NDNB offers industry leading SOC 2 compliance audit reports for today’s growing managed security services industry, providing fixed-fees along with all essential tools and resources for documentation for ensuring an efficient audit process from beginning to end.
NDNB. North America’s SOC 2 Managed Security Services Experts
4 Things to Know for SOC 2 Auditing Success for Security Services Providers
As for the managed security services, it’s important to gain a strong understanding of important SOC 2 auditing issues, thus take note of the following, provided by NDNB:
1. Assess the SOC 1 vs. SOC 2 Political Landscape: Many managed security services providers are undertaking annual SOC 1 SSAE 18 audits, and while NDNB is not stating that to be the incorrect audit, we find SOC 2 compliance to be a much better fit, and for some obvious reasons. First and foremost, SOC 2 audits are ideally situated for technology-oriented businesses – data centers and managed services providers – as the relevant Trust Services Criteria (TSC) provides prescriptive Common Criteria testing that’s highly applicable to such businesses.
Second, the SOC 2 framework represents a natural evolution of today’s service organizations – businesses that required inspection, testing, and validation of their internal control environment, which is heavily dependent upon information technology. SOC 1 SSAE 18 has its rightful place – more for companies that exhibit a true nexus to the concept known as Internal Controls over Financial Reporting (ICFR).
2. Learn about SOC 2 and the Trust Services Criteria (TSC): Going with SOC 2 – great – then it’s time to learn about the AICPA Service Organization Control (SOC) framework – particularly about SOC 2 – and the Trust Services Criteria (TSC). As for the TSC’s – there are five of them, which are the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Remember, that each TSC has their own set of “Common Criteria” – minimum baselines controls for ensuring compliance with the respective TSC – and to no surprise – a large part of compliance with the SOC 2 standard is heavily weighted towards having comprehensive information security policies and procedures in place, and other essential documents.
3. Documentation is Critical for SOC 2 compliance for Managed Security Services: As just stated above, the need for documentation cannot be underscored enough, as processes and procedures are a large part of SOC 2 compliance. As to what types of documentation, consider the following: Access Rights, Change Management, Security and Patch Management, Data and System Backup, Incident Response, Usage Policies, Business Continuity and Disaster Recovery Planning (BCDRP), and more. The ability to develop comprehensive, in-depth, and factual policies and procedures is a big part of SOC 2 compliance for managed security services entities.
4. Remediate: It’s important to note that almost every business deciding to embark upon SOC 2 compliance in the managed security services arena will have some form of remediation to undertake. From missing documentation to weak internal controls for system access and monitoring – just to name a select few examples – remediation is part of the SOC 2 process, so keep this in mind.
It’s also another reason why managed security services providers should go through an initial SOC 2 readiness assessment for identifying gaps and weaknesses prior to the actual audit.
Fixed-Fees. Superior Service. Nationwide Coverage