Why SOC Reports?
- Some industry require SOC2 or local compliance audit.
- Many organizations who know compliance, know SOC2 Type 2 consider it a stronger statement of operational effectiveness than ISO 27001 (Continuous Testing).
- Many organization's client will accept SOC2 of the right to audit.
SOC2 security
- Name: Trust services Principles and criteria for security - The system is protected against unauthorized access.
- Governance: AICPA
- Purpose: Assist service organization management in reporting to customers that it has established security criteria that ensure that the system is protected against unauthorized access (both physical and logical).
- Best use: Measure a service organization against static security principles and criteria.
- Certification: CPA Firm attest Examination opinion.
- Infrastructure: CPA/CA Firms worldwide.
- Periodic cover: Point in time (Type 1) or Period of Time (Type 2)
- Nature of audition of certification of testing: Design effectiveness and operating effectiveness (Type 2).
- Report: Report containing the auditors opinion,management's assertion,description of controls ,user control consideration,tests of controls and result.
- Difficulty to achieve: Higher difficulty.
ISO 27001
- Name: ISO/IEC 27001,second Edition 2013-10-01,IT-Security techniques-Information security Management system.
- Governance: ANCI-ASQ National Accreditation Board (ANAB)
- Purpose: Assist organization management in establishment and certification of an Information security M.S (ISMS) that meets specified requirements and is able to be certified as best practice.
- Best use: Establish,implement,maintain and improve an ISMS.
- Certification: ISO Accredited Registrar certification.
- Infrastructure: Lots of consultants,few certifiers.
- Period covered: Point in time.
- Nature of audit on certification of testing: Design effectiveness.
- Report: Single page certification.
- Difficulty to achieve: Moderate difficulty.
----------------------------------------------------------------------------------------------------------------------------------------
SOC1
- Used for situations where the systems are being used for financial reporting.
- Also referenced as statement on standards for Attestation Engagements (SSAE)18AT-C 320.(formerly SSAE 16 or AT 801)
SOC2
- Addresses a service organization's controls that are relevant to their operations and operations and compliance,more generally than SOC1.
- Restricted use report contains substantial detail on the system,security practices,testing methodology and result.
- Also SSAE 18 standard,sections AT-C 105 and AT-C 205.
SOC3
- General use report to provide interested parties with a CPA's opinion about same controls in SOC2.
Scoping considerations -SO2 principles
Report scope is defined based on the Trust Service Principles and can be expanded to extend to additional subject matter.
- Security
- Availability
- Confidentiality
- Processing Integrity
- Privacy
What are auditors looking for?
- Accuracy - are controls results bring assessed for pass/fail.
- Completeness - do controls implementation over the entire offering .e.g. no gaps in inventory,personnel etc.
- Timeliness - are controls performed on time with no gaps in coverage. If a control cannot be performed on time , are there appropriate assessment (risk) approvals BEFORE the control is considered.
- Consistency: Shifting control implementation raises concerns about above , plus increases testing.
- Primary control: Provides the feature/function/operation of the control.e.g.
1.Access management
2.Approvals exist for every user/system/role.
3.Continuous business need assessment.
4.Employment verification to ensure timely removal of employees on
separation from an organization.
- Secondary Control: Provides support or backup to ensure primary control is effective.e.g Access management Periodic reconciliation to confirm approval records match live system.No n]one has circumvented the Access management and created local ids, changed role eels etc.