The Service Organization Controls 2 (SOC 2) report is intended to support a broad range of customers and provides assurance related to the service organization’s controls supporting achievement of the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services Categories – Security, Availability and Confidentiality (as applicable). CenturyLink (the “service organization”) undergoes annual Type 2 SOC 2 assessments.
SOC 2 reports are intended to meet the needs of a broad range of users that need information and assurance of the controls at a service organization using the five categories (as applicable). SOC 2 reports are an alternative to SOC 1 examinations, which may only opine on a service organization’s controls that are likely to be relevant to user entities’ internal controls over financial reporting.
Report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is generally restricted.
Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. Use of these reports is generally restricted.
SOC 2 Reports address one or more of the following five categories:
SOC 1 provides customers assurance of controls at the service organization relevant to customers’ internal control over financial reporting.
SOC 2 provides customers assurance of controls at the service organization relevant to the achievement of the AICPA Trust Services Categories and related criteria. The AICPA Trust Services Categories include Security, Availability, Confidentiality, Processing Integrity, and Privacy.
SOC 3 is a general-use report based on the AICPA’s Trust Services Categories and related criteria. A SOC 3 report can be made publicly available as it does not contain all of the details of the SOC 2 report.
A Type 1 report describes the service organization’s controls as of the specified report date (point in time). This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor’s opinion, management’s assertion, and the description of the system, including the controls specified by the service organization to meet the intended control objectives (SOC 1) or Trust Services Criteria (SOC 2).
A Type 2 report focuses on both the design and operating effectiveness of controls throughout the specified review period (recommended as a minimum of six months or greater). Type 2 reports include all of the information in a Type 1 report along with the testing performed by the service auditor and corresponding test results for each control activity.
Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report. Additionally, as a result of various legislative requirements, like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.
No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “…controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “…report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that hosting providers cannot use SOC 2 examinations as a substitute for SOC 1 examinations.
These colocation data centers are certified for SOC1 Type 2 and SOC2 Type 2 compliance:
Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.
Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.
A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.
Gives a range of storage options including data replication and backup/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.