Service Organisation Control (SOC) compliance is necessary for any business that handles sensitive data, like financial records or healthcare data, through Amazon Web Services (AWS).
Australian firms may need a SOC audit from an accredited organisation to ensure compliance and maintain the highest level of data protection. Learn how an AWS specialist like WOLK can help you prepare for a SOC audit and ensure the safe handling and storage of your most sensitive data.
The Five Trust Services Criteria
The versions of SOC that work best with AWS—SOC 2 and SOC 3—are based on five key principles known as the Five Trust Services Criteria:
-
*Security. *Protecting the data from unauthorised access, such as data breaches, misuse, or destruction.
-
*Availability. *Monitoring the systems hosting the data to ensure their continued availability to authorised users and clients.
-
*Processing integrity.* Ensuring the systems processing the sensitive data produce complete, valid, and accurate outputs, preventing errors or unintended modifications as much as possible.
-
*Confidentiality. *Protecting sensitive data or the confidential information it contains from restricted access or disclosure, such as proprietary data or a client’s personal information.
-
*Privacy.* Collecting, using, disclosing, retaining, and disposing of data in compliance with all relevant privacy legislation and rules, such as the Privacy Act 1988 and the Australian Privacy Principles (APPs).
To comply with either version of SOC, you must meet the Security criteria. Depending on your industry or business sector, you might also need to follow some or all of the other four trust services criteria.
Achieving SOC Compliance on AWS
Amazon handles compliance at the infrastructure level, meaning compliance is only guaranteed for the hardware and networking connections on which your data resides. Your organisation is responsible for security and compliance at all other levels: software, data, applications, and user access rights under the Shared Responsibility Model.
Businesses using AWS to manage sensitive data can tap into specific resources to help prepare for an audit and simplify the compliance process.
-
*AWS Artifact. *This resource allows your organisation to view the AWS SOC Reports and other audit documentation, such as ISO 27001. You can show copies of these reports to reduce your audit burden and demonstrate the infrastructure’s compliance.
-
*AWS CloudTrail. *This tool provides logging and auditing of all AWS accounts and activity in your AWS environment, such as user access or API calls. They are necessary for Security and Processing Integrity compliance.
-
*AWS Config. *This service monitors and records all configuration changes in your AWS environment, such as alterations to a security group, helping with Security and Availability compliance.
-
*AWS KMS. *Key Management Service (KMS) is a commonly used AWS service that lets organisations create and enforce strong data encryption and key management standards, which can help with Confidentiality and Privacy compliance.
Let WOLK Help You Prepare for a SOC Audit
Cloud computing and AWS experts like WOLK can help assess your needs and prepare you for a SOC audit. We handle everything from broad Well-Architected Reviews to gap assessments and specialized tasks like compliance monitoring and security checks. Every business is different—reach out to our team to learn how we can support yours.