Statement on Standards for Attestation Engagements (SSAE-18)

Video Transcription
In this lesson, we're going to talk about the Statement on Standards for Attestation Engagements, the SSAE 18, one of those common auditing frameworks that you're going to see presented by Cloud providers. In this lesson, we want to describe what the SSAE 18 and SOC reports cover, we want to compare and contrast the different types of SOC reports, and we also want to talk about how SOC reports can be used to identify risk and relevant controls when using a Cloud vendor.

The SSAE 18 was put out by the American Institute of Certified Public Accountants, the AICPA. It represents both accountants and auditing professionals in the United States, and sets out best practices for reporting financial information from an accounting perspective as well as auditing accounting practices. The SSAE 18 is the most current AICPA auditing standard, and there are really three different types of audit reports that they produce: SOC 1, SOC 2, and SOC 3.

A SOC 1 report is focused on the financial controls of an organization, and it's used to validate that they have effective controls when it comes to how financial information is reported and maintained.

The SOC 2 focuses far more on information security related controls. A SOC 2 report can have different control families or control criteria. They can cover security, availability, processing integrity, confidentiality, or privacy. For a given report, and this is a very important thing if you're reading a SOC report, look at what controls the report actually covers. All these reports from a SOC 2 perspective will cover the main body of controls related to security. However, if you're an organization that really relies on the availability of your solution from the Cloud provider, you want to make sure that this report also covers the availability controls; or if you're an organization that handles very sensitive data and you are very focused on privacy, you can look and see whether the report covers the privacy controls. Don't assume that every provider's SOC report is going to cover all of the necessary controls.

The third type of report is a SOC 3. The SOC 3 really just is more, in my opinion, like a marketing document. It lays out a very high-level description of the organization and its controls, and concludes with a statement from the auditors that it was evaluated for effectiveness by a third party. The reason that SOC 3 exists is that the SOC 2 really provides very granular detail on the controls that an organization has and their effectiveness. This report is very sensitive, because it would provide a threat actor with a very robust understanding of the defense-in-depth strategy of an organization. That's why SOC 2s aren't usually given out until an organization signs an NDA. Now, in my personal experience, I've reviewed a lot of SOC 2 reports and I rarely see SOC 3s. Most organizations don't even want to see a SOC 3; it's really used in the sales process sometimes.

When evaluating a vendor, I want to see the SOC 2 to make sure, one, that the product in question is in scope of the report, and that the auditor's opinion in the report is unqualified. If there are limitations on how the auditor was able to audit or really provide assurance of the controls' effectiveness, they may provide a qualified opinion.

Another important aspect of all of the SOC 1 and SOC 2 reports is that there's a significant difference between a Type 1 report and a Type 2 report. Type 1 reports are points in time. The auditor simply went in and saw that a control was in place. They can't opine as to whether or not the control is effective, because they're only looking at a short period of time. A Type 2 report looks at the effectiveness of controls over a period of time. I think that the minimum period for a Type 2 report should be about six months, and then many SOC 2 Type 2 reports are 12 months. It used to be considered unusual for an organization to have only a six-month report; maybe that reflected that the organization was very new and it was in a rush to get out the report. However, now many of the large companies release their reports on a six-month cadence in order to demonstrate that they are continually evaluating their controls and providing no lag, so their customers don't have to wait a whole 12 months to get a look at their controls and a third-party evaluation of their effectiveness.

Quiz question: which SOC report reflects a vendor's security controls evaluated over at least a six-month period? SOC 1 Type 2, SOC 2 Type 1, or SOC 2 Type 2? If you said SOC 2 Type 2, you're correct. The SOC 1 focuses on financial reporting controls, and Type 2 indicates that it's over a period of at least six months. SOC 2 Type 1 is a point-in-time report, but it does look at the security controls that a vendor has. SOC 2 Type 2 reports look at the security controls over an extended period of time to discuss their effectiveness.

In summary, we talked about the origins of the SSAE 18 and SOC reports, we talked about three different types of reports, and then we talked about how you can use these reports to evaluate the Cloud provider's maturity and ensure that the controls that they have adequately cover all of your specific security and business requirements. See you in the next lesson.