Service Organization Controls (SOC) Reports

Providing insight into organizational risk


What is a SOC report?

A service organization controls (SOC) report (not to be confused with the other SOC acronym, security operations center) is a way to verify that an organization is following specific best practices before you outsource a business function to that organization. These best practices relate to finance, security, processing integrity, privacy, and availability. The reports, which are created and verified by third-party auditors, are built to provide independent assurance and to help potential customers and partners understand the risks involved in working with the organization that was evaluated.

Why are SOC reports important?

SOC reports communicate the checks and balances a company is enforcing to root out inconsistencies, and they send a strong message to customers that the company is paying attention to how its policies and procedures are followed. No decision is entirely free of risk, but a SOC report gives you the context needed to determine how much risk is involved.

SOC reports are important because they provide thorough business overviews delivered in a common and consistent framework, examining the organization's in-scope systems in a reasonable manner. Whether you are entering a new partnership or reviewing your current inventory of business relationships, this unbiased report provides valuable information that is relevant at many stages of the vendor lifecycle.

SOC report definitions

  • Service organization: The organization being tested.
  • User entity: The organization looking to outsource a business function to (or otherwise partner with) the service organization.
  • Control: The auditable process or mechanism designed to prevent or detect unintended consequences (e.g. fraud, misreporting, etc.).

Types of SOC reports

Depending on the information required and the type of organization involved, there are several versions of SOC reports.

SOC 1:
Reports on controls that have an immediate or downstream effect on a user entity’s financial statements. Based on the SSAE 16 reporting standard.

Type I

  • Shows how well the internal controls are designed to prevent mistakes regarding financial transaction/statement data.
  • Testing is done at one point in time; it does not test the operating effectiveness of the control set.

Type II

  • Tests the operating effectiveness of the internal controls (business process and IT general controls); designed to mitigate the risk of a financial inaccuracy for the user entity.
  • Testing is done over a period of time, and a sampling methodology is used to give an accurate portrayal of operating effectiveness.

SOC 2:
Reports on controls related to security, availability, processing integrity, confidentiality, and privacy. Testing of the security controls is mandatory, while the remaining criteria (availability, processing integrity, confidentiality, and privacy) are optional. Based on the AT 101 reporting standard.

Type I

  • Tests the design of these controls.
  • Testing is done at one point in time; it does not test the operating effectiveness of the control set.

Type II

  • Tests the operating effectiveness of these controls; designed to mitigate the risk of mishandling customer data.
  • Testing is done over a period of time, and a sampling methodology is used to give an accurate portrayal of operating effectiveness.

SOC 3:

  • A public-facing version of a SOC 2 Type II that does not include confidential information.
  • Provides a high-level summary for general customers without compromising or revealing details of the internal controls.
  • Usually only used by organizations that have completed many SOC reports in the past and have a robust and mature control environment.

SOC report components

Every service organization controls report will contain the auditor’s opinion, which covers whether the service organization’s description of its controls is presented fairly and whether those controls are designed effectively. If a report is unqualified, it means the auditor found that the company represented its design and operating effectiveness in a fair manner, while a qualified opinion means the auditor found significant discrepancies between the company's statements and reality. The opinion is considered adverse if multiple controls fail, causing an entire objective to be unmet.

The report will also include the service organization’s assertion that all the controls being tested were active during the auditor's checks, a description of the system itself, and what the auditor observed while using the system. Essentially, the reader should see a story about what the system was purported to do and what it actually did. It should show the scope and purpose of the tests performed, including data on the management structure, communication policies, information security risk management, system monitoring, documentation procedures, system operations, and physical access controls.

How to use SOC reports

When receiving a service organization controls report from another organization, you should read all of the information with a critical eye. Just because you receive an unqualified report does not mean there are no exceptions that may ultimately present red flags for your organization—unqualified only means that no objective failed completely. Review the management responses to any controls that failed to determine whether compensating controls are in place and what remediation occurred (if any).

Consider any exceptions or deviations the auditor found and decide whether you can accept the related risk. Make sure you understand everything and have a thorough grasp of how all the controls work. Discuss your concerns with the company, and find out whether they have taken steps to fix any potential problems since the time of the report. Use the information to fuel internal discussions about the risks that may arise from outsourcing a business function to the service organization.

While no decision is without risk, SOC reports exist to help organizations get a better idea of the level of risk involved in important business and security decisions. The best offense is the best defense, and that’s where planning and preparation—and the insights SOC reports provide—come into play.
