IT Security Compliance Guide
SOC 2, HIPAA, PCI-DSS, ISO 27001, CMMC, and FTC Safeguards Explained in plain English.
SOC 2 (System and Organization Controls 2)
What it is: System and Organization Controls 2 (the AICPA renamed it from "Service Organization Control" in 2017) is an attestation framework defined by the AICPA for service organizations that store, process, or transmit customer data; the report is issued by a licensed CPA firm, not by a certification body. It is the de facto standard that enterprise customers require from SaaS, cloud, and technology service providers.
Type I vs Type II: Type I is a point-in-time assessment (are the controls suitably designed and in place as of a date?). Type II covers a period (typically 3-12 months; three months is a common minimum for a first report) and tests whether the controls operated effectively throughout it. Customers and prospects increasingly require Type II.
Trust Services Criteria: the five categories SOC 2 evaluates: Security (always required; also called the Common Criteria), Availability, Processing Integrity, Confidentiality, Privacy. Most companies start with Security only and add others based on customer requirements.
What SOC 2 Security controls cover: logical access controls, encryption in transit and at rest, change management, incident response, vendor management, monitoring and alerting, vulnerability management, penetration testing. Because these are the controls a working security program needs anyway, SOC 2 is usually the compliance effort that most improves actual security posture. One caveat: SOC 2 does not prescribe specific controls. You define them, and the auditor tests what you defined, so a thin control set can still produce a clean report.
The readiness assessment: before the audit, a gap assessment identifies what controls you have, what you need to implement, and what documentation you need to create. Typically 40-120 hours of consultant time.
Timeline: from no program to a SOC 2 Type I report: 3-6 months. Type II requires an additional 3-12 month observation period after the controls are in place, plus the audit itself. Total to Type II: commonly 9-18 months.
Cost: readiness assessment $10,000-$25,000, remediation implementation varies, audit firm fee $15,000-$60,000 depending on scope and auditor. Total first-year cost $30,000-$100,000. Compliance automation platforms (Vanta, Drata, Secureframe, Tugboat Logic) significantly reduce ongoing evidence collection burden at $12,000-$30,000/year.
Who needs it: any B2B SaaS company, cloud service provider, managed service provider, or technology company with enterprise customers or prospects. If you're losing deals because prospects ask "do you have a SOC 2?" and you say no — you need it.
HIPAA (Health Insurance Portability and Accountability Act)
What it is: Federal law requiring healthcare organizations and their business associates to protect the privacy and security of Protected Health Information (PHI).
Who it applies to: Covered Entities (healthcare providers, health plans, healthcare clearinghouses) and Business Associates (any vendor or service provider who handles PHI on behalf of a covered entity — cloud providers, billing services, practice management software, MSPs, email providers, EHR vendors).
The Security Rule: requires administrative, physical, and technical safeguards for electronic PHI (ePHI). Key requirements: access controls, audit controls, integrity controls, person or entity authentication, transmission security, workforce training, and a risk analysis (a "required" implementation specification, not an "addressable" one).
The risk analysis requirement: the most commonly cited HIPAA failure in enforcement actions. Must be conducted regularly, documented, and drive your security program. It must cover all ePHI, all systems that access it, and all threats to its confidentiality, integrity, and availability.
Business Associate Agreements (BAA): any vendor who handles PHI must sign a BAA. If your cloud provider won't sign a BAA, you cannot store PHI there. AWS, Azure, GCP, and most major cloud providers offer BAAs, but usually only for a published subset of their services; check that list before putting PHI in a service. A free consumer Google account is not covered by a BAA; paid Google Workspace editions can be covered by Google's BAA.
Breach notification: notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log); and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets. Civil penalties are tiered by culpability, from roughly $100 to $50,000 per violation (inflation adjusted each year) with an annual cap of about $1.9M for identical violations; criminal penalties apply to knowingly obtaining or disclosing PHI in violation of the law.
HIPAA compliance program components: risk analysis, policies and procedures, workforce training, access management, encryption, audit logging, incident response, BAA management, physical security.
PCI-DSS (Payment Card Industry Data Security Standard)
What it is: Required for any entity that stores, processes, or transmits cardholder data (credit/debit card numbers). It is a contractual obligation imposed through the card brands and your acquiring bank, not a statute. Maintained by the PCI Security Standards Council, founded by the card brands (Visa, Mastercard, American Express, Discover, JCB).
PCI-DSS v4.0: the current version, published March 2022. v3.2.1 was retired on 31 March 2024, and the future-dated requirements in v4.0 became mandatory on 31 March 2025 (v4.0.1, a clarification release, followed in June 2024). Significant changes from v3.2.1 include a "customized approach" option for meeting requirements, MFA required for all access into the cardholder data environment rather than only administrative and remote access, and new e-commerce requirements for managing payment-page scripts and detecting tampering (requirements 6.4.3 and 11.6.1).
Merchant levels: 4 levels based on annual transaction volume, assigned by your acquirer (thresholds vary slightly by brand). Level 4 (fewer than 20,000 e-commerce transactions and under 1M total): Self-Assessment Questionnaire (SAQ). Level 1 (over 6M transactions): on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance (ROC). Most SMBs are Level 4; the SAQ is still significant work but not a full audit, and an acquirer can require more after a breach.
SAQ types: several SAQs exist depending on how you process payments (A, A-EP, B, B-IP, C, C-VT, D for merchants, D for service providers, P2PE, SPoC). SAQ A (card-not-present, payment processing fully outsourced) is the simplest. SAQ D (merchants with a cardholder data environment in scope) is the most complex.
Scope reduction: the most important PCI strategy is reducing scope, that is, limiting which systems are in the cardholder data environment (CDE) so fewer systems require PCI compliance. Payment tokenization and validated point-to-point encryption (P2PE) dramatically reduce scope; network segmentation reduces it further, but the segmentation controls must then be tested as part of the annual penetration test. Before you can reduce scope you have to know where card data actually lives, including places it should not be, such as debug logs, exports, and support tickets.
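Finding stray card numbers is the first step of any scope-reduction exercise. As an added example (not part of the original guide or any vendor's tooling), the Python below scans text such as application logs for candidate PANs, keeps only those that pass the Luhn check and match a major brand's public IIN prefix and length, and rewrites them to the BIN plus last four as PCI DSS masking rules allow. The sample log lines are constructed, the card numbers are the brands' well-known test numbers, and the prefix table is illustrative rather than authoritative. It goes slightly beyond the paragraph by also redacting what it finds, which is what you would do to a log pipeline that turned out to be in scope.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (so a 20-digit serial is not a hit).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str):
    """Map a digit string to a brand by public IIN prefix and length, or None.
    Illustrative ranges only; assumption, not an authoritative BIN table."""
    n = len(pan)
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if n == 15 and p2 in (34, 37):
        return "American Express"
    if 16 <= n <= 19 and (p4 == 6011 or 644 <= p3 <= 649 or p2 == 65):
        return "Discover"
    if 16 <= n <= 19 and 3528 <= p4 <= 3589:
        return "JCB"
    return None


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six (BIN) and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _is_pan(digits: str) -> bool:
    # Requiring both a brand match and a valid Luhn digit keeps order IDs,
    # timestamps and random 16-digit tokens out of the results.
    return card_brand(digits) is not None and luhn_valid(digits)


def scan(text: str):
    """Return (line_number, brand, masked_pan) for every PAN found in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if _is_pan(digits):
                hits.append((lineno, card_brand(digits), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every detected PAN with its masked form; everything else is untouched."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if _is_pan(digits) else m.group(0)
    return _PAN_RE.sub(_sub, text)


# Constructed sample log: one clean line, two debug lines that leaked card data,
# a legacy export line with one Luhn-invalid and one valid number, and a trace id
# that looks like a PAN but matches no brand.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z checkout order=1700000000123 token=tok_9f3a2c status=ok
2024-05-01T10:00:02Z DEBUG raw request: {"card":"4111 1111 1111 1111","exp":"12/26"}
2024-05-01T10:00:03Z DEBUG raw request: {"card":"378282246310005","exp":"01/27"}
2024-05-01T10:00:04Z legacy export ref=4000000000000000 batch=5555555555554444
2024-05-01T10:00:05Z trace id=1234567812345678 user=42
"""

if __name__ == "__main__":
    for lineno, brand, masked in scan(SAMPLE_LOG):
        print("line %d: %s %s" % (lineno, brand, masked))
    print(redact(SAMPLE_LOG))
```

Run against the sample it reports lines 2, 3 and 4; the Luhn-invalid `4000000000000000` and the brandless trace id are left alone, which is the behaviour you want before pointing a scanner at terabytes of logs. A real scope discovery run would point `scan` at log archives, database dumps, and ticketing exports, and every system that produces a hit is in the CDE until the leak is fixed.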
ISO 27001
What it is: the international standard for Information Security Management Systems (ISMS), currently ISO/IEC 27001:2022, whose Annex A lists 93 reference controls. Certification is granted by accredited third-party certification bodies. Unlike SOC 2, which produces an attestation report and is mainly recognized in North America, ISO 27001 is recognized worldwide and results in a certificate you can show customers.
ISO 27001 vs SOC 2: ISO 27001 is process and management system focused — you demonstrate you have a working information security management system. SOC 2 is controls-effectiveness focused — an auditor tests whether your controls are actually working. They are complementary: ISO 27001 is often preferred by international customers, SOC 2 by US enterprise customers. Many companies pursue both.
Certification process: Stage 1 audit (documentation review) → Stage 2 audit (implementation effectiveness) → Certificate issued (3 years). Surveillance audits annually. Recertification at 3 years.
Timeline: 6-18 months from starting a gap assessment to certification, depending on organization size and starting maturity.
Cost: gap assessment $8,000-$20,000, implementation support $20,000-$80,000 (depending on scope), certification audit $10,000-$30,000. Similar to SOC 2 total investment.
CMMC (Cybersecurity Maturity Model Certification)
What it is: Department of Defense requirement for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 has three levels: Level 1 (FCI) is the 15 basic safeguarding requirements of FAR 52.204-21, verified by annual self-assessment; Level 2 (CUI) is the 110 requirements of NIST SP 800-171; Level 3 (highest-priority programs) adds a subset of NIST SP 800-172 and is assessed by the government (DCMA DIBCAC) rather than a C3PAO.
Who it affects: the entire DoD supply chain. If you have or want DoD contracts that involve CUI, Level 2 is required; most CUI contracts call for a certification assessment by a C3PAO, while a smaller set allow a self-assessment. Requirements are being phased into contracts over several years, so check the current DoD rollout schedule for the phase that applies to your contracts.
Timeline and cost: NIST 800-171 gap assessment $10,000-$25,000, remediation varies widely (commonly $50,000-$250,000+ for organizations starting from scratch), C3PAO assessment $30,000-$75,000.
FTC Safeguards Rule (GLBA)
What it is: FTC regulations under the Gramm-Leach-Bliley Act requiring financial institutions to maintain a comprehensive information security program protecting customer financial information.
Who it applies to: non-banking financial institutions — auto dealers, mortgage brokers, accountants, payday lenders, financial advisors, tax preparers, insurance companies. The amended Safeguards Rule (compliance deadline June 9, 2023) significantly expanded the requirements.
Key requirements in the amended rule: designate a qualified individual (CISO or equivalent) to oversee the information security program, perform and document a written risk assessment, encrypt customer information in transit and at rest, implement multi-factor authentication for anyone accessing customer information systems, run annual penetration tests and vulnerability assessments at least every six months (or continuous monitoring), develop and test a written incident response plan, and have the qualified individual report in writing to the board at least annually. Institutions holding information on fewer than 5,000 consumers are exempt from the written risk assessment, incident response plan, and board reporting requirements. Since May 2024 the rule also requires notifying the FTC within 30 days of discovering a notification event affecting 500 or more consumers.