...
| | SOC 1 Reports | SOC 2 Reports | SOC 3 Reports |
|---|---|---|---|
| Purpose | Evaluate a service organization's controls over financial reporting | Evaluate a service organization's controls that affect the confidentiality, integrity, availability, and privacy of users' data | Same as SOC 2 |
| Also known as | Statement on Standards for Attestation Engagements (SSAE), formerly known as a SAS 70 report | | |
| Types of Reports | | | |
| Type 1 | Type 1 SSAE 16 assessments determine whether security controls are designed to meet control objectives and whether the controls were in place at a point in time | Type 1 reports assess the service organization's control environment and the suitability of the control design | |
| Type 2 | Type 2 SSAE 16 assessments are the same as a Type 1 except that the report covers a period of time (e.g., six months or a year) rather than a point in time | Type 2 reports do the same as a Type 1 report and additionally evaluate the effectiveness of the controls | |
| Intended Users of the Reports | Auditors, management of the service organization, and management of the service organization's users | Parties knowledgeable about the service provided by the service organization and evaluating the effectiveness of internal controls; often requires signing an NDA | Anyone |
| Professional Standard Used | SSAE 16: Reporting on Controls at a Service Organization | Attestation Standards Section 101: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy | Same as SOC 2; uses Trust Services Principles |
Useful Resources
- Adopting Cloud Services at NC State: Guidelines and Considerations (North Carolina State University Office of Information Technology)
- Security Considerations for Cloud Computing: A resource developed by the Higher Education Information Security Council that outlines things to think about when considering the application of cloud computing at institutions of higher education.
- 2015 State of Vulnerability Risk Management: A June 2015 report from NopSec that discusses "key security vulnerability issues historically and by industry, analyzes cross-industry remediation developments and highlights the effect social media has on the risk associated with security vulnerabilities."
- Preparing the IT Organization for the Cloud: A 2015 ECAR working group paper series discussing cloud-based services.
- "The Failure of the Security Industry": An article from the April 2015 CSO Magazine by Alex Stamos (CISO, Yahoo), who shares his opinions on the current state of security products and some helpful tips in managing vendor/supplier relations.
- "Outsourcing, Procurement, and Cybersecurity": An article from April 2015 that encourages organizations to verify that vendors or suppliers provide assurance of data protection requirements and security controls.
- "Silver Lining": An August 2014 article from The Economist dealing with current and future trends of cloud computing and the effects the market is playing on the suppliers and their cloud computing offerings.
- Cloud Strategy For Higher Education: Building a Common Solution: A November 2014 ECAR publication discussing higher education IT being "in the midst of an exciting transformation. The economies of scale, resiliency, flexibility, and agility provided by cloud computing are rendering the construction and maintenance of on-premises data centers obsolete. We believe that over the next decade, the availability and advantage of new technology models will result in a substantial decrease in the use of on-premises data centers. In this document, we outline a 'cloud first' strategy for higher education IT that moves from a traditional data center model to one centered on the public cloud and cloud-based services."
- 7 Things You Should Know About Cloud Storage and Collaboration: A 2014 resource found in The 7 Things You Should Know About... series from the EDUCAUSE Learning Initiative (ELI) which provides concise information on emerging learning technologies. As the abstract states, "Higher education has seen a move from consumer-level adoption of cloud services to enterprise deployment of full-scale cloud storage and collaboration platforms. Enterprise services can now offer the convenience of cloud storage and collaboration services with single sign-on through the university’s identity management system, integration with other campus services, and contractual assurances of privacy, security, and uptime. The deployment of enterprise cloud storage and collaboration services has introduced new opportunities for how academic assignments are conceived, completed, and submitted. This technology provides the opportunity for students, faculty, and researchers to bring their work wherever they go, access it instantly, and collaborate with colleagues in a private and secure digital environment."
...
EDUCAUSE Resources
Initiatives, Collaborations, & Other Resources
...
Standards

| ISO | NIST | COBIT | PCI DSS | NIST CSF | HIPAA |
|---|---|---|---|---|---|
| 27002:2013 Information Security Management | 800-53: Recommended Security Controls for Federal Information | DS2 | Req 6.4 | ID.AM-6 | 45 CFR 160.103 |

Supplier Relationships
...