Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSTRT, ISSA Fellow, has been involved with IT for over 20 years, more than half of them in information security. Moving from a security admin to a global security architect, he has been working for the last few years as an IT security consultant, helping clients implement information security management systems as well as performing security risk assessments, gap analyses, and developing policies and procedures. His research interests include IT/security frameworks and compliance, the Internet of Things, and mobile device security.
An Introduction to the “SOC for Cybersecurity” Report
Most of us are familiar with SOC 2 reports. SOC stands for “System and Organization Controls” (formerly “Service Organization Controls”, and not Security Operations Center), and a SOC 2 report is an audit report covering security, availability, and similar criteria, usually produced for data centers. SOC 1 and SOC 3 reports also exist. SOC 2 reports are produced by accountants, based on standards set down by the AICPA. Now the AICPA has pushed further into cybersecurity, providing advisory and assurance services, and has released a new Cybersecurity Risk Program, described in a new guide for reporting on an organization’s cyber risk program, which some are calling “SOC for Cybersecurity”.
What is this new “SOC for Cybersecurity”, and what impact will it have on us, good or bad? How qualified are CPAs, versus cybersecurity professionals, to assess a cybersecurity program?
We will take an overall look at this program from the AICPA, the components and criteria that make it up, and examine what the program does. At the end, participants will have a better understanding of it and be able to judge whether it is something that would be of value to their organizations.