Data security refers to the controls implemented by a company to protect its data from unauthorized access, corruption, and theft. A good control environment around data security isn’t built on trust alone; it’s built on a combination of controls that are operating effectively, allowing corroboration and adequate oversight.
Behind the polished “Security” page of many corporate websites lies a different reality that we, as auditors, may see every day. In practice, data security isn’t a destination—it’s a living, breathing set of habits that are either protecting your company or quietly eroding your defenses.
When I walk into a SOC 2 audit, I’m not just looking for a firewall. I’m looking for the “muscle memory” of the organization. In this guide, we’ll move past the generic definitions to explore what data security actually looks like under the microscope of an audit, where well-intentioned companies fall short, and how you can bridge the gap between “having a security policy” and being secure.

The Auditor’s Notebook: What We Actually See During Fieldwork
If you’re preparing for a SOC 2 audit based on the trust services criteria relevant to security, you might be surprised by where we generally find issues. It’s rarely the lack of a tool; it’s the lack of follow-through. Here are three common exceptions seen in many “first-time” audits:
- The Access Review: A company maintains a robust access control policy, but when we pull the current user list for an in-scope system, a former employee still appears with active access. Human Resources (HR) completed the offboarding, but the manual step of removing every system account was missed. Quarterly access reviews that reconcile each system's user list against the HR roster help make sure access across the organization remains appropriate and help detect permission creep.
- The Third Party: Clients often collect SOC 2 reports from their sub-service providers (e.g., AWS or their payroll software) but never actually read them. If a sub-service provider's report carries a qualified opinion and nobody noticed, your own data may be at risk. In addition, the provider's controls only work as designed if you operate the complementary user entity controls (CUECs) listed in its report; the provider's controls will not compensate for gaps on your side.
- The Incident Response Plan: Companies should have an Incident Response Plan (IRP). But when asked, “When was the last time you ran a tabletop simulation for a cyberattack?” the room often goes silent. An untested IRP is just a plan in a folder, not a defense mechanism.
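The offboarding gap in the first exception above, and the timestamped access-review results auditors later ask for as evidence, can both be produced by reconciling an HR roster against each in-scope system's user export. The following is an added example in Python, not code from the original article or from Linford and Company; the roster, the user export, the review date and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access review: reconcile an HR roster against a system's user export.

Added example, not from the original article. The HR roster, the user
export, the review date and the 90-day dormancy threshold are constructed
for illustration; in practice these come from your HRIS and SSO/app exports.
"""
from datetime import date

DORMANT_DAYS = 90  # assumed policy threshold (not stated in the article)

# Constructed HR roster: employment status as HR records it.
HR_ROSTER = {
    "alice": {"status": "active", "termination_date": None},
    "bob": {"status": "terminated", "termination_date": date(2024, 3, 15)},
    "carol": {"status": "active", "termination_date": None},
}

# Constructed user export from an in-scope system (e.g., the SSO provider).
SYSTEM_USERS = [
    {"username": "alice", "role": "developer", "enabled": True, "last_login": date(2024, 6, 1)},
    {"username": "bob", "role": "admin", "enabled": True, "last_login": date(2024, 4, 2)},
    {"username": "carol", "role": "support", "enabled": True, "last_login": date(2024, 1, 10)},
    {"username": "deploy-svc", "role": "admin", "enabled": True, "last_login": date(2024, 6, 5)},
]


def reconcile_access(hr_roster, system_users, review_date, dormant_days=DORMANT_DAYS):
    """Return the exceptions an access review should surface.

    Each finding maps to something an auditor would write up:
      terminated_with_access - HR offboarded the person, account still enabled
      dormant                - no login within dormant_days (candidate for removal)
      not_in_hr              - no human owner in HR (service/shared account that
                               needs a documented owner and justification)
    """
    findings = []
    for user in system_users:
        if not user["enabled"]:
            continue  # a disabled account is not an exposure
        name = user["username"]
        record = hr_roster.get(name)
        if record is None:
            findings.append({"username": name, "issue": "not_in_hr", "role": user["role"]})
            continue
        if record["status"] == "terminated":
            term = record["termination_date"]
            findings.append({
                "username": name,
                "issue": "terminated_with_access",
                "role": user["role"],
                "days_since_termination": (review_date - term).days,
                # A login after the termination date is worse than a stale account.
                "logged_in_after_termination": user["last_login"] > term,
            })
        idle = (review_date - user["last_login"]).days
        if idle > dormant_days:
            findings.append({"username": name, "issue": "dormant", "role": user["role"],
                             "days_since_login": idle})
    return findings


def summarize(findings):
    """Count findings by issue type; a clean review returns {}."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


def run_review(review_date=date(2024, 6, 30)):
    """Run the review over the constructed data (the review date is assumed)."""
    return reconcile_access(HR_ROSTER, SYSTEM_USERS, review_date)


if __name__ == "__main__":
    results = run_review()
    for finding in results:
        print(finding)
    print("summary:", summarize(results))
```

Against the constructed data the review flags bob (offboarded in March, admin account still enabled and used afterwards), carol (no login for more than 90 days) and deploy-svc (no HR owner). Saving the output together with the review date and the reviewer's sign-off is the timestamped artifact an auditor will ask for.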
SOC 2 Data Security Considerations: What Auditors Will Request
For a Type II report, the auditor asks for tangible evidence that controls operated effectively throughout the review period, not just on the day of the audit; a Type I report only evaluates the design and implementation of controls as of a point in time. Either way, a written policy on its own is not evidence.
Evidence Commonly Requested
- Identity Management: Evidence of multi-factor authentication (MFA) enforced for all users, configuration settings from your single sign-on (SSO) provider, and timestamped results of your last access review.
- Endpoint Protection: Mobile device management (MDM) configuration settings showing that managed workstations are required to have full disk encryption and antivirus/antimalware software, plus a screenshot from a sample endpoint showing that full disk encryption is actually enabled and the antivirus/antimalware agent is installed and running.
- Vulnerability Scans: Proof that scans run on a regular schedule and that patches are applied within policy-defined timeframes that depend on severity (e.g., 30 days for critical findings), including evidence of when each finding was first detected and when it was remediated.
- Evidence of Encryption: Configuration settings showing that sensitive data is encrypted “at rest” in your databases and “in transit” via TLS.
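The vulnerability-scan item above is tested by timeline: the auditor samples findings and checks that each was remediated within the policy window for its severity, and a patch that landed late is still an exception. The following is an added example in Python, not code from the original article or from Linford and Company; the severity-to-days policy, the scanner findings and the review date are constructed assumptions.

```python
"""Patch SLA check: which vulnerability findings are past the policy deadline?

Added example, not from the original article. The severity-to-days policy,
the scanner findings and the review date are constructed; an auditor samples
real scan exports and the change tickets that closed each finding.
"""
from datetime import date

# Assumed remediation policy: days allowed from first detection, by severity.
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 90}

# Constructed scanner export: one row per finding per host.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical", "first_seen": date(2024, 5, 1), "fixed": date(2024, 5, 10)},
    {"id": "F-2", "host": "db-01", "severity": "critical", "first_seen": date(2024, 5, 20), "fixed": None},
    {"id": "F-3", "host": "web-02", "severity": "high", "first_seen": date(2024, 4, 1), "fixed": date(2024, 5, 15)},
    {"id": "F-4", "host": "app-01", "severity": "medium", "first_seen": date(2024, 6, 1), "fixed": None},
]


def sla_status(finding, as_of, sla=REMEDIATION_SLA_DAYS):
    """Classify one finding: 'met', 'open_within_sla' or 'breached'.

    Open findings age until as_of; closed ones stop aging on the fix date, so
    a fix applied late still counts as a breach (auditors test the timeline,
    not just whether the patch eventually landed).
    """
    allowed = sla[finding["severity"]]
    end = finding["fixed"] or as_of
    age = (end - finding["first_seen"]).days
    if age <= allowed:
        return "met" if finding["fixed"] else "open_within_sla"
    return "breached"


def days_overdue(finding, as_of, sla=REMEDIATION_SLA_DAYS):
    """Days past the deadline (negative while still inside the window)."""
    end = finding["fixed"] or as_of
    return (end - finding["first_seen"]).days - sla[finding["severity"]]


def sla_report(findings, as_of, sla=REMEDIATION_SLA_DAYS):
    """Counts by status plus the list of breached findings, worst first."""
    counts = {"met": 0, "open_within_sla": 0, "breached": 0}
    breached = []
    for f in findings:
        status = sla_status(f, as_of, sla)
        counts[status] += 1
        if status == "breached":
            breached.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                             "still_open": f["fixed"] is None,
                             "days_overdue": days_overdue(f, as_of, sla)})
    breached.sort(key=lambda b: b["days_overdue"], reverse=True)
    return {"as_of": as_of.isoformat(), "counts": counts, "breached": breached}


def run_report(as_of=date(2024, 6, 30)):
    """Run the report over the constructed data (the review date is assumed)."""
    return sla_report(FINDINGS, as_of)


if __name__ == "__main__":
    import json
    print(json.dumps(run_report(), indent=2))
```

On the constructed data F-2 is an open critical finding 26 days past its window and F-3 was patched, but 14 days late; both are exceptions even though one is closed. Running this against each scan export and keeping the output is the kind of recurring evidence that shows the control operating over the Type II period.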

Why is Data Security Important? (The Stakeholder’s Perspective)
Beyond passing a SOC 2 audit, data security is the foundation of an organization's reputation. Prospective customers are increasingly unwilling to sign a service agreement until they have seen a clean SOC 2 report. The benefits of data security are clear:
- Competitive Advantage: A SOC 2 report proves to prospective customers that they can trust your company with their data, often shortening the sales cycle.
- Operational Maturity: Building controls that help achieve compliance with the applicable SOC 2 criteria encourages your company to move away from “ad-hoc” fixes to scalable, repeatable processes.
- Mitigation of Financial Loss: Ransomware payments, or substantial fines for non-compliance with laws like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), can cripple a growing company.
Building a Layered Defense: Modern Data Security Measures
No single "silver bullet" mitigates data security risk; a "defense in depth" strategy, in which several independent controls each have to fail before data is exposed, is the better approach.
1. Information Security Awareness Training
People can be your strongest link if they are skeptical of suspicious emails and links, or your weakest link if they are easily persuaded to click. Information security awareness training, delivered to new hires during onboarding and to all staff at least annually, keeps staff current on the latest schemes attackers use.
2. The Principle of Least Privilege
Users should only have the access needed for their specific job responsibilities. This is the core of how to provide data security effectively: if a marketing manager’s account is compromised, the attacker shouldn’t be able to access the source code or customer payment data.
3. Identity and Access Control (Modern Standards)
Modern identity and access management guidance focuses on:
- Password Managers: Encouraging employees to use tools to generate and store unique, 12+ character passphrases.
- Multi-Factor Authentication (MFA): One of the most effective controls against unauthorized access with stolen or guessed credentials, MFA should be enabled on every system that supports it.
- Conditional Access: Policies in place that only allow logins from trusted geographic locations or “managed” devices.
4. Data Encryption
Encryption transforms data into a form that cannot be read without the correct decryption key. Encrypting customer data at rest and in transit, and enabling full disk encryption on workstations, are common data security controls.

Who’s Responsible for Data Security in the Cloud?
Don’t assume your cloud sub-service provider (e.g., AWS, Google Cloud Platform, etc.) handles everything: cloud hosting services operate under a shared responsibility model for data security in the cloud.
- The Sub-Service Provider is responsible for the security of the cloud (e.g., physical servers, data centers, etc.).
- The User Entity is responsible for the security of data in the cloud (e.g., configurations, encryption settings, user access, and firewall rules, etc.).
A misconfigured S3 bucket or database is therefore a threat to data security in the cloud that the provider's own controls do not address, and it increases the risk to data confidentiality, integrity, and availability.
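The customer side of the shared responsibility model is concrete: the bucket policy, the account's public access block settings and default encryption are all the user entity's configuration, and all three can be checked from an inventory export. The following is an added example in Python, not code from the original article, from Linford and Company or from AWS; the bucket records are constructed to resemble the S3 GetBucketPolicy, GetPublicAccessBlock and GetBucketEncryption results, the bucket names, ARNs and VPC endpoint ID are made up, and the "public" test is a deliberate simplification of AWS's definition.

```python
"""Customer-side cloud check: does an S3 bucket's own configuration expose it?

Added example, not from the original article and not an AWS tool. The bucket
records are constructed to resemble what the S3 GetBucketPolicy,
GetPublicAccessBlock and GetBucketEncryption calls return for each bucket;
the "public" test is a simplification of AWS's definition (an Allow statement
whose Principal is everyone and that carries no Condition).
"""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def is_public_statement(stmt):
    """True for an unconditional Allow to everyone.

    Simplification: any Condition block is treated as narrowing the grant
    (AWS only treats a specific set of condition keys that way).
    """
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        return not stmt.get("Condition")
    return False


def assess_bucket(bucket):
    """Return a list of findings for one bucket; an empty list means it passes."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    policy = json.loads(bucket["policy"]) if bucket.get("policy") else {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    public = [s for s in statements if is_public_statement(s)]
    if public and not pab.get("RestrictPublicBuckets", False):
        sids = ", ".join(sorted(s.get("Sid", "<no Sid>") for s in public))
        findings.append(f"policy grants public access ({sids}) and RestrictPublicBuckets is off")
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    if not bucket.get("default_encryption"):
        findings.append("no default server-side encryption configured")
    return findings


def assess_inventory(buckets):
    """Map bucket name -> findings for a whole inventory export."""
    return {b["name"]: assess_bucket(b) for b in buckets}


# Constructed bucket inventory (names, ARNs and the VPC endpoint ID are made up).
BUCKETS = [
    {   # classic misconfiguration: world-readable, no guardrails, no encryption
        "name": "customer-exports",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}),
        "public_access_block": None,
        "default_encryption": None,
    },
    {   # private bucket with every guardrail on
        "name": "app-backups",
        "policy": None,
        "public_access_block": {k: True for k in PAB_KEYS},
        "default_encryption": "aws:kms",
    },
    {   # anonymous principal, but scoped to one VPC endpoint and guarded by PAB
        "name": "internal-artifacts",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": {
            "Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-artifacts/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}}),
        "public_access_block": {k: True for k in PAB_KEYS},
        "default_encryption": "AES256",
    },
]

if __name__ == "__main__":
    for name, issues in assess_inventory(BUCKETS).items():
        print(name, "->", issues or "OK")
```

Only customer-exports is flagged, and it is flagged three times: a world-readable policy with nothing blocking it, no public access block, and no default encryption. None of those findings are the provider's responsibility under the shared responsibility model; every one of them is a setting the user entity owns.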
Incident Response Plan: Responding to a Data Security Incident
When a security incident happens—and according to many, it isn’t a matter of if, but when—your Incident Response Plan (IRP) is your roadmap to respond effectively. A mature IRP covers:
- Preparation: Training your team before anything goes wrong, including performing a test of the IRP at least annually.
- Identification: Detecting the breach (often through monitoring tools).
- Containment: Stopping the “bleeding” (e.g., isolating an infected server, etc.).
- Eradication: Removing the threat.
- Recovery: Restoring data from back-ups.
- Lessons Learned: Updating your IRP after each incident, based on what actually happened, rather than waiting for the next annual review.

Common Data Security Questions
Below, we answer some of the questions we hear most often when clients are building out their data security programs.
What Are the Types of Data Security?
Auditors generally categorize data security controls into three main areas: Administrative (e.g., policies and training), Technical (e.g., encryption, MFA, and firewalls), and Physical (e.g., keycard access and secure media disposal).
What Are Five Ways to Secure & Manage Your Data?
- Enforce MFA across every single application in your stack.
- Encrypt sensitive data both while it’s stored at rest and while it’s in transit.
- Implement Least Privilege so no one has “unlimited” power by default.
- Perform regular back-ups and store them separately from your production environment.
- Patch your software in a timely manner when security updates are released.
What Is an Example of Data Security?
A common example of data security is data masking. In a support environment, a customer service representative may view a masked credit card number (e.g., **** **** **** 1234), so that they can help the customer without seeing sensitive financial data not needed for their job.
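The masked display in the example above is one half of the control; the other is keeping full card numbers out of places such as support tickets and application logs where a representative could see them anyway. The following is an added example in Python, not code from the original article or from Linford and Company; the support log line is constructed, and the Luhn check is included as an assumption about how to avoid masking order or phone numbers that merely look like card numbers.

```python
"""Data masking for card numbers: display masking plus log scrubbing.

Added example, not from the original article. mask_pan keeps only the last
four digits for a support view; redact_pans scrubs card numbers out of free
text (e.g., a support ticket or application log) so they never land in
systems that are not meant to hold them. The sample log line is constructed.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check so order numbers and phone numbers are not masked by accident."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_last=4, mask_char="*"):
    """Replace all but the last `keep_last` digits, preserving spaces and dashes."""
    digits = [c for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    to_mask = len(digits) - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(mask_char if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_pans(text):
    """Mask every Luhn-valid card-like number in free text; leave everything else."""
    def _sub(match):
        candidate = match.group(0)
        digits = "".join(c for c in candidate if c.isdigit())
        return mask_pan(candidate) if luhn_valid(digits) else candidate
    return PAN_PATTERN.sub(_sub, text)


if __name__ == "__main__":
    # Constructed support log line: a real-looking test card number and an
    # unrelated 16-digit order number that must be left alone.
    line = "ticket 42: customer paid with 4111 1111 1111 1111, order 1234567890123456"
    print(mask_pan("4111 1111 1111 1111"))
    print(redact_pans(line))
```

Masking at display time (mask_pan) satisfies the support use case; redact_pans is the check to put in front of the logging pipeline and ticketing integration, since a card number that never reaches the log cannot be exposed by it.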
What Are Examples of Risks to Data Security?
The biggest risks to data security are not just the breach itself but also the "aftershocks": loss of customer trust, reputational damage, fines and lawsuits, and operational downtime that can halt your business for days or weeks.
What Are Five Threats to Data Security?
- Phishing/Social Engineering: Tricking staff members into giving up credentials.
- Unpatched Vulnerabilities: Hackers exploiting known “holes” in your infrastructure and applications.
- Insider Threats: Accidental data leaks or malicious acts by staff members.
- Ransomware: Encrypting your data and demanding payment for the decryption key.
- Third-Party Breaches: Your data is compromised because a vendor or sub-service provider that holds it was breached.
The Bottom Line on Data Security
The primary objective of data security controls is to protect sensitive data from unauthorized access, corruption, and theft. Failure to adequately maintain data security may result in damage to your company’s reputation, substantial fines for noncompliance with laws and regulations, as well as other potential financial losses should existing customers churn. Data security is broad and complex in nature; however, creating a combination of controls targeted to protect your data is paramount to your company and to your customers. By being prepared to respond to security incidents and by focusing on a combination of effective data security controls, the company will build upon its resiliency.
If you would like to learn more about how Linford and Company can assist your organization in implementing data security best practices, navigating compliance with the SOC 2 criteria, or other services such as SOC 1, ISO/IEC 27001:2022, HIPAA, HITRUST, or FedRAMP audits, among others, please don’t hesitate to contact us.
