Any company that wants to show they are serious about the safeguarding of data for potential clients - and themselves - will put themselves through the rigor of a SOC 2 audit.
SOC, short for System and Organization Controls, is a family of attestation reports defined by the American Institute of CPAs (AICPA). A SOC 2 report, issued by an independent CPA firm, assesses a service organization's controls over the security, availability, processing integrity, confidentiality, and privacy of the data it handles.
There are actually three types of SOC report. SOC 1 covers controls relevant to a customer's financial reporting, SOC 3 is a general-use summary of a SOC 2, and SOC 2 is the report companies typically require of potential vendors before bringing them on board and entrusting them with their data.
In higher education, the stakes for SOC 2 tend to be more complex than for a typical business. Higher Ed holds a lot of disparate data across many systems, and that sprawl creates security gaps that are ripe for exploitation by cyber criminals. The goal of SOC 2 isn't simply to check a box; it's to actually have better security in place for clients and for ourselves.
Cyber crime today is about opportunity more than anything, so any hole or weakness in your security posture leaves you exposed. There are also many different roles within a higher education setting (faculty, staff, students, contractors) that could potentially access sensitive information. The SOC 2 audit evaluates the controls and practices an organization has in place for the security, availability, processing integrity, confidentiality, and privacy of data. A report comes in two forms: a Type I describes the controls as designed at a point in time, while a Type II tests whether those controls actually operated effectively over a review period, commonly six to twelve months. When evaluating a vendor, the Type II report is the one to ask for.
What are key SOC 2 standards and considerations for higher education?
SOC 2 does not prescribe a fixed checklist of controls; each organization defines controls that meet the AICPA Trust Services Criteria, and the specific requirements vary with the circumstances of each higher education institution. Note that only the Security criterion (the "common criteria") is mandatory in every SOC 2 report; availability, processing integrity, confidentiality, and privacy are included only if the vendor puts them in scope, so always check which criteria a report actually covers. For higher education, there are some common threads that any college or university would want to ensure a potential vendor has covered in pursuing SOC 2.
Security of Data
Security can be all-encompassing, but it really boils down to protecting systems and data against unauthorized access, disclosure, alteration, and destruction, whether by outside attackers or by insiders exceeding their authorization.
Some of the common requirements within a SOC 2 audit might include:
- Access controls: Restricting access to authorized personnel on a least-privilege basis, with multi-factor authentication and periodic access reviews.
- Network security: Implementing firewalls, intrusion detection systems, and encryption of data in transit (for example, TLS).
- Physical security: Securing physical access to data centers and other sensitive areas.
- Incident response: Having tested plans in place to detect, contain, and address security incidents and breaches.
- Data backup and recovery: Regularly backing up data and periodically testing that backups can actually be restored.
A SOC 2 auditor tests whether a vendor such as CORE has controls like these in place and, for a Type II report, whether they operated effectively throughout the review period, so that higher education clients are safeguarded as well as possible.
Availability of Data
Protecting data is important, but so is keeping it available to the people who are entitled to use it. Availability covers whether systems are usable as committed in service-level agreements, and it is tested most severely by incidents that destroy or lock up data, such as ransomware. Higher education bodies should have assurance that a vendor keeps backups in a separate, isolated location that an attacker on the primary systems cannot reach, and that systems are continuously monitored so outages are detected quickly.
- Redundancy: Implementing backup systems to ensure continuity in case of failures.
- Monitoring: Regularly monitoring systems to detect and address performance issues.
- Disaster recovery: Having plans, with defined recovery-time targets, to quickly restore services in the event of downtime.
Processing Integrity
How is data processed, and how accurate is the result? Processing integrity means that system processing is complete, valid, accurate, timely, and authorized. It comes down to how robust your data processing is and how well you integrate with other technology systems.
This is key for higher education because institutions run many different systems, and data must be processed consistently across these disparate systems and processes.
Some of the key aspects for processing integrity in a SOC 2 audit include:
- Data validation: Ensuring accurate data entry and processing.
- Error handling: Implementing mechanisms to identify and address processing errors.
Confidentiality
Confidentiality is protecting sensitive information from unauthorized access: making sure only the right people can access information, and that they use it responsibly without exposing it further. Subthemes of confidentiality in SOC 2 for higher education include:
- Data classification: Categorizing data based on its sensitivity.
- Encryption: Using encryption to protect data both at rest and in transit.
- Access controls: Restricting access to sensitive data to authorized personnel.
Privacy
Privacy is all about the collection, use, retention, and eventual disposal of personal data.
Many institutions now have very clear standards in place for data retention - how long do we keep this data in our system before ridding our system of it? This is always a nuanced decision but one that should be understood with your vendor in relation to SOC 2.
To get as comfortable with a vendor’s SOC 2 privacy posture as possible, understand how they address the following:
- Data protection policies: How clear are their policies for handling personal data?
- Consent management: Do they obtain proper consent for collecting and using personal data?
- Data retention and disposal: What are the guidelines for retaining and deleting personal data?
All of these aspects of SOC 2 should be tailored to the unique needs and risks of a higher education institution. A third-party vendor needs to have broad umbrella-like controls in place, but there will obviously be nuance on a case by case basis and any master services agreement should be able to hammer out the finer details of how each of these (and more criteria) will be addressed.
CORE and SOC 2 Implementation
CORE is currently undergoing SOC 2 implementation, and the process itself is rigorous. The reason we are undergoing such a process is that the need for data protection and privacy is as important now as ever. We aim to have completed the process by the end of 2023.
The litany of cybersecurity attacks and breaches, particularly the recent large-scale exploitation of a zero-day vulnerability in the MOVEit Transfer file-transfer product, is only casting a hotter light on EdTech companies and their ability to put robust measures in place to keep threat actors from accessing and exposing data for extortion.
No process can prevent a zero-day flaw in a third-party product, but documented vulnerability management, prompt patching, least-privilege access, and network segmentation limit how far such a flaw can be exploited. Those are the measures to have documented and operating in order to reduce your exposure as much as possible.
For CORE, moving to this next stage of data protection and security posture makes sense: it gives our users peace of mind and assures them that we take their data as seriously as we take our own, in service of delivering a best-in-class experiential learning management experience.
CORE Higher Ed Team