Comparison of Service Organization Control (SOC) Reports

Purpose
  • SOC 1: Evaluate a service organization's controls over financial reporting
  • SOC 2: Evaluate a service organization's controls that affect the confidentiality, integrity, availability and privacy of users' data
  • SOC 3: Same as a SOC 2

Also known as
  • SOC 1: Statement on Standards for Attestation Engagements (SSAE) report, formerly known as a SAS 70 report
  • SOC 2: (none)
  • SOC 3: (none)

Types of Reports

Type 1
  • SOC 1: Type 1 SSAE 16 assessments determine whether security controls are designed to meet control objectives and whether the controls were in place at a point in time
  • SOC 2: Type 1 reports assess the service organization's control environment and the suitability of the control design
  • SOC 3: (none)

Type 2
  • SOC 1: Type 2 SSAE 16 assessments are the same as a Type 1 except that the controls report covers a period of time (e.g. six months or a year) rather than a point in time
  • SOC 2: Type 2 reports do the same as a Type 1 report and additionally evaluate the operating effectiveness of the controls
  • SOC 3: (none)

Intended Users of the Reports
  • SOC 1: Auditors, management of the service organization and management of the service organization's users
  • SOC 2: Parties knowledgeable about the service provided by the service organization and evaluating the effectiveness of internal controls; often requires signing of an NDA
  • SOC 3: Anyone

Professional Standard Used
  • SOC 1: SSAE 16: Reporting on Controls at a Service Organization
  • SOC 2: Attestation Standards Section 101: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
  • SOC 3: Same as SOC 2; uses the Trust Services Principles

Useful Resources

  • Adopting Cloud Services at NC State: Guidelines and Considerations (North Carolina State University Office of Information Technology)
  • Security Considerations for Cloud Computing: A resource developed by the Higher Education Information Security Council that outlines things to think about when considering the application of cloud computing at institutions of higher education.
  • 2015 State of Vulnerability Risk Management: A June 2015 report from NopSec that discusses "key security vulnerability issues historically and by industry, analyzes cross-industry remediation developments and highlights the effect social media has on the risk associated with security vulnerabilities."
  • Preparing the IT Organization for the Cloud: A 2015 ECAR working group paper series discussing cloud-based services.
  • "The Failure of the Security Industry": An article from the April 2015 CSO Magazine by Alex Stamos (CISO, Yahoo), who shares his opinions on the current state of security products and some helpful tips in managing vendor/supplier relations.
  • "Outsourcing, Procurement, and Cybersecurity": An article from April 2015 that encourages organizations to verify that vendors or suppliers provide assurance of data protection requirements and security controls.
  • "Silver Lining": An August 2014 article from The Economist dealing with current and future trends of cloud computing and the effects the market is playing on the suppliers and their cloud computing offerings.
  • Cloud Strategy For Higher Education: Building a Common Solution: A November 2014 ECAR publication discussing higher education IT being "in the midst of an exciting transformation. The economies of scale, resiliency, flexibility, and agility provided by cloud computing are rendering the construction and maintenance of on-premises data centers obsolete. We believe that over the next decade, the availability and advantage of new technology models will result in a substantial decrease in the use of on-premises data centers. In this document, we outline a 'cloud first' strategy for higher education IT that moves from a traditional data center model to one centered on the public cloud and cloud-based services."
  • 7 Things You Should Know About Cloud Storage and Collaboration: A 2014 resource found in The 7 Things You Should Know About... series from the EDUCAUSE Learning Initiative (ELI) which provides concise information on emerging learning technologies. As the abstract states, "Higher education has seen a move from consumer-level adoption of cloud services to enterprise deployment of full-scale cloud storage and collaboration platforms. Enterprise services can now offer the convenience of cloud storage and collaboration services with single sign-on through the university’s identity management system, integration with other campus services, and contractual assurances of privacy, security, and uptime. The deployment of enterprise cloud storage and collaboration services has introduced new opportunities for how academic assignments are conceived, completed, and submitted. This technology provides the opportunity for students, faculty, and researchers to bring their work wherever they go, access it instantly, and collaborate with colleagues in a private and secure digital environment."

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources


Standards

ISO
  • ISO/IEC 27002:2013 Information Security Management, Chapter 15: Supplier Relationships
  • ISO/IEC TR 14516:2002

NIST
  • SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • SP 800-30 Rev. 1: Guide for Conducting Risk Assessments
  • SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
  • SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
  • SP 800-53A Rev. 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

COBIT
  • DS2
  • AI5.2
  • AI5.3
  • PO4.15

PCI DSS
  • Req 6.4
  • Req 6.6
  • Req 8.3
  • Req A.1

2014 Cybersecurity Framework
  • ID.AM-6
  • PR.AT-3

HIPAA Security
  • 45 CFR 160.103
  • 45 CFR 164.504
  • 45 CFR 164.532
