User:MtuSmart/System and Organization Controls
Article Draft
Lead
System and Organization Controls (SOC), also sometimes referred to as service organization controls, is the name given by the American Institute of Certified Public Accountants (AICPA) to a suite of reports produced during an audit. The reports are intended for service organizations (organizations that provide information systems as a service to other organizations) to communicate independently validated descriptions of their internal controls over those information systems to the users of the services. The reports focus on controls grouped into five categories, which are evaluated against the Trust Services Criteria.[1] The Trust Services Criteria were established by the AICPA through its Assurance Services Executive Committee (ASEC) in 2017 (the 2017 TSC). The criteria are used by the practitioner/examiner (a Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls over information systems offered as a service. Engagements can be scoped to an entire entity or to a subsidiary, division, operating unit, product line or functional area. The Trust Services Criteria were modeled in conformity with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (the COSO Framework). In addition, the Trust Services Criteria can be mapped to the NIST SP 800-53 controls and to articles of the EU General Data Protection Regulation (GDPR). The AICPA attestation standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three kinds of report: SOC 1, SOC 2 and SOC 3.
Article body
Trust Services Criteria
The Trust Services Criteria were designed to be flexible in application, so that they can accommodate the particular controls an organization has implemented to address the risks and threats it actually faces. This contrasts with control frameworks that mandate specific controls whether or not they are applicable. Applying the Trust Services Criteria to an actual situation therefore requires judgement about the suitability of the controls in place. According to the AICPA's ASEC, the Trust Services Criteria are used when "evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality or privacy of information and systems used to provide product or services".
The Trust Services Criteria are organized in alignment with the 17 principles of the COSO framework, with supplemental criteria covering logical and physical access controls, system operations, change management and risk mitigation. These criteria are shared across all five categories and are known as the Common Criteria (CC); additional criteria specific to availability, processing integrity, confidentiality and privacy supplement them.
The common criteria are labeled Control environment (CC1.x), Information and communication (CC2.x), Risk assessment (CC3.x), Monitoring of controls (CC4.x) and Control activities related to the design and implementation of controls (CC5.x), followed by the supplemental criteria for Logical and physical access controls (CC6.x), System operations (CC7.x), Change management (CC8.x) and Risk mitigation (CC9.x). The common criteria alone are sufficient and complete for an evaluation against the security category. The other categories have additional category-specific criteria: Availability (A.x), Processing integrity (PI.x), Confidentiality (C.x) and Privacy (P.x). Coverage of each trust services category addressed in an engagement is considered complete when all criteria associated with that category have been addressed.
SOC 2 reports focus on controls in five partially overlapping categories addressed by the Trust Services Criteria, which also support the CIA triad (confidentiality, integrity and availability) of information security. Typical controls are listed under each category:[2]
- Security - information and systems are protected against unauthorized access, unauthorized disclosure, and damage that could compromise the availability, integrity, confidentiality and privacy of the system.
  - Firewalls
  - Intrusion detection
  - Multi-factor authentication
- Availability - information and systems are available for operational use as committed or agreed.
  - Performance monitoring
  - Disaster recovery
  - Incident handling
- Confidentiality - information designated as confidential is protected and made available only on a legitimate need-to-know basis. This applies to any type of sensitive information, not only personal information.
  - Encryption
  - Access controls
  - Firewalls
- Processing Integrity - system processing is complete, valid, accurate, timely and authorized.
  - Quality assurance
  - Process monitoring
  - Adherence to principle
- Privacy - personal information is collected, used, retained, disclosed and disposed of in accordance with the organization's policy. Unlike confidentiality, privacy applies only to personal information.
  - Access control
  - Multi-factor authentication
  - Encryption
Reporting
Levels
There are two levels of SOC report, which are also specified by SSAE 18:[3]
- Type I, which describes a service organization's system and whether the design of the specified controls, as of a point in time, is suitable to meet the relevant Trust Services Criteria. (Are the design and documentation likely to accomplish the goals defined in the report?)
- Type II, which also addresses the operating effectiveness of the specified controls over a period of time (usually 9 to 12 months). (Do the controls actually operate as designed throughout the period?)
Types
There are three types of SOC reports.[4]
- SOC 1 – Internal Control over Financial Reporting (ICFR)[5]
- SOC 2 (Type I and Type II) – Trust Services Criteria[6][7]
- SOC 3 – Trust Services Criteria for General Use Report[8]
Additionally, there are specialized SOC reports for Cybersecurity and Supply Chain.[9]
SOC 1 and SOC 2 reports are restricted-use reports intended for a limited audience, specifically users with an adequate understanding of the system in question, such as the user entities and their auditors. SOC 3 reports contain less detailed information and are general-use reports that can be distributed to the public.
References
- "SOC 2 Compliance". imperva.com. Imperva. Retrieved 25 February 2020.
- "SOC 2 Compliance". imperva.com. Imperva. Retrieved 25 February 2020.
- "SOC 2 Compliance". imperva.com. Imperva. Retrieved 25 February 2020.
- "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 6 March 2020.
- "SOC 1 – SOC for Service Organizations: ICFR". AICPA. Retrieved 6 March 2020.
- "SOC 2 – SOC for Service Organizations: Trust Services Criteria". AICPA. Retrieved 6 March 2020.
- "2018 SOC 2® Description Criteria (With Revised Implementation Guidance – 2022)". AICPA.org. Retrieved 27 February 2023.
- "SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report". AICPA. Retrieved 6 March 2020.
- "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 22 February 2023.