data backup and recovery are instrumental for business continuity during disasters. Without these controls, daily business activity may grind to a halt, leaving systems vulnerable to external attacks and in violation of regulatory policies. 

Implementation: Establishing backup procedures early on is critical to developing a foundation of excellence for data backup and recovery. This should involve determining data RTO (Recovery Time Objective) and RPO (Recovery Point Objective). These metrics will instruct how frequent data backups should occur as well as the minimum amount of data that can be lost to an unexpected disaster. 

This backup data should then be secured through encryption and access controls and undergo regular maintenance to ensure the systems are working appropriately. 

Business continuity and disaster recovery

Our old BCDR plan returns to us again, now as part of a requirement for the SOC 2 standard. BCDR focuses on the processes and procedures to ensure business continuity in the event of an unexpected disaster. It’s a good practice to make sure BCDR planning meets the needs of your most sensitive data.  

Importance: When mapping to SOC 2, availability is a key element of the Trust Service Criteria (TSC) that are predefined by AICPA (American Institute of Certified Personal Accountants) to comply with SOC 2. 

BCDR controls like redundant systems, regular data backups, and alternate work sites ensure these critical systems and data are available during a disruption. 

Mitigation is the name of the game here and the better you manage a disaster, the greater chance you stand in surviving harsh business conditions. Finally, you should run your controls through SOC 2 audits that can help uncover where certain cracks in the foundation may be residing. 

Auditing and reporting

Auditing plays a critical role not only in receiving compliance but also, more importantly, in setting up streamlined protections against bad data handling practices. 

For example, if your organization is not properly classifying data according to sensitivity and criticality, you might be setting yourself up for inadequate data protection practices. Additionally, the organization may not have a clear understanding of the nature and sensitivity of the data and the impact vulnerable security could have on the organization. 

SOC 2 for startups, Thoropass University
Visit the University
SOC 2 for Startups
what is soc 2 icon-arrow-long

SOC 2 reports

A SOC audit report assesses the policies and procedures for data handling and ensures the proper client control considerations are made. They note whether or not individual control objectives are met that account for data security and satisfy Trust Services Criteria. 

SOC 2 Type I 

The SOC 2 Type I report determines how effective a control is at a particular point in time. While it won’t assess how effective the control is over time, it can assure you of whether the control has been designed and implemented properly. 


SOC Type II reports can detail how well an organization’s controls can handle secure data over a longer period – usually six months or longer. They tend to provide a higher level of assurance than Type I reports because they require additional reporting on the controls over the time period to achieve accurate information. 

Audit testing

When you’re going through your audit, the auditor looking to test how effective your controls are at mitigating risks that could impact availability, processing, security, confidentiality, and privacy (aka the necessary components of the TSC required for SOC 2 compliance). They can turn to three different testing procedures that should give them a better picture of how well the controls are performing: 

Sample testing of user access:

You don’t need all user accounts to figure out if access across the entire system has been authorized appropriately. All you need is a sample size that tells you whether unauthorized users have been granted access to sensitive information. Audit teams can test this by attempting to access systems that specific user accounts should not have access to. 

SoD (Segregation of Duties) analysis:

When using your organization’s systems, you don’t want a user performing incompatible activities that could compromise the data and systems. 

For example, a financial services company would need to implement controls that prevent users from initiating and approving transactions in their accounting systems. This is where an SoD analysis can help identify and mitigate conflicts of interest. One solution could be to ensure authorization based on individual functions or roles. 

Review of user access logs:

Analyzing user access logs helps uncover suspicious activities by looking at access patterns. Audit teams can help by detecting and notifying customers of potential breaches. 

Close up of team members reviewing a checklist for HITRUST assessments

At the end of the day, you need to ensure your controls are adequate in context to your data sensitivity. Through a combination of reporting and auditing, you can ensure data remains available and safe for day-to-day business activities. Building these procedures into your overall plans can help achieve compliance but, more importantly, can save time in the event of potential data breaches. 

Control considerations start from the top

Creating a SOC 2-compliant organization isn’t just about implementing the right user controls in the right places at the right time to secure data. It is about cultivating a culture where influential messaging from the top filters through the organization’s policies and procedures. Setting up this control environment will establish a long-term approach to data security practices appropriate to your business needs.

Complying with SOC 2 can be tricky and complex. Unfortunately, it is a necessity in an age where data is simultaneously more important and more vulnerable than ever. If you need help updating or figuring out your specific compliance processes, don’t hesitate to reach out to an expert.  

Share this post with your network: