{"id":9174,"date":"2020-03-16T16:24:08","date_gmt":"2020-03-16T16:24:08","guid":{"rendered":"https:\/\/ermprotect.com\/?page_id=9174"},"modified":"2020-08-11T14:05:29","modified_gmt":"2020-08-11T14:05:29","slug":"soc-compliance-services","status":"publish","type":"page","link":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/soc-compliance-services\/","title":{"rendered":"SOC Compliance Services"},"content":{"rendered":"<div id=\"pl-9174\"  class=\"panel-layout\" ><div id=\"pg-9174-0\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-0\" data-stretch-type=\"full\" ><div id=\"pgc-9174-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-0-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-ab81df88c13d-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h1 class=\"sow-headline\">\n\t\t\t\t\t\tSOC Compliance Services\t\t\t\t\t\t<\/h1>\n\t\t\t\t\t\t\t\t\t\t\t\t<h3 class=\"sow-sub-headline\">\n\t\t\t\t\t\tSOC examinations provide independent assurance regarding the design and effectiveness of cybersecurity controls. 
Here\u2019s what you need to know to understand them.\t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-0-0-1\" class=\"so-panel widget widget_sow-button panel-last-child widgetopts-SO\" data-index=\"1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-button so-widget-sow-button-flat-9e92d84e1ed7-9174\"\n\t\t\t\n\t\t><div class=\"ow-button-base ow-button-align-left\"\n>\n\t\t\t<a\n\t\t\t\t\thref=\"https:\/\/lp.ermprotect.com\/soc-2-report\"\n\t\t\t\t\tclass=\"sowb-button ow-icon-placement-left ow-button-hover\" \t>\n\t\t<span>\n\t\t\t\n\t\t\tOur SOC 2 Services\t\t<\/span>\n\t\t\t<\/a>\n\t<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-1\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-1\" data-stretch-type=\"full\" ><div id=\"pgc-9174-1-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-1-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"2\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-2a35b2cb9e0c-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tWhat is SOC?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-1-0-1\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"3\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>Organizations face pressures from regulators and stakeholders to demonstrate the operational effectiveness of controls that safeguard sensitive data. 
To assist organizations, the American Institute of Certified Public Accountants (AICPA) created a framework called \u201cSystem and Organization Controls\u201d (SOC) that enables CPAs to examine and report on the adequacy of controls protecting transactions and sensitive data.<\/p>\n<p>The underlying goal is to reduce cybersecurity risk, while also providing assurance to investors, customers, business partners and regulators regarding a service provider\u2019s cybersecurity posture.<\/p>\n<\/div>\n<\/div><\/div><div id=\"panel-9174-1-0-2\" class=\"so-panel widget widget_sow-headline widgetopts-SO\" data-index=\"4\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-2a35b2cb9e0c-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tWhy is SOC Important?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-1-0-3\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"5\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>The SOC framework is used to assess service providers who collect, process, transmit or store sensitive data. Service providers are an integral part of any business\u2019s strategy since outsourcing allows organizations to focus on their core strengths while increasing efficiency and growth. But a breach at a third-party service provider (TSP) handling an organization\u2019s sensitive data could have a huge impact.<\/p>\n<p>That\u2019s because organizations that contract with TSPs are responsible for monitoring their service provider\u2019s cybersecurity controls. Remember: While organizations can delegate tasks and even authority to TSPs, they can\u2019t delegate responsibility and accountability for security and controls.
That\u2019s where a SOC report comes into play.<\/p>\n<\/div>\n<\/div><\/div><div id=\"panel-9174-1-0-4\" class=\"so-panel widget widget_sow-headline widgetopts-SO\" data-index=\"6\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-2a35b2cb9e0c-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tDoes My Organization Need a SOC?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-1-0-5\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"7\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>SOC examinations have become a necessity. They assure clients that they can trust third-party service providers (TSPs) with sensitive data, and they let the contracting organization fulfill its monitoring and oversight responsibilities. A TSP that achieves a clean SOC opinion provides assurance about the products and services it offers and supports its compliance with regulations. This, in turn, boosts confidence among existing customers and in the marketplace. Many organizations and government entities now require their service providers to achieve a clean SOC report.<\/p>\n<\/div>\n<\/div><\/div><\/div><div id=\"pgc-9174-1-1\"  class=\"panel-grid-cell\" ><div class=\"panel-cell-style panel-cell-style-for-9174-1-1\" ><div id=\"panel-9174-1-1-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"8\" ><div class=\"panel-widget-style panel-widget-style-for-9174-1-1-0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t><h3 class=\"widget-title\">Table of Contents<\/h3>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p><a href=\"#types-of-soc-assessments\">What are the Types of SOC
Assessments?<\/a><\/p>\n<p><a href=\"#soc-1\">SOC 1<\/a><\/p>\n<p><a href=\"#soc-2\">SOC 2<\/a><\/p>\n<p><a href=\"#soc-3\">SOC 3<\/a><\/p>\n<p><a href=\"#soc-for-cybersecurity\">SOC for Cybersecurity<\/a><\/p>\n<p><a href=\"#soc-2-what-tsps-need-to-know\">SOC 2: What Do TSPs Need to Know?<\/a><\/p>\n<p><a href=\"#considerations-when-hiring-a-soc-auditor\">What to Consider When Hiring a SOC Auditor?<\/a><\/p>\n<p><a href=\"#how-to-get-ready-for-a-soc-2-audit\">How to Get Ready for a SOC 2 Audit?<\/a><\/p>\n<p><a href=\"#soc-for-cybersecurity-vs-soc-2\">How is a SOC for Cybersecurity different from a SOC 2?<\/a><\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-2\"  class=\"panel-grid panel-has-style\" ><div class=\"lsow-dark-bg siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-2\" id=\"types-of-soc-assessments\" data-stretch-type=\"full\" ><div id=\"pgc-9174-2-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-2-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"9\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-27fcac955298-9174 so-widget-fittext-wrapper\"\n\t\t\t data-fit-text-compressor=\"0.85\"\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h3 class=\"sow-headline\">\n\t\t\t\t\t\tAt a Glance, What are the Types of SOC Assessments?\t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t\t\t\t\t\t\t<p class=\"sow-sub-headline\">\n\t\t\t\t\t\tA SOC report has different reporting options \u2013 SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity.\t\t\t\t\t\t<\/p>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-2-0-1\" class=\"so-panel widget widget_siteorigin-panels-builder panel-last-child widgetopts-SO\" data-index=\"10\" ><div class=\"panel-widget-style panel-widget-style-for-9174-2-0-1\" ><div id=\"pl-w5f060060cf641\"  class=\"panel-layout\" ><div id=\"pg-w5f060060cf641-0\"  class=\"panel-grid panel-has-style\" ><div 
class=\"panel-row-style panel-row-style-for-w5f060060cf641-0\" ><div id=\"pgc-w5f060060cf641-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f060060cf641-0-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-7088989aa738\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h3 class=\"sow-headline\">\n\t\t\t\t\t\tSOC 1 \t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-w5f060060cf641-0-0-1\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>Examinations focus solely on systems and controls that may be relevant to your TSP\u2019s internal control over financial reporting. In simpler terms, if your TSP\u2019s main focus is the processing or handling of financial information, then a SOC 1 may be appropriate.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f060060cf641-1\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f060060cf641-1\" ><div id=\"pgc-w5f060060cf641-1-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f060060cf641-1-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"2\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-eb52e5a08944\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h3 class=\"sow-headline\">\n\t\t\t\t\t\tSOC 2 \t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-w5f060060cf641-1-0-1\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"3\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div 
class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>Examinations focus on controls at a TSP that are aligned with one or more \u201ctrust service\u201d principles, including data security, data availability, data processing integrity, data confidentiality, and data privacy. Put simply, if your TSP\u2019s main focus is on the protection of sensitive data, then a SOC 2 might be appropriate. <a href=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/blog\/how-soc-2-reports-safeguard-data-and-elevate-customer-confidence\/\">Learn how SOC 2 audits safeguard data and elevate customer confidence.<\/a><\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f060060cf641-2\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f060060cf641-2\" ><div id=\"pgc-w5f060060cf641-2-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f060060cf641-2-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"4\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-eb52e5a08944\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h3 class=\"sow-headline\">\n\t\t\t\t\t\tSOC 3\t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-w5f060060cf641-2-0-1\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"5\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>Examinations are based on the same concept and trust service principles as a SOC 2, but the resulting report omits the detailed system description, the control descriptions, and the results of testing that a SOC 2 report contains.
As a result, a SOC 3 report can be posted on an organization\u2019s website or shared with any party.\u00a0 It\u2019s important to note that the same is not true with SOC 2 reports, which are restricted-use reports because they may expose critical cybersecurity measures.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f060060cf641-3\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f060060cf641-3\" ><div id=\"pgc-w5f060060cf641-3-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f060060cf641-3-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"6\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-eb52e5a08944\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h3 class=\"sow-headline\">\n\t\t\t\t\t\tSOC for Cybersecurity \t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-w5f060060cf641-3-0-1\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"7\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>Reports are designed to examine an organization\u2019s entity-wide Cybersecurity Risk Management Program. This program includes policies, processes and controls designed to protect information and systems. 
A SOC for Cybersecurity can serve as a very efficient way for an organization to demonstrate the effectiveness of its cybersecurity controls over all aspects of its operations to board members, investors, business partners and other stakeholders.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-3\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-3\" data-stretch-type=\"full\" ><div id=\"pgc-9174-3-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-3-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"11\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-8eabbd9349e8-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tDeeper Dive: What are the Types of SOC Assessments?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-3-0-1\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"12\" ><div class=\"redh3 panel-widget-style panel-widget-style-for-9174-3-0-1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>The main purpose of a SOC examination is to provide independent assurance on the design and operating effectiveness of controls at a TSP. But there are several types of SOC reports, and they differ in scope. Organizations need to understand what these are so that they can choose the one that best fits their customer and regulatory requirements.<\/p>\n<h3 id=\"soc-1\">SOC 1<\/h3>\n<p>A SOC 1 examination evaluates the design and operating effectiveness of controls at a TSP relevant to financial reporting.
A SOC 1 examination is generally required when a TSP is processing financial information such as employee payroll, claims, or other data that rolls up into its customers\u2019 financial statements. The scope of a SOC 1 examination is determined by the people, processes, and systems used to provide an organization\u2019s products\/services. Because SOC 1 reports can include sensitive information, distribution is restricted to current customers, their auditors, and regulatory agencies.<\/p>\n<h3>There are two types of SOC 1 reports \u2013 Type 1 and Type 2.<\/h3>\n<\/div>\n<\/div><\/div><\/div><div id=\"panel-9174-3-0-2\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"13\" ><div class=\"redh3 panel-widget-style panel-widget-style-for-9174-3-0-2\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<ul>\n<li>A <strong>Type 1<\/strong> examination and report provides an opinion on the fairness and suitability of management\u2019s description of the system as of a particular date. A Type 1 examination only considers whether internal controls are suitably designed; it does not determine whether they are operating effectively.<\/li>\n<li>A <strong>Type 2<\/strong> examination and report provides an opinion on the fairness and suitability of management\u2019s description, and on the operating effectiveness of controls, for a period of time, typically six to twelve months.
A successful SOC 1 Type 2 examination demonstrates that there are adequate internal controls at the TSP surrounding the financial reporting process and that they are operating as intended.<\/li>\n<\/ul>\n<h3 id=\"soc-2\">SOC 2<\/h3>\n<p>A SOC 2 examination has become the more important examination in today\u2019s environment due to the increased number of security breaches and concern over the security, availability, processing integrity, confidentiality, and privacy of data. A SOC 2 examination provides deeper assurance of a TSP\u2019s controls over the infrastructure, software, people, procedures, and data used in providing products and services. In simple terms, a SOC 2 examination and report focuses on one or more of the following five trust service principles:<\/p>\n<\/div>\n<\/div><\/div><\/div><div id=\"panel-9174-3-0-3\" class=\"so-panel widget widget_siteorigin-panels-builder widgetopts-SO\" data-index=\"14\" ><div class=\"panel-widget-style panel-widget-style-for-9174-3-0-3\" ><div id=\"pl-w5f0600636edd5\"  class=\"panel-layout\" ><div id=\"pg-w5f0600636edd5-0\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f0600636edd5-0\" ><div id=\"pgc-w5f0600636edd5-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f0600636edd5-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p><strong>Security:<\/strong> The system is protected against both physical and logical unauthorized access.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f0600636edd5-1\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f0600636edd5-1\" ><div id=\"pgc-w5f0600636edd5-1-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f0600636edd5-1-0-0\"
class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p><strong>Availability:<\/strong> The system is available for operation and use, as committed or agreed.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f0600636edd5-2\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f0600636edd5-2\" ><div id=\"pgc-w5f0600636edd5-2-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f0600636edd5-2-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"2\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p><strong>Processing Integrity:<\/strong> System processing is complete, accurate, timely, and authorized.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f0600636edd5-3\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f0600636edd5-3\" ><div id=\"pgc-w5f0600636edd5-3-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f0600636edd5-3-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"3\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p><strong>Confidentiality:<\/strong> Information designated as confidential is protected as committed or agreed.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5f0600636edd5-4\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5f0600636edd5-4\" ><div id=\"pgc-w5f0600636edd5-4-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5f0600636edd5-4-0-0\" 
class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"4\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p><strong>Privacy:<\/strong> Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity\u2019s privacy notice and the criteria set forth in the Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA).<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"panel-9174-3-0-4\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"15\" ><div class=\"redh3 panel-widget-style panel-widget-style-for-9174-3-0-4\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<h3>There are two types of SOC 2 reports \u2013 Type 1 and Type 2.<\/h3>\n<ul>\n<li>A <strong>Type 1<\/strong> examination and report provides an opinion on the fairness and suitability of management\u2019s description of the system as of a particular date. A Type 1 examination only considers whether the controls addressing the in-scope trust service principles are suitably designed; it does not determine whether they are operating effectively.<\/li>\n<li>A <strong>Type 2<\/strong> examination and report provides an opinion on the fairness and suitability of the description of the system, and on the operating effectiveness of controls, for a period of time, usually six to twelve months. Like SOC 1 reports, SOC 2 reports are restricted-use reports since they contain sensitive information.
The unauthorized access or distribution of a SOC 2 report poses a security risk to the TSP, since the system description in the report can be used to identify potential weaknesses in its controls.<\/li>\n<\/ul>\n<h3 id=\"soc-3\">SOC 3<\/h3>\n<p>SOC 3 reports cover the same trust service principles as a SOC 2 but provide only an abbreviated description of the system. The service auditor\u2019s opinion is included; the detailed control descriptions and the results of testing are not. Unlike SOC 2 reports, a SOC 3 is classified as a general-use report and can be posted on an organization\u2019s web page and shared with the public. A SOC 3 report supports an organization\u2019s marketing initiatives and demonstrates its commitment to providing outstanding services through adherence to one or more of the five trust service principles.<\/p>\n<h3 id=\"soc-for-cybersecurity\">SOC for Cybersecurity<\/h3>\n<p>SOC for Cybersecurity is designed to evaluate an organization\u2019s entity-wide Cybersecurity Risk Management Program. The examination can be performed for any organization, not just third-party service providers (TSPs). CPAs with cybersecurity expertise evaluate the business\u2019s description of its cybersecurity risk management program and the effectiveness of the controls used to achieve its security objectives, so the examining firm must be staffed by CPAs with deep knowledge across all areas of cybersecurity.<\/p>\n<p>A SOC for Cybersecurity has three key components:<\/p>\n<ul>\n<li><strong>Management\u2019s Description<\/strong>: In the first component, organization management provides a description of its Cybersecurity Risk Management Program.
The description should address the identification of information assets, how cybersecurity risks that threaten these assets are managed, and the key security policies and procedures in place to protect information assets against those risks.<\/li>\n<li><strong>Management\u2019s Assertion<\/strong>: In the second component, organization management asserts whether the described Cybersecurity Risk Management Program is presented in accordance with SOC for Cybersecurity criteria and whether the controls of the Program operate effectively in meeting cybersecurity objectives.<\/li>\n<li><strong>Practitioner\u2019s Report<\/strong>: In the third component, an independent auditor\u2019s report gives an opinion on whether the description of the Cybersecurity Risk Management Program is presented in accordance with SOC for Cybersecurity criteria and whether controls in the Program are operating effectively. The SOC for Cybersecurity report can be distributed to regulators, stakeholders, and current and prospective customers to demonstrate a commitment to cybersecurity.<\/li>\n<\/ul>\n<h3>There are two kinds of SOC for Cybersecurity reports:<\/h3>\n<ul>\n<li><strong>Type 1 report:<\/strong> The CPA firm independently examines the description of the organization\u2019s controls as of a particular date to determine whether they are designed in accordance with SOC for Cybersecurity criteria.<\/li>\n<li><strong>Type 2 report:<\/strong> The CPA firm includes the components of a Type 1 report and also reports on the operating effectiveness of controls over a period of time, usually six to twelve months.<\/li>\n<\/ul>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-4\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-9174-4\" ><div id=\"pgc-9174-4-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-4-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"16\"
><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-3941c776dc64-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h3 class=\"sow-headline\">\n\t\t\t\t\t\tThe SOC 2: A Sought-After Assessment\t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-4-0-1\" class=\"so-panel widget widget_sow-editor panel-last-child widgetopts-SO\" data-index=\"17\" ><div class=\"largerlist panel-widget-style panel-widget-style-for-9174-4-0-1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>The continued growth of technology-oriented third-party service providers (TSPs) has caused the SOC 2 to become a widely sought-after attestation. A SOC 2 evaluates the cybersecurity posture of any TSP that collects, processes, transmits, or stores sensitive data whether it be in a local data center, the cloud, or with another vendor (subservice organization).<\/p>\n<p>In a SOC 2 examination, an independent CPA firm (service auditor) performs an on-site assessment and test procedures on a system that is defined as the infrastructure, software, people, procedures and data used to provide services or products. 
The CPA formally attests to whether the system adheres to the trust service principles pertaining to sensitive data: security, availability, processing integrity, confidentiality and privacy of data.<\/p>\n<p>A SOC 2 examination demands granular visibility into the governance of the system and the roles and responsibilities of the customer organization, the TSP, and any subservice organizations used. In simple terms, the SOC 2 service auditor examines how the TSP meets the trust service principles and the requirements and commitments made to customers in providing its products and services.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-5\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-5\" id=\"soc-2-what-tsps-need-to-know\" data-stretch-type=\"full\" ><div id=\"pgc-9174-5-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-5-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"18\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-bbb38b2f995f-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tSOC 2: What Do TSPs Need to Know?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t\t\t\t\t\t\t<h3 class=\"sow-sub-headline\">\n\t\t\t\t\t\tA SOC 2 brings with it some responsibilities and potential associated liabilities that TSPs need to keep in mind.
Let\u2019s take a look at these:\t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-5-0-1\" class=\"so-panel widget widget_siteorigin-panels-builder panel-last-child widgetopts-SO\" data-index=\"19\" ><div id=\"pl-w5e6aa041761f3\"  class=\"panel-layout\" ><div id=\"pg-w5e6aa041761f3-0\"  class=\"panel-grid panel-no-style\" ><div id=\"pgc-w5e6aa041761f3-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5e6aa041761f3-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" ><div class=\"faicon1 faicon2 faicon4 panel-widget-style panel-widget-style-for-w5e6aa041761f3-0-0-0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<div id=\"pgc-w5e580b3dc78e1-0-0\" class=\"panel-grid-cell\" data-weight=\"0.5\">\n<div id=\"panel-w5e580b3dc78e1-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" data-style=\"{&quot;class&quot;:&quot;faicon1 faicon2 faicon4&quot;,&quot;background_image_attachment&quot;:false,&quot;background_display&quot;:&quot;tile&quot;,&quot;so_cpt_readonly&quot;:&quot;&quot;,&quot;animation_event&quot;:&quot;enter&quot;,&quot;animation_screen_offset&quot;:&quot;0&quot;,&quot;animation_duration&quot;:&quot;1&quot;,&quot;animation_hide&quot;:true,&quot;animation_delay&quot;:&quot;0&quot;}\">\n<div class=\"faicon1 faicon2 faicon4 panel-widget-style panel-widget-style-for-w5e580b3dc78e1-0-0-0\">\n<div class=\"so-widget-sow-editor so-widget-sow-editor-base\">\n<div class=\"siteorigin-widget-tinymce textwidget\">\n<ul>\n<li>\n<h3><strong>Scope Definition<\/strong><\/h3>\n<p>Defining the scope for a SOC 2 examination is crucial. A narrow scope might not give the assurance customers want. Too broad of a scope might cause unnecessary work affecting budget and other priority initiatives. 
The key lies in defining the system and selecting the trust service principles that are necessary to meet service requirements and commitments. For example, if a TSP provides data storage services but performs no information processing, the security and availability trust service principles may apply while processing integrity likely would not. Further, if the data stored is protected health information (PHI) or personally identifiable information (PII), then the privacy trust service principle may also apply.<\/p>\n<\/li>\n<li>\n<h3><strong>Documentation<\/strong><\/h3>\n<p>A TSP should have comprehensive policies and procedures in place that cover what the service auditor is essentially going to be looking for \u2013 how the trust service principles and criteria for the system are met. It is important to remember that not all of the five trust service principles may be in scope, and that policies and procedures need only cover the in-scope areas.<\/p>\n<\/li>\n<li>\n<h3><strong>Written Assertion<\/strong><\/h3>\n<p>A SOC 2 examination requires that the TSP provide both a written management assertion on the description of the system and a management representation of certain responsibilities. Hence, it is imperative that a TSP have a complete understanding of the description of the system. These assertions and representations are to be taken seriously, as they define responsibility and potential subsequent liability.<\/p>\n<\/li>\n<li>\n<h3><strong>Service Auditor Selection<\/strong><\/h3>\n<p>A SOC 2 examination needs to be performed by a CPA firm whose professionals have auditing experience and deep knowledge of information security. A CPA without information security expertise would not be able to provide the service properly.
SOC 2 examinations are conducted in accordance with American Institute of Certified Public Accountants (AICPA) Attestation Standards.<\/p>\n<\/li>\n<li>\n<h3><strong>Do Not Share<\/strong><\/h3>\n<p>The distribution of a SOC 2 report is intended solely for the information and use of TSP management, user entities of the system during some or all of the service period, and practitioners and regulators providing services to user entities.\u00a0 Because of the proprietary and confidential information discussed in the system description, SOC 2 reports should not be shared openly.\u00a0 Ensuring that a SOC 2 report doesn\u2019t fall into the wrong hands is a TSP responsibility.<\/p>\n<\/li>\n<li>\n<h3><strong>Bottom Line<\/strong><\/h3>\n<p>Getting a SOC 2 examination is not a one-time event. Subsequent examinations after the first year are typically performed on an annual basis.\u00a0 SOC 2 compliance demands a control-focused culture practicing continuous improvement.<\/p>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-6\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-6\" id=\"considerations-when-hiring-a-soc-auditor\" data-stretch-type=\"full\" ><div id=\"pgc-9174-6-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-6-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"20\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-bbb38b2f995f-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tWhat to Consider When Hiring a SOC Auditor?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-6-0-1\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"21\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor 
so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>SOC 2 examinations are unique to each TSP.\u00a0 The success or failure of a TSP\u2019s controls can have both a direct and indirect impact on the TSP\u2019s reputation. Hence, selecting the right service auditor and getting him or her involved early in the SOC 2 planning process is critical to achieving a favorable SOC 2 report. TSPs also need to be mindful of the responsibilities and potential liabilities of service auditors and ensure auditors acknowledge their share of responsibilities.<\/p>\n<p>Here are a few things that the service auditor performing a SOC 2 examination should follow and assist the TSP with:<\/p>\n<\/div>\n<\/div><\/div><div id=\"panel-9174-6-0-2\" class=\"so-panel widget widget_siteorigin-panels-builder panel-last-child widgetopts-SO\" data-index=\"22\" ><div id=\"pl-w5e6aa041edf49\"  class=\"panel-layout\" ><div id=\"pg-w5e6aa041edf49-0\"  class=\"panel-grid panel-no-style\" ><div id=\"pgc-w5e6aa041edf49-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5e6aa041edf49-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" ><div class=\"faicon1 faicon2 faicon4 panel-widget-style panel-widget-style-for-w5e6aa041edf49-0-0-0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<div id=\"pgc-w5e580b3dc78e1-0-0\" class=\"panel-grid-cell\" data-weight=\"0.5\">\n<div id=\"panel-w5e580b3dc78e1-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" data-style=\"{&quot;class&quot;:&quot;faicon1 faicon2 
faicon4&quot;,&quot;background_image_attachment&quot;:false,&quot;background_display&quot;:&quot;tile&quot;,&quot;so_cpt_readonly&quot;:&quot;&quot;,&quot;animation_event&quot;:&quot;enter&quot;,&quot;animation_screen_offset&quot;:&quot;0&quot;,&quot;animation_duration&quot;:&quot;1&quot;,&quot;animation_hide&quot;:true,&quot;animation_delay&quot;:&quot;0&quot;}\">\n<div class=\"faicon1 faicon2 faicon4 panel-widget-style panel-widget-style-for-w5e580b3dc78e1-0-0-0\">\n<div class=\"so-widget-sow-editor so-widget-sow-editor-base\">\n<div class=\"siteorigin-widget-tinymce textwidget\">\n<ul>\n<li>\n<h3><strong>Scoping<\/strong><\/h3>\n<p>The service auditor can guide the TSP in defining the system and description that is used to provide products\/services as well as the trust service principles that should be in scope.\u00a0 However, when providing assistance to the TSP, the service auditor cannot make decisions on the TSP\u2019s behalf; otherwise the service auditor\u2019s independence and objectivity will be compromised.<\/p>\n<\/li>\n<li>\n<h3><strong>Service Auditor Standards<\/strong><\/h3>\n<p>The service auditor performing the SOC 2 examination is required to maintain a certain level of professional ethics, follow quality control standards, and comply with applicable legal and regulatory requirements. The service auditor must be a Certified Public Accountant and perform the examination in accordance with American Institute of Certified Public Accountants (AICPA) Attestation Standards.\u00a0 The service auditor must also display the highest levels of ethics, objectivity, and independence at all times. 
The SOC 2 examination is simply a service auditor\u2019s opinion on whether the TSP meets the service requirements and commitments made in its assertion.<\/p>\n<\/li>\n<li>\n<h3><strong>Examination Process<\/strong><\/h3>\n<p>The service auditor should provide the TSP with a list of requirements at least one month in advance that includes the evidence necessary to evaluate the fairness and suitability of the design of controls and their operating effectiveness.\u00a0 The service auditor should also provide the TSP with examples of written assertions prior to the actual examination.\u00a0 During the examination, the service auditor will visit the TSP to perform on-site interviews and evaluations, and document results. The service auditor should also perform a thorough analysis of the policies and procedures in place.<\/p>\n<\/li>\n<li>\n<h3><strong>Do Not Share<\/strong><\/h3>\n<p>Because a SOC 2 report contains sensitive information, the TSP should restrict its distribution carefully.\u00a0 TSPs should require a service auditor to sign a non-disclosure agreement (NDA) before a SOC 2 report is released.<\/p>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-7\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-7\" id=\"how-to-get-ready-for-a-soc-2-audit\" data-stretch-type=\"full\" ><div id=\"pgc-9174-7-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-7-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"23\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-bbb38b2f995f-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tHow to Get Ready for a SOC 2 Audit?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t\t\t\t\t\t\t<h3 
class=\"sow-sub-headline\">\n\t\t\t\t\t\tPenetration testing is a great tool. But if an organization doesn\u2019t follow up to address the human, as well as technical, vulnerabilities exposed by penetration testing, hackers will still find their way in. Remember: Employees are an organization\u2019s first line of defense against cyberattacks. It is imperative that they be cyber-aware.\t\t\t\t\t\t<\/h3>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-7-0-1\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"24\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<div id=\"panel-w5e5ff270696ba-0-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"0\">\n<div class=\"so-widget-sow-headline so-widget-sow-headline-default-459fe93276dd\">\n<p>Prior to the commencement of the actual SOC 2 examination, it\u2019s imperative that TSPs take steps to ensure that they are well-prepared.\u00a0 Sufficient preparation can be complicated, time-consuming, and draining. 
However, if an organization has a control-focused culture that emphasizes continuous improvement, then the actual SOC 2 examination can be painless, and even simple.<\/p>\n<p>Here is what you need to know and incorporate when readying yourself for a SOC 2 examination:<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div><div id=\"panel-9174-7-0-2\" class=\"so-panel widget widget_siteorigin-panels-builder panel-last-child widgetopts-SO\" data-index=\"25\" ><div id=\"pl-w5e6aa0424ac46\"  class=\"panel-layout\" ><div id=\"pg-w5e6aa0424ac46-0\"  class=\"panel-grid panel-no-style\" ><div id=\"pgc-w5e6aa0424ac46-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5e6aa0424ac46-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" ><div class=\"faicon1 faicon2 faicon4 panel-widget-style panel-widget-style-for-w5e6aa0424ac46-0-0-0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<div id=\"pgc-w5e580b3dc78e1-0-0\" class=\"panel-grid-cell\" data-weight=\"0.5\">\n<div id=\"panel-w5e580b3dc78e1-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" data-style=\"{&quot;class&quot;:&quot;faicon1 faicon2 faicon4&quot;,&quot;background_image_attachment&quot;:false,&quot;background_display&quot;:&quot;tile&quot;,&quot;so_cpt_readonly&quot;:&quot;&quot;,&quot;animation_event&quot;:&quot;enter&quot;,&quot;animation_screen_offset&quot;:&quot;0&quot;,&quot;animation_duration&quot;:&quot;1&quot;,&quot;animation_hide&quot;:true,&quot;animation_delay&quot;:&quot;0&quot;}\">\n<div class=\"faicon1 faicon2 faicon4 panel-widget-style panel-widget-style-for-w5e580b3dc78e1-0-0-0\">\n<div class=\"so-widget-sow-editor so-widget-sow-editor-base\">\n<div class=\"siteorigin-widget-tinymce textwidget\">\n<ul>\n<li>\n<h3><strong>Readiness Assessment<\/strong><\/h3>\n<p>A readiness 
assessment gives a TSP a chance to warm up before an actual examination takes place and allows for the remediation of shortcomings that are identified during the assessment. A readiness assessment can be performed internally or by a service auditor.\u00a0 An assessment performed by an outside service auditor will generally give a more objective and independent view of the design and operating effectiveness of controls.<\/p>\n<\/li>\n<li>\n<h3><strong>Risk Assessment<\/strong><\/h3>\n<p>A risk assessment identifies critical gaps in the information security architecture that prevent the achievement of information security goals and objectives. Conducting a thorough risk assessment on a periodic basis identifies and evaluates ever-changing risks and provides an opportunity to remediate identified gaps.\u00a0 The main focus of a risk assessment is to examine the greatest threats to the infrastructure, software, people, procedures, and data used by the system to provide products and services.\u00a0 The performance of a periodic risk assessment allows a TSP to effectively manage and mitigate risk.<\/p>\n<\/li>\n<li>\n<h3><strong>Documentation<\/strong><\/h3>\n<p>Comprehensive policies and procedures are critical for a successful SOC 2 examination.\u00a0\u00a0 To pass a SOC examination, they must also be monitored, enforced, and periodically updated.\u00a0 Remember that the service auditor will not just stop at a cursory review of the documentation in place. 
The service auditor\u2019s larger goal is to observe how much of what is documented is actually practiced.\u00a0 Once policies and procedures are developed and implemented, they must be periodically reviewed to ensure that they are current.<\/p>\n<\/li>\n<li>\n<h3><strong>The 3 P's<\/strong><\/h3>\n<p>Unpredictable and unforeseen events, ranging from data breaches to natural disasters, affect all TSPs.\u00a0 These events can halt day-to-day operations, and a quick recovery is needed to ensure uninterrupted delivery of products and services.\u00a0 An Incident Response Plan (IRP), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP) all play a major role in providing that resilience.\u00a0 To be effective, these plans must be in place, tested, and updated on a periodic basis.<\/p>\n<\/li>\n<li>\n<h3><strong>Security Awareness Training<\/strong><\/h3>\n<p>Even with the most robust technology and highly skilled professionals in place, the weakest link when it comes to controls and security is employees. Ongoing and engaging cybersecurity awareness training will make employees aware of ever-evolving cyber threats that target human vulnerabilities. The key word here is \u201cengaging.\u201d To be effective, security awareness training cannot be boring and should be provided to everyone on a regular basis. By adopting a comprehensive security awareness training program, TSPs can greatly improve their overall controls and security posture by creating human firewalls that help guard the TSP\u2019s information.<\/p>\n<\/li>\n<li>\n<h3><strong>Vendor Management<\/strong><\/h3>\n<p>The continued growth in outsourcing is the main catalyst for mandatory governance and oversight of TSPs through the formalization of vendor risk management practices. Many data breaches in recent years have materialized due to vulnerabilities that were poorly managed by TSPs. 
The use of vendors (subservice organizations) to augment the products and services provided by a TSP requires oversight and monitoring. In this scenario, the TSP evaluates the security and controls of subservice organizations using methods similar to how customers evaluate TSPs. Periodic risk assessments of subservice organizations should be performed and integrated into the TSP\u2019s enterprise-wide risk management process. Adopting a proactive approach to managing risks associated with subservice organizations is required for a SOC 2 examination and will be assessed by the service auditor.<\/p>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-8\"  class=\"panel-grid panel-has-style\" ><div id=\"soc-for-cybersecurity-vs-soc-2\" class=\"panel-row-style panel-row-style-for-9174-8\" ><div id=\"pgc-9174-8-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-8-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"26\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-bbb38b2f995f-9174\"\n\t\t\t\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tHow is a SOC for Cybersecurity different from a SOC 2?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-8-0-1\" class=\"so-panel widget widget_sow-editor widgetopts-SO\" data-index=\"27\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<div id=\"panel-w5e5ff270696ba-0-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"0\">\n<div class=\"so-widget-sow-headline so-widget-sow-headline-default-459fe93276dd\">\n<p>A SOC 2 examination is designed to evaluate the security control measures of a TSP\u2019s systems and services as it 
relates to the data services provided to their customers and clients. A SOC for Cybersecurity is designed to address an entity-wide Cybersecurity Risk Management Program.<\/p>\n<p>Here are some of the differences:<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div><div id=\"panel-9174-8-0-2\" class=\"so-panel widget widget_siteorigin-panels-builder panel-last-child widgetopts-SO\" data-index=\"28\" ><div class=\"panel-widget-style panel-widget-style-for-9174-8-0-2\" ><div id=\"pl-w5e6aa04349565\"  class=\"panel-layout\" ><div id=\"pg-w5e6aa04349565-0\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5e6aa04349565-0\" ><div id=\"pgc-w5e6aa04349565-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5e6aa04349565-0-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>A SOC 2 examination uses the trust service principles and criteria as a baseline to measure compliance. A SOC for Cybersecurity uses the American Institute of Certified Public Accountants (AICPA) Cybersecurity Risk Management Program criteria as a baseline to measure compliance.\u00a0 However, other reputable information security frameworks from the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO) can be used as baselines to measure compliance. 
These include NIST SP 800-53 or the ISO\/IEC 27001 \/ 27002 frameworks.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5e6aa04349565-1\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5e6aa04349565-1\" ><div id=\"pgc-w5e6aa04349565-1-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5e6aa04349565-1-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>In a SOC 2 examination, TSPs can choose to exclude from their examination the supporting services provided by other vendors, if the subservice organization is not providing a core service. In a SOC for Cybersecurity examination, all organizations providing services for any aspect of the Cybersecurity Risk Management Program must be included in scope.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div id=\"pg-w5e6aa04349565-2\"  class=\"panel-grid panel-has-style\" ><div class=\"panel-row-style panel-row-style-for-w5e6aa04349565-2\" ><div id=\"pgc-w5e6aa04349565-2-0\"  class=\"panel-grid-cell\" ><div id=\"panel-w5e6aa04349565-2-0-0\" class=\"so-panel widget widget_sow-editor panel-first-child panel-last-child widgetopts-SO\" data-index=\"2\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-editor so-widget-sow-editor-base\"\n\t\t\t\n\t\t>\n<div class=\"siteorigin-widget-tinymce textwidget\">\n\t<p>A SOC 2 report is a restricted-use report, intended for TSP management, user entities of the system, and the practitioners and regulators serving those user entities. In contrast, a SOC for Cybersecurity report can be shared with all stakeholders including current and prospective customers. 
This is because detailed testing is eliminated from the report that could be used to discover vulnerabilities in planning a cyberattack.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div id=\"pg-9174-9\"  class=\"panel-grid panel-has-style\" ><div class=\"siteorigin-panels-stretch panel-row-style panel-row-style-for-9174-9\" data-stretch-type=\"full\" ><div id=\"pgc-9174-9-0\"  class=\"panel-grid-cell\" ><div id=\"panel-9174-9-0-0\" class=\"so-panel widget widget_sow-headline panel-first-child widgetopts-SO\" data-index=\"29\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-headline so-widget-sow-headline-default-7388894ea97a-9174 so-widget-fittext-wrapper\"\n\t\t\t data-fit-text-compressor=\"0.85\"\n\t\t><div class=\"sow-headline-container \">\n\t\t\t\t\t\t\t<h2 class=\"sow-headline\">\n\t\t\t\t\t\tDid you find this helpful?\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t\t\t\t\t\t\t<h2 class=\"sow-sub-headline\">\n\t\t\t\t\t\tSee our resources on other key cybersecurity topics\t\t\t\t\t\t<\/h2>\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"decoration\">\n\t\t\t\t\t\t<div class=\"decoration-inside\"><\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n<\/div><\/div><div id=\"panel-9174-9-0-1\" class=\"so-panel widget widget_sow-features panel-last-child widgetopts-SO\" data-index=\"30\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-sow-features so-widget-sow-features-default-d79dc1a0bd54-9174\"\n\t\t\t\n\t\t><ul\n\tclass=\"sow-features-list\n\tsow-features-responsive\">\n\n\t\t\t<li\n\t\t\tclass=\"sow-features-feature sow-icon-container-position-top\"\n\t\t\tstyle=\"display: flex; flex-direction: column; width: calc(25% - 25px);\"\n\t\t>\n\t\t\t\n\t\t\t\t\t\t<a\t\t\t\tclass=\"sow-icon-container sow-container-rounded-square\"\n\t\t\t\tstyle=\"color: #e8e8e8; \"\n\t\t\t\t\n\t\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/pci-compliance\/\"\n\t\t\t\t\t\t\t\t>\n\t\t\t\t<span class=\"sow-icon-fontawesome sow-fas\" 
data-sow-icon=\"&#xf09d;\"\n\t\tstyle=\"font-size: 55%; color: #e5554f\" \n\t\taria-hidden=\"true\"><\/span>\t\t\t<\/a>\n\n\t\t\t<div class=\"textwidget\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h5 class=\"sow-features-feature-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<a\n\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/pci-compliance\/\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\tPCI Compliance\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t<\/h5>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/li>\n\n\t\t\t<li\n\t\t\tclass=\"sow-features-feature sow-icon-container-position-top\"\n\t\t\tstyle=\"display: flex; flex-direction: column; width: calc(25% - 25px);\"\n\t\t>\n\t\t\t\n\t\t\t\t\t\t<a\t\t\t\tclass=\"sow-icon-container sow-container-rounded-square\"\n\t\t\t\tstyle=\"color: #e8e8e8; \"\n\t\t\t\t\n\t\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/penetration-testing\/\"\n\t\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\t<\/a>\n\n\t\t\t<div class=\"textwidget\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h5 class=\"sow-features-feature-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<a\n\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/penetration-testing\/\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\tPenetration Testing\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t<\/h5>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/li>\n\n\t\t\t<li\n\t\t\tclass=\"sow-features-feature sow-icon-container-position-top\"\n\t\t\tstyle=\"display: flex; flex-direction: column; width: calc(25% - 25px);\"\n\t\t>\n\t\t\t\n\t\t\t\t\t\t<a\t\t\t\tclass=\"sow-icon-container sow-container-rounded-square\"\n\t\t\t\tstyle=\"color: #e8e8e8; \"\n\t\t\t\t\n\t\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/digital-forensics\/\"\n\t\t\t\t\t\t\t\t>\n\t\t\t\t<span class=\"sow-icon-fontawesome sow-fas\" data-sow-icon=\"&#xf577;\"\n\t\tstyle=\"font-size: 55%; color: #e5554f\" \n\t\taria-hidden=\"true\"><\/span>\t\t\t<\/a>\n\n\t\t\t<div 
class=\"textwidget\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h5 class=\"sow-features-feature-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<a\n\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/digital-forensics\/\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\tDigital Forensics\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t<\/h5>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/li>\n\n\t\t\t<li\n\t\t\tclass=\"sow-features-feature sow-icon-container-position-top\"\n\t\t\tstyle=\"display: flex; flex-direction: column; width: calc(25% - 25px);\"\n\t\t>\n\t\t\t\n\t\t\t\t\t\t<a\t\t\t\tclass=\"sow-icon-container sow-container-rounded-square\"\n\t\t\t\tstyle=\"color: #e8e8e8; \"\n\t\t\t\t\n\t\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/cybersecurity-awareness-training\/\"\n\t\t\t\t\t\t\t\t>\n\t\t\t\t<span class=\"sow-icon-fontawesome sow-fas\" data-sow-icon=\"&#xf0eb;\"\n\t\tstyle=\"font-size: 55%; color: #e5554f\" \n\t\taria-hidden=\"true\"><\/span>\t\t\t<\/a>\n\n\t\t\t<div class=\"textwidget\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h5 class=\"sow-features-feature-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<a\n\t\t\t\t\t\t\t\thref=\"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/cybersecurity-awareness-training\/\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\tSecurity Awareness Training\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t<\/h5>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/li>\n\n\t<\/ul>\n<\/div><\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>Organizations face pressures from regulators and stakeholders to demonstrate the operational effectiveness of controls that safeguard sensitive data. To assist organizations, the American Institute of Certified Public Accountants (AICPA) created a framework called \u00a0&#8220;System and Organizational Controls\u201d (SOC) that enables CPAs to review and comment on the adequacy of controls protecting transactions and sensitive data. 
[&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-9174","page","type-page","status-publish","hentry","post"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/pages\/9174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/comments?post=9174"}],"version-history":[{"count":0,"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/pages\/9174\/revisions"}],"wp:attachment":[{"href":"https:\/\/uln.ucp.mybluehost.me\/website_c8c6d12e\/wp-json\/wp\/v2\/media?parent=9174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}