What is AICPA SOC?
The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) is a suite of service offerings CPAs may administer in connection with system-level controls of a service organization or entity-level controls of other organizations. SOC provides internal control reports on the services provided by a service organization. It also gives beneficial information users need to determine and address the risks associated with an outsourced service.
SOC for cybersecurity is a new reporting framework through which organizations can communicate relevant information about the effectiveness of their cybersecurity risk management program. CPAs can also report on such data to meet the cybersecurity information needs of a wide range of collaborators.
Trust Service Criteria
SOC 2 Report is based upon the Trust Services Principles, with the ability to test and report on the design and operating effectiveness of a service organization’s controls. The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality and privacy of a system. SOC 2 is broken into two types of reports: Design and Operating.
These reports are imperative to:
~ Oversight of the organization
~ Vendor management programs
~ Internal corporate governance and risk management processes
~ Regulatory oversight
Four Broad Areas
The Trust Service Principles which SOC 2 is based on are modeled around four broad areas: policies, communications, procedures and monitoring. Each one of the principles have defined controls, which must be met to demonstrate devotion to the principles and produce an unqualified opinion where no significant exceptions are found during the audit. Since the criteria businesses must meet are predetermined, this makes it easier for business owners to comply with the requirements and for users of the report to read and determine the adequacy.
Many businesses outsource tasks or entire functions to a service organization that will operate, collect, process, transmit, store, organize, maintain and dispose of data for user entities. SOC 2 was put in place to focus demands for assurance over non-financial controls to prevent SOC 1 from being misused.
SOC 2 + Expansion
The AICPA recently made efforts to expand the use of SOC 2 in two significant ways. The first being, additional reporting criteria, and the second being, alignment with other significant and sometimes, required, IT Security regulations. This expansion increases the utility of the SOC 2 report and overall compliance costs and efforts of each small, medium and large business.
The additional subject matter expands the adequacy of the SOC 2 report to encompass the scope of significant concerns that business partners have when outsourcing certain activities given the current, expanding compliance landscape.
SOC2 Risk Assessment and Gap Assessment
As part of the SOC2 assessment, your organization is required to have a formal risk assessment from a qualified 3rd party firm. NightLion Security specializes in providing advanced advanced risk assessment services. Our patented methodology is designed to help save your organization time and resources by creating a control framework mapping designed for your organization. We can help you test and comply with multiple frameworks simultaneously.
Click here to learn more about our SOC2 Risk Assessment services.
SOC2 Penetration Testing
NightLion Security provides advanced penetration testing services for networks and web applications, and can help you prepare your infrastructure to be ready to meet the challenges of the SOC2 certification audit.
SOC2 Custom Control Mappings
If you are interested in mapping the SOC2 controls against any other security framework, check out our free security control mapping tool. You can also contact us if you would like to request a free mapping of SOC2 against any other information security framework.
Download the 2016 SOC2 TP Controls
Check us out at www.securitycheckbox.com