System & Organization Controls

Talent Atlas is actively pursuing a SOC 2 attestation (SOC 2 is an independent auditor's report on the design and operating effectiveness of controls, not a certification). We are building our system from the ground up around the five Trust Services Criteria categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. These criteria are at the heart of the Talent Atlas system architecture.


Graphic Source: https://www.imperva.com/learn/data-security/soc-2-compliance/

As described by Wikipedia: “Trust Services Criteria were designed such that they can provide flexibility in application to better suit the unique controls implemented by an organization to address the unique risks and threats it faces. This is in contrast to other control frameworks that mandate specific controls whether applicable or not. Trust Services Criteria application in actual situations requires judgement as to suitability. The Trust Services Criteria are used when ‘evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality or privacy of information and systems used to provide products or services’ (AICPA – ASEC).

The organization of the Trust Services Criteria is aligned to the COSO framework’s 17 principles, with additional supplemental criteria organized into logical and physical access controls, system operations, change management and risk mitigation. Further, the additional supplemental criteria are shared among the Trust Services Criteria as Common Criteria (CC), with additional specific criteria for availability, processing integrity, confidentiality and privacy.

Common criteria are labeled as Control environment (CC1.x), Information and communication (CC2.x), Risk assessment (CC3.x), Monitoring of controls (CC4.x) and Control activities related to the design and implementation of controls (CC5.x). Common criteria are suitable and complete for evaluating the security criteria. However, there are additional category-specific criteria for Availability (A.x), Processing integrity (PI.x), Confidentiality (C.x) and Privacy (P.x). Criteria for each trust services category addressed in an engagement are considered complete when all criteria associated with that category are addressed.”

SOC 2 reports focus on controls addressed by five semi-overlapping categories called Trust Services Criteria, which also support the CIA triad (confidentiality, integrity, availability) of information security: [1]

Security – information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems.

  1. Firewalls
  2. Intrusion detection
  3. Multi-factor authentication

Availability – information and systems are available for operation and use as committed or agreed.

  1. Performance monitoring
  2. Disaster recovery
  3. Incident handling

Confidentiality – information designated as confidential is protected and made available only on a legitimate need-to-know basis. It applies to sensitive information of any kind, not just personal information.

  1. Encryption
  2. Access controls
  3. Firewalls

Processing Integrity – system processing is complete, valid, accurate, timely and authorized.

  1. Quality assurance
  2. Process monitoring
  3. Adherence to principle

Privacy – personal information is collected, used, retained, disclosed and disposed of in accordance with the organization’s privacy notice and policy. Unlike confidentiality, privacy applies only to personal information.

  1. Access control
  2. Multi-factor authentication
  3. Encryption


Talent Atlas is building its system to deliver a SOC 2 compliant offering.