Service Organization Controls (SOC) Reports

Providing insight into an organization's risk


What is a SOC Report?

A Service Organization Controls (SOC) report (not to be confused with the other SOC acronym, security operations center) is a way to verify that an organization follows certain specific best practices before you outsource a business function to it. These best practices relate to finances, security, processing integrity, privacy, and availability. The reports, which are created and validated by third-party auditors, are meant to provide independent assurance and to help prospective customers/partners understand any potential risks involved in working with the organization being assessed.

Why is a SOC Report Important?

A SOC report communicates the checks and balances a company is performing to root out inconsistencies, and it sends a strong message to customers that you are paying attention to how policies and procedures are followed. No decision is ever completely risk-proof, but a SOC report will give you the context needed to determine the amount of risk involved.

SOC reports are important because they provide a comprehensive overview of a business, delivered in a public and consistent framework, canvassing the organization's in-scope systems in a logical way. Whether you are entering a new partnership or reviewing your current business relationships, this impartial report provides valuable information relevant to many stages of the vendor lifecycle.

SOC Report Definitions

  • Service organization: The organization being tested.
  • User entity: The organization that wishes to outsource a business function to (or partner with) the service organization.
  • Control: An auditable process or mechanism designed to prevent or detect unintended outcomes (e.g., fraud, misreporting).

Types of SOC Reports

Depending on the information needed and the type of organization involved, there are several versions of SOC reports.

SOC 1:
Reports on controls that have a direct or downstream effect on the user entity's financial statements. Based on the SSAE 16 reporting standard.

Type I

● Indicates how well the internal controls are designed to prevent errors in financial transaction/statement data.

● Testing is done at one point in time; does not test the operating effectiveness of the control set.

Type II

● Tests the operating effectiveness of the internal controls (business process and IT general controls); designed to mitigate the risk of a financial inaccuracy for the user entity.

● Testing is conducted over a period of time and uses sampling methods to accurately describe operating effectiveness.

SOC 2:
Reports on controls related to security, availability, processing integrity, confidentiality, and privacy. Security controls testing is mandatory, while the rest (availability, processing integrity, confidentiality, and privacy) are optional. Based on the AT 101 reporting standard.

Type I

● Tests the design of these controls.

● Testing is done at one point in time; does not test the operating effectiveness of the control set.

Type II

● Tests the operating effectiveness of these controls; designed to mitigate the risk of mishandling customer data.

● Testing is conducted over a period of time and uses sampling methods to accurately describe operating effectiveness.

SOC 3:

A public-facing version of the SOC 2 Type II report that contains no confidential information.

● Provides a high-level summary for general customers without disclosing the details of internal controls.

● Typically used only by organizations that have undergone many SOC reports in the past and have a robust, mature control environment.

SOC Report Components

Every Service Organization Controls report will contain the auditor's opinion, which covers whether the service organization's description of its controls is fair and whether those controls are effectively designed. If a report is unqualified, it means the auditor found that the company represented its design and operating effectiveness fairly, while a qualified opinion means the auditor found material differences between the company's statements and reality. The opinion is considered adverse if multiple controls failed, causing an entire objective not to be met.

The report will also include the service organization's assertion that all tested controls were active during the auditor's examination period, a description of the system itself, and what the auditor observed while the system was in use. Essentially, the reader should see a story of what the system is intended to do and what it actually does. It should show the scope and purpose of the testing performed, including data on the management structure, communications policies, information security risk management, system monitoring, documentation procedures, system operations, and physical access controls.


How to Use a SOC Report

When you receive a Service Organization Controls report from another organization, you should read all of the information with a critical eye. Just because you received an unqualified report does not mean there were no exceptions that could ultimately raise red flags for your organization; unqualified only means that the objectives did not fail completely. Review management's response to any control failures to determine whether compensating controls exist and what remediation (if any) took place.

Consider any exceptions/deviations the auditor found and decide whether you can accept the associated risk. Make sure you understand everything and feel that you have a thorough grasp of how all of the controls work. Discuss any concerns you have with the company, and find out whether they have taken steps to address any potential issues since the report was issued. Use this information to drive internal discussions about any potential risks that may arise from outsourcing business functions to the service organization.

While it's true that no decision will ever be risk-proof, SOC reports exist to help organizations better understand the level of risk associated with important business and security decisions. The best offense truly is a great defense, and that is where planning and preparation, along with the insight a SOC report provides, come into play.
