CenturyLink publishes a SOC 2, Type 2 report, providing an auditor’s detailed evaluation of the design suitability and effectiveness of the controls
Service Organization Control 2 (SOC 2) is another mechanism for providing assurance over the security and availability of customer data. A SOC 2 examination evaluates a service organization's system and controls against the criteria for the security and availability principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
In addition to individual data center audits, CenturyLink also publishes a SOC 2, Type 2 report. The SOC 2 report provides the auditor's detailed evaluation of the suitability of the design and the operating effectiveness of the controls. This report demonstrates CenturyLink's commitment to protecting the security and availability of customer data and provides evidence that our controls have been independently evaluated against a leading industry standard.
SOC 2 Reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization. These controls affect the security, availability and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. Similar to a SOC 1 Report, there are two types of SOC 2 reports:
Type 1: Report on management's description of a service organization's system and the suitability of the design of controls.
Type 2: Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls.
Use of both types of report is generally restricted (unlike a SOC 3, which is a general-use report).
SOC 2 Reports are examination engagements performed by an auditor in accordance with AT Section 101, Attest Engagements, of the Statements on Standards for Attestation Engagements (SSAEs), using the predefined criteria outlined in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. A system is designed, implemented, and operated to achieve specific business objectives in accordance with management-specified requirements.
The purpose of the system description is to delineate the boundaries of the system, which includes the services outlined above and the five components described below:
SOC 2 Reports specifically address one or more of the following five key system attributes: security, availability, processing integrity, confidentiality, and privacy.
A SOC 1 report is an examination under SSAE 16 or an equivalent standard (e.g. ISAE 3402, or the former SAS 70) and is used by customers when performing their SOX audits. A SOC 2 is a report on Security, Availability, Processing Integrity, Confidentiality and/or Privacy and is based on the Trust Services principles. A SOC 3 is a general-use Trust Services report and certificate based on the information from a SOC 2 examination.
A Type 1 report describes the service organization's controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor's opinion, management's assertion, and the description of the system.
A Type 2 report focuses on both the design and operating effectiveness of controls over a period of time of at least six months. It includes all of the information in a Type 1 report with the addition of the service auditor's description of the testing performed for each control and the results of that testing.
Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report. Additionally, as a result of various legislative requirements like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.
No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “…controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “…report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that hosting providers cannot use SOC 2 examinations as a substitute for SOC 1 examinations.
No. There is absolutely nothing in the current guidance that supports the position that SOC 2 is “better” or “more appropriate” than SOC 1 for data center examinations. Both guides contain unambiguous applicability requirements. Data centers either meet the requirements for SOC 1 and/or SOC 2, or they do not. In the absence of new AICPA guidance, all claims to the contrary are personal opinion and should be treated as such.
Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry-leading global network.
Experts at the ready to maintain and administer your cloud deployments, with rapid provisioning, hourly billing and a high degree of automation.
A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.
Provides a range of storage options including data replication and backup/archiving. CenturyLink solutions are secure, affordable and can provide data resilience of up to five nines (99.999%).