SOC2 Compliance

By: admin | In: Articles, Blog | January 6, 2017

SOC2 Compliance - Penetration Testing

https://www.provensec.com/wp-content/uploads/2017/01/SOC2-Compliance-Penetration-Testing.png

SOC stands for Service Organization Control, and SOC2 Compliance is one of the industry standards for service organizations in technology, cloud services and similar fields. A SOC2 Compliance audit differentiates you from other organizations by verifying the validity of the controls, policies and standards you have set forth, without affecting the client's internal controls over reporting, and thus gives your clients the assurance they need to feel confident. No one wishes to invest in, partner with or work with a company that holds no industry compliance or standards. That is why organizations have to undergo regular Penetration Testing to make sure they are secure.

Companies that need to be accredited under SOC2 Compliance opt for a SOC2 Compliance audit and report. What many do not know is that SOC2 Compliance also extends to other accreditations such as NIST SP800-53, and vice versa. The reason these two frameworks extend to each other is that their underlying requirements for transparency, such as the design and operation of controls, are very similar. So if you complete a SOC2 Compliance audit, you have already done a major part of the work for other accreditations such as NIST SP800-53.

The rapid growth of technology has led to an increase in cyber fraud and attacks against organizations. If you are not properly secured and become the victim of a cyber attack, you will lose your reputation, which in turn will affect your business heavily. This is why regular testing is performed: to check whether all the security measures have been taken and all the security controls are in place. Once you are sufficiently secure and have implemented the needed security policies and controls, you can apply for the industry standard accreditation and achieve compliance, which will gain customer confidence.

The SOC2 audit policy is built around and focused on the Trust Service Principles (TSP): Security, Availability, Processing Integrity, Confidentiality and Privacy of service organizations. These five are also referred to as controls, and they are explained below.

The five TSPs, as defined in SSAE 16, are the following:

  • Security: The system is protected, both logically and physically, against unauthorized access.
  • Availability: The system is available for operation and use as committed or agreed to.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

The audit is separated into two types, based on the period covered during the auditing process, called Type I and Type II audits.
Type I audits test the controls placed in operation at a specific point in time against the criteria set by the AICPA Trust Service Principles.
Type II audits test the operating effectiveness of the controls mentioned above over a period of time, of at least six consecutive months.

For SOC2 compliance it is not mandatory to have all of the above-mentioned controls in place. Policies and controls are set up according to the service the organization provides. Therefore, during the SOC2 compliance audit, it is checked whether the policies and controls relevant to the service provided are implemented or not. Security is one of the most important controls, and almost every organization is expected to be well secured both logically and physically. Therefore regular Penetration Testing is required as part of complying with the industry standards. Annual penetration testing was once considered good practice, but nowadays, due to the rise in cyber-attacks, half-yearly or quarterly penetration testing is required. Moreover, whenever you make changes to your infrastructure or network devices, or to software or servers, conduct a penetration test immediately to make sure everything is in good order and secure.

Why Choose Provensec?

For Provensec, security research is a core business and a competitive edge. Some examples: 100+ acknowledgements from blue chip companies for finding security flaws in their products and technology, being among the top 10 contributors for March 2015, next to HP and Cisco, on Packet Storm, and releasing 33 zero-day exploits including 4 CVEs. We have served clients in 8 countries and continue to grow at a fast pace.

Our experts hold some of the best industry standard certifications and are capable of researching and applying new tactics and attack vectors during a Penetration Test.