Audit and Assurance

SOC Audit Program

  • 1.  SOC Audit Program

    Posted 26 Mar, 2020 14:10
    Does anyone have any audit programs to share in regards to reviewing a 3rd party security operations center that you currently do business with? Ensuring the process is set up correctly, correct alarms, alerting, testing, etc.

    Dustin Ketterling
    IT Audit Manager

  • 2.  RE: SOC Audit Program

    Posted 27 Mar, 2020 03:42
    @Dustin Ketterling

    Sharing some guidelines below

    1. Do you have signed contracts with all third party providers? Do the contracts have confidentiality clauses?
    2. Do you share client data with any third party vendors? If so, what secure means of exchanging information between each office and any third party does your firm rely upon?
    3. Are license checks conducted on all third party vendors to confirm that they have valid, current licenses (if a license is required for the services performed)? Are the third party vendors required to provide updated license information on an ongoing basis?
    4. Is the third party vendors' insurance coverage current and in accordance with client requirements?
    5. Has there been an SSAE 18 completed in the last 12 months?
    6. Were there any significant findings?
    7. Have the last quarterly scans passed?
    8. DRP/BCP of third party policy and testing?
    9. Records management
    10. Logical access and information security
    11. Password management
    12. Encryption management
    13. Data back-up etc.

    Vikram Raghuveer
    Manager-IT and internal audits

  • 3.  RE: SOC Audit Program

    Posted 17 Apr, 2020 13:46
    Adding to Vikram's list:

     - Make sure their DRP/BCP has RPO/RPA and RTO/RTA that your company finds acceptable
     - Ensure you have a process to track their physical and logical access to your buildings, networks, applications, APIs, etc. and that you have a process to modify or terminate that access timely, as needed.

    The main first step I would do (and you may have already done this) is ensure you understand your company's standards, requirements, and needs for this organization. Vikram has great suggestions for things to consider but just because you have a contract with a confidentiality clause doesn't mean that it is acceptable to your legal team. Just because they have password management, encryption, data back-up, etc. does not mean it meets your organization's standards for risk. If you are a DoD contractor in the US, require SOX compliance, have compliance requirements for a parent company, or other requirements this center is being used to meet, design your audit to include tests that will provide management with assurance those requirements are being met or exceeded.

    Jake Davis
    IT Controls Analyst

  • 4.  RE: SOC Audit Program

    Posted 18 Apr, 2020 03:32
    I may include data/information privacy and data protection as well in the list.

    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.

  • 5.  RE: SOC Audit Program

    Posted 18 Apr, 2020 09:29

    Excellent points but I would think on these lines as to what data I am having in cloud - privacy, transactional data, employee data, GDPR etc., and then governance silos for each data type. I would like to add the following:

    1. Security incidents, if they occurred, how is the client informed - SLA
    2. What type of SOC audit are we aiming to do? 1, 2
    3. What controls are around encryption at rest and in motion?

    I would want to object to client sharing of data, point 2 raised by Raghuveer - no sharing of data; my assumption is this data is private.

    Thanks and regards,

    Suresh "Sam" Chhabria, MCOM, MBB, TQM, SOX, VCA, CISA
    Technology Auditor
    Governance Advisor