The SOC 2 Cloud Security Standard
SOC 2 (Service Organization Control) is a certification issued by the American Institute of Certified Public Accountants (AICPA). It evaluates the security, availability and processing integrity of an organization's information systems, and how well the organization maintains the confidentiality and privacy of data. SOC 2 reports are relevant for any company that stores its clients' data in the cloud using SaaS (Software as a Service).
To achieve SOC 2 compliance, it is necessary to take the following steps:
1. Monitor unusual system activity, system configuration changes, and modification of user access levels. Normal activity needs to be baselined, so abnormal activity can be detected.
2. Alerts must be implemented to notify users about security threats, and these alerts must not fire on false positives too often. Alerts should be issued for unauthorized file transfers and for the disclosure of data or data controls.
3. Audit trails should track changes to key system components; modifications to data; and the extent and source of an attack.
4. An organization must have the ability to respond rapidly to attacks. In order to do this it has to know where attacks originate; which parts of a system an attack impacts; and how an attack will develop.
Relativity has received SOC 2 certification. Relativity One operates over Microsoft Azure, which is itself SOC 2 compliant.