Service organization control (SOC) reports have become a staple of the technology environment as organizations shift processes and systems to third parties and place reliance on outside entities to provide services critical to their mission. This became abundantly visible during the on-going pandemic as companies scrambled to implement solutions, processes, and connectivity to support workforce moving from generally a centralized on-prem approach to an edge driven cloud centric workforce model. With the reliance on these additional third parties, the drumbeat for those tasked with ensuring the stability and internal control of applications, processes, and technologies associated with this edge driven model relied on third party SOC reports to confirm sufficient control over these third parties. As the reliance on these SOC reports continues to increase, obtaining the SOC report moved from the only step to the first step often requested by an internal or external auditor in validating internal controls were in place. Understanding, interpreting, and using the SOC report effectively to address information technology, security, or processing risk became an expectation.
Come dialogue with the Portland ISACA chapter and Carlos Villalba, as they open up the topic of interpreting and using a SOC report effectively to understand the extent of reliance you can obtain from these reports based on what they do and don’t tell you. This will be an engaging session for any organization using or producing a SOC report or for those questioning how to interpret what is included in the report or more importantly, what is not!
Carlos is Vice President of Professional Services at Avertium, which focuses on building cybersecurity solutions at scale without complexity. Carlos is responsible for overseeing and delivering professional services across the company’s strategic assessment and advisory services channel and within the governance and compliance solutions area. Prior to Avertium, Carlos was VP for Terra Verde Security Services which was acquired by Avertium. Carlos has also been a professor at Syracuse University focusing on information studies teaching database management and open source application deployment. Carlos is an active international ISACA member and regularly presents to various ISACA organizations on information security and assessment topics.