SOC Compliance For Cloud Physical Security Guide
SOC compliance is becoming increasingly important for physical security providers as they move to the cloud. The compliance is often marketed as "SOC 2 Compliant" or "SOC 2 Certified", but how much does this actually say about the provider's security?
In this report, we answer the following:
- What are the differences between the different types of compliance (e.g., SOC 1, 2, 3)?
- What does SOC compliance imply or signal about whether a company has cybersecurity vulnerabilities? Does it ensure that there are no backdoors or company abuse of data?
- What does a SOC compliance audit consist of? What does it not cover?
- What are the qualifications for a SOC auditor?
- Can companies fail a SOC audit?
- How much do SOC compliance audits cost?
- Does SOC compliance provide any guarantees or legal protection from exploits?
- What, if any, central directory or verification exists for SOC?
- Do SOC reports expire?
- What is missing from SOC compliance that IPVM recommends buyers consider?
- Which physical security companies claim to be SOC 2 compliant?