
SOC1, SOC2 and SOC3

SOC Basics
The Service Organization Controls (SOC) reports are a series of standards that evaluate the controls a service provider has in place over financial reporting (SOC1) or over any of the Trust Services Principles (SOC2 or SOC3). Sometimes referred to as SSAE16, the SOC1, SOC2 and SOC3 are audits performed by an external auditor that provide your clients with reasonable assurance that a control structure is in place on which they can place some reliance.

SOC1

The SOC1 is a report on controls at a service organization relevant to a user entity's internal control over financial reporting. You want this if your client needs assurance for their Sarbanes-Oxley (SOX) requirements. The SOC1 has two variants: Type 1 and Type 2. The Type 1 is an audit of the design of the control environment; whether the controls operated over time is not evaluated (that is what a Type 2 examines). The Type 1 is a good place to start if your organization has not been through a control audit or you have contractual requirements to show progress in your SOC1 program. Use of the report is restricted to the management of the service organization, user entities, and user auditors.

SOC2
The SOC2 is a report on controls at a service organization relevant to the Trust Services Principles and Criteria (TSP). Like the SOC1, it is available as a Type 1 or a Type 2 report. You want this report if you process Personally Identifiable Information (PII) or your customer needs to extend their security program to include your organization. The report includes a description of the service auditor's tests of controls and their results. Use of the report is "generally" restricted.

SOC3
This is a trust services report for service organizations. It covers the same subject matter as the SOC2. It does not include a description of the service auditor's tests of controls and results. The description of the system is less detailed than the description in a SOC2 report. You want this if you desire a marketing advantage from having an audited control environment. A seal can be issued on a service organization's website. The use and distribution of the report is NOT restricted.

Let our team of IT professionals help you through your SOC implementation and audit. Contact Trevor & Associates.


Getting Results
DDoS attacks are becoming increasingly larger, more complex, and perpetrated by cyber extortionists instead of hacktivists and vandals, according to a recent survey from Arbor Networks. New analysis from Frost & Sull read more ...
The Cloud Security Alliance (CSA) Top Threats Working Group released at RSA Conference an important new research report about cloud computing threats, developed to serve as an up-to-date guide to help cloud users and pro read more ...
CIO - Last month, National Football League special investigator Ted Wells delivered a shocking report about Miami Dolphins player Richie Incognito's bullying tactics aimed at teammate Jonathan Martin. At the heart of t read more ...
Network World - Without updates after April 8 Windows XP is expected to fall prey to any number of zero-day attacks for which Microsoft will provide no defense, but there are some things die-hard XP users can do to mak read more ...
Not only were as many as 110 million Target customers affected by the massive hack on the retailer in December, but banks have also had to deal with the security breach. The hack is said to have cost banks and credit read more ...
The sensitive personal information for more than 300,000 faculty, staff, and students at the University of Maryland were stolen in a "sophisticated" cyberattack on the school's recently bolstered security defenses, the s read more ...
The crowd-funding site Kickstarter has been hacked! The company suggested to its users to change their password. The popular crowd-funding website Kickstarter is the latest victim of a data breach. All users are invi read more ...
A vulnerability appeared in old D-Link routers which allows the attacker to gain admin privileges in the router. The following models are affected: DIR-100 DI-524 DI-524UP DI-604S DI-604UP DI-604+ TM-G524 read more ...
Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild. This means that cyber attacks could now surge and affect Internet Explorer users. read more ...
A Virginia Tech official Tuesday blamed human error for a data breach that may have exposed sensitive data on about 145,000 people who applied online for jobs at the school over the past 10 years. The compromised data read more ...
The iPhone 5S won't hit the streets until tomorrow, but there's already more than $16,000 in cash offered to the first person to hack its Touch ID fingerprint sensor. IsTouchIDhackedyet.com is the brainchild of Nick D read more ...
LAS VEGAS -- More major brand-name Wi-Fi router vulnerabilities continue to be discovered, and continue to go unpatched, a security researcher has revealed at Defcon 21. Jake Holcomb, a security researcher at the Balt read more ...
If you're thinking about encrypting email in light of revelations about U.S. government spying, you may be wasting your time. Recent leaks about surveillance efforts by the secretive National Security Agency have spar read more ...
PC World - For years now I've harangued relatives about their shoddy password practices. Either they use easily hacked passwords or forget the passwords they've created--sometimes both. If you won't take it from me, read more ...
Yet another company has fallen victim to a hack, with attackers breaking into systems at Evernote, maker of a Web-based note-taking application used by about 50 million people. The company said in a security notice th read more ...
A Nationwide Mutual Insurance data breach that took place on October 3 apparently affected over a million Americans. The company reported to the North Carolina Attorney General that 1.1 million American customers may read more ...
Software security testing company Veracode's just-released Supplemental to its 2012 State of Software Security Report focuses on the software supply chain. It reveals that organizations are confronting externally develop read more ...
NASA is scrambling to implement full disk encryption on agency laptops after one containing unencrypted personal information on a "large" number of people was recently stolen. Agency employees were told of the Octob read more ...
Online data vaults are everywhere. On the small storage side, we have options such as Google Drive, Dropbox, and Teamdrive. My Synology NAS, the upcoming 2012 Microsoft Server Suite and any number of virtual appliances c read more ...
Miscreants have reportedly discovered a zero-day vulnerability in latest version of Adobe Reader. Exploits based on the vulnerability, which circumvents sandbox protection technology incorporated into Adobe X and Adob read more ...
Kindsight's Q3 malware report suggests that 13 percent of household networks were infected in Q3, and 6.5 percent of broadband networks are infected with high-level threats. The network security firm's latest Security read more ...
In the biggest data compromise of the year, Social Security Numbers (SSN) belonging to about 3.6 million residents in South Carolina have been exposed in an intrusion into a computer at the state's Department of Revenu read more ...
If your business has any IT resources at all and is connected to the Internet, it's not a question of if you will suffer a security incident; it's just a matter of when. Just how bad such an incident will be comes dow read more ...
Barnes & Noble has removed PIN pad devices from all of its nearly 700 stores nationwide as a precaution after detecting evidence of tampering with the devices at 63 of its stores in eight states. In a statement read more ...
The PCI Security Standards Council (PCI SSC) is unveiling a set of best practices for mobile payment acceptance security. The standards, announced Sept. 13, follow predictions by analysts that the global mobile paymen read more ...
Two Democratic senators are urging President Obama to direct his administration to publish "advisory" guidelines through an executive order on cybersecurity. In a letter (PDF) sent to the White House today, Delaware's read more ...
Microsoft yesterday warned Windows users of possible "man-in-the-middle" attacks able to steal passwords for some wireless networks and VPNs, or virtual private networks. It won't issue a security update for the pro read more ...
Security researchers have discovered a single piece of malware that is capable of spreading to four different platform environments, including Windows, Mac OS X, VMware virtual machines, and Windows Mobile devices. First read more ...
435 PHI breaches documented by HHS impacted 20,066,249 individual records. Under Federal law requiring disclosure, the HHS reports on data breaches of over 500 records (these are the ones they know about, not the inci read more ...
A strong internal audit can be the difference between catching a security failure and spending weeks and months doing a forensic investigation of a breach. With this in mind, professional services firm Pricewaterhouse read more ...
The Attorney General's office of California today announced a new Privacy Enforcement and Protection Unit in the state's Department of Justice that will hold companies accountable for safeguarding consumer data. The n read more ...
Overview US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Network administrators and technical managers s read more ...
Oracle released on July 17 a sizeable security update fixing 87 vulnerabilities spanning a number of products, including 24 for the Oracle Sun product suite. The most critical of the vulnerabilities impacts the Oracle read more ...
The following is an article from CNET. While the title is alarming, individuals practicing net safety are not impacted. Drop me an email if you need more information on safe use of the Internet. (Email Fred) Androi read more ...
Cyber-criminals are now pricing webinjects based on the specific features being requested, underscoring an ongoing movement towards flexibility in the black market, according to security researchers at Trusteer. Webin read more ...
Thousands of office printers from large businesses around the world are churning out page after page of gibberish and wasting vast reams of paper. For once it seems malware is to blame. Dubbed Trojan.Milicenso, i read more ...
One of the primary aims of an anti-virus (AV) engine is to monitor all process activity, while malware, on the other hand, wants to avoid detection by AV. The philosophy of most rootkits is to run silent and deep, whi read more ...
Organizations need to shield themselves from the rising threat of cyber-attacks and sophisticated sabotage directed at IT infrastructure, according to a report issued by security specialist McAfee and the Pacific Northwe read more ...
(Reuters) - Scores of U.S. companies have not disclosed breaches of their computer systems, even though eight months have passed since U.S. securities regulators issued guidelines on disclosing cyber attacks, according t read more ...
Microsoft and Google have separately warned about a new Internet Explorer zero-day being exploited to break into Gmail accounts. The browser flaw, which is currently unpatched, exposes Windows users to remote code execut read more ...
A zero-day flaw in versions of Microsoft's XML Core Services (MSXML) is being actively exploited in the wild. The vulnerability, which was discovered by Google, exists when MSXML attempts to access an object in memory read more ...
Apple's Siri is unsuitable for business and enterprise networks, according to F-Secure vice-president Maria Nordgren. Why? Not only has Siri read your contacts, it knows your calendar off by heart, and probably knows you read more ...
An increasingly complex Web of security measures and threats is straining the IT infrastructure of small and midsize businesses, according to a survey of 571 IT managers and directors across North America, Eu read more ...
After it was discovered that more than six million LinkedIn passwords had been leaked as well as many at Last.fm and eHarmony, no one has stopped talking about password and passcode security. That's actually a good th read more ...
Is printing dangerous? It definitely has privacy and security implications, according to many. The New Jersey legislature, for instance, this week passed a bill (A-1238) that says copy machines and scanners should hav read more ...
Last week, the director of Utah's Department of Technology Services (DTS) resigned in the wake of a massive data breach that exposed the personal information of nearly 800,000 people to hackers believed to have been in E read more ...
An IBM study shows that CISOs are getting more pressure from top executives, but also are gaining a greater voice in their companies. Senior executives in charge of security are finding their roles changing not on read more ...
It has become a cliche in information security: Compliance is not security. But there is still an unsettling amount of denial out there, based on a recent study from HIMSS Analytics and Kroll Advisory Solutions. read more ...
Hewlett-Packard officials are saying that the number of vulnerabilities in commercial applications is continuing to fall, dropping almost 20 percent between 2010 and 2011. However, while the downward trend in vulnerab read more ...
Symantec is urging customers to disable PCAnywhere until it issues a software update to protect them against attacks that could result from the theft of the product's source code. Someone broke into Syma read more ...
Despite the well-known security risks associated with services like Facebook and Twitter, social networking usage in business is becoming even more active, according to a new report from Palo Alto Networks. The social read more ...
by Elinor Mills - This was an exciting/anxious year in the Internet security community, with big tech firms like Sony and RSA getting hacked, putting consumer data and corporate networks at risk, and w read more ...
by Jamie Riden - It was a bad start to a Monday morning: I arrived at work to find the intrusion detection system so bogged down in alerts that it was barely responsive. Something bad had happened over the weekend. T read more ...
IT budgets and responsibilities are moving out of the control of IT departments and into the hands of others, thanks to trends such as consumerization and cloud computing, Gartner says in its vision for 2012 and the comi read more ...
COBIT 5 is a major strategic improvement providing the next generation of ISACA's guidance on the enterprise governance of IT. Building on the more than 15 years of practical usage and application of COBIT by many enterp read more ...