By Kelly Ribeiro
Information security and privacy are increasingly relevant topics these days and the failure or absence of controls and procedures can cause huge financial losses and damage to the image of companies. Naturally, these companies, in addition to seeking to improve their internal controls, are observing more carefully and requiring their suppliers and partners to also demonstrate, increasingly, a commitment to the adoption of controls that ensure the security and privacy of their information.
In light of this market movement, the American Institute of Certified Public Accountants (AICPA) has developed a cybersecurity risk management reporting framework, and companies can make use of SOC (Service Organization Controls) reports to demonstrate their cybersecurity risk management efforts and present the systems, processes and controls in place to detect, prevent and respond to breaches. Next, we break down what SOC reports are and why they are important.
SOC Report 1 - Controls over financial information (ISAE 3402 / SSAE 18)
The report documents an organization's controls that may be relevant to financial reporting. The Statement on Standards for Attestation Engagements (SSAE 18) and International Standard on Assurance Engagements No. 3402 (ISAE 3402) are the standards under which the audit is performed and are the basis of the SOC 1 report.
SOC Report 2 – Operational Controls and Compliance
The purpose of this report is to provide the customer and interested parties with an opinion on service delivery controls related to information security, availability, confidentiality and privacy.
The scope covers the control environment related to the services that the company provides to its customers, and does not include the evaluation of third parties that may be relevant to the provision of those services. The scope is defined based on the Trust Services Criteria (TSP 100) issued by the AICPA. It is mandatory to include the “Security” category in the scope. The other categories (availability, processing integrity, confidentiality and privacy) are optional, depending on their relevance to the service provided to customers.
SOC 3 - Operational and Compliance Controls
The SOC 3 report is for public use and provides stakeholders with an opinion on the service organization's controls related to security, availability, processing integrity, and/or privacy. The SOC 3 audit report is always based on the results of a SOC 2 Type II assessment.
Report Types I and II
The SOC 1 and SOC 2 audit report can be either Type I or Type II. The difference is that Type I is a point-in-time assessment of controls, and Type II is an assessment of the effectiveness of controls over a period of time, typically six months or more.
These reports are very detailed and useful for:
- Organization supervision;
- Supplier management programs;
- Internal corporate governance and risk management processes;
- Regulatory oversight.
The SOC 2 audit provides an organization's customers and stakeholders with assurance about the adequacy and effectiveness of its data controls, based on their compliance with the trust services criteria established by the AICPA. These criteria are divided into four categories: logical and physical access controls, system operations, change management, and risk mitigation. SOC 2 is not a certification, but rather an examination of an organization's data controls and an accredited third party's opinion of the adequacy of those controls.
SAFEWAY is an information security company, recognized by its customers for offering high value-added solutions through information security projects that fully meet the needs of the business. Over these years of experience, we have proudly accumulated several successful projects that have given us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.
Let's make the world a safer place to live and do business!