SOC Compliance For Cloud Physical Security Guide

bashis mcw
Published Jun 19, 2023 13:57 PM

SOC compliance is becoming increasingly important for physical security providers as they move to the cloud. It is often marketed as "SOC 2 Compliant" or "SOC 2 Certified", but how much does this compliance actually say about a provider's security?


In this report, we answer the following:

  • What are the differences between the different types of compliance (e.g., 1, 2, 3)?
  • What does SOC compliance imply or signal about whether a company has cybersecurity vulnerabilities? Does it ensure that there are no backdoors or company abuse of data?
  • What does a SOC compliance audit consist of? What does it not cover?
  • What are the qualifications for a SOC Auditor?
  • Can companies fail a SOC Audit?
  • How much do SOC compliance audits cost?
  • Does SOC compliance provide any guarantees or legal protection from exploits?
  • What, if any, central directory or verification exists for SOC?
  • Do SOC reports expire?
  • What is missing from SOC compliance that IPVM recommends buyers consider?
  • Which physical security companies claim to be SOC 2 compliant?

Executive *******

***** ************* ** * ******* ******* as **** ***** *** ****** ******* systems *** ****** ** *** *****, there *** ******* *********** *** ************** for ***** ******* ** ****** ** (e.g., **** ** *** **). **** creates * ********* *** ***** ********* dozens ** ***** ******* *********, ****** to ******** ***** ********* *** **** or **** *********** ** *************.

*** **** ** ******* * ********* for ***** *********. *******, ***** *** main **** (*.*., *********** *** ********* cloud ******, ******* ******** ** *** US, ***.) *** **** (*.*., *** dictated ** ****/***********, *** ***** ***********, pay-to-play **********, ***.) ** *** ******** and ********* *********** ** *** ****** in ******** ******* *******.

AICPA / ***

*** ****** *** ****** *** ************ Controls *** ** * ******** ********* developed ** *********** ********* *** ********* ****** *********** (AICPA). ***** ** ** *** ******* required, ***** ********* ***** ****** **, including ***** *** ***** ****** *********.

*** ***** ** * **-***** ************ with ******* ***** ******* ** *** US, ***** ***** **** *** ** primarily * ********* **** ** **-***** cloud ******* *********.

Cloud ********* ** *** **** ** ** *** *********

***** ** ** ******** **********, *** does *** *** ** *** ***** of ********** ******* * ******* ** be *** *********.

*******, ** ** ****** *** ********** customers, ********* ******* *********** ***, ** ******* *** ****** a ***** *******'* *** ********** ******* due ** ***** ******** *** ********* liability **** ****** **** **** ********. While *** (** ***** ***** ********** standards) ** *** ***** **** * company ** ******, ** ** * commonly ******** ****** **** *** ** actively ******* ****** **.

SOC ********** ** ******** *****

*** ******* ** *** ********** ** to ***** *** ************* ** ******** and ********* ****** * ***** ******* provider.

*******, **** *********/*** ***** ******* ***** service ********* ** ** *** ********* before ******** **** ************ ** *********. Because ** ****, *** ***** ********* can ** * *********** ******* *** cloud *********.

****, ******** * ******** **** **** SOC ********** ** * **** ****** help ***** ******* ********* ******** *** mitigate ********* ***** ********** **** *********** security.

SOC ****** ******** *** **********

* *** ***** ******** * *******'* business ******** *** ********** ** ***** whether **** *** ******** *** ********* effectively ***** ********* ******* ************* **** practices.

*** ********** ** ******** ** * "***** ******** ********"; ********, ************, ******* Integrity, ***************, *** *******.

***********, *** ********** ******** ********* ********, documentation, *** *********, ********** **********, *** performing ***** ** *** ************* ** controls **** *** ******** ************ ******* to:

  • **** ****** ********: **** **********, **** **********, ******** ********, etc.
  • ******** ****** ********** *********: ****** ****** ******* **********, ****** *************, adequate ** *******, ***.
  • ******** ******** *** ******** ******** ****: ******** ********* *** ******** ************, ****** and ******** **********, ******** ********** ********, etc.
  • ****** ********** *********: *** ********* ** ********* *** ********** vendors, ******** **********, ********* ** ****** performance, ***.
  • **** ********** *** ******* *********: **** **********, ******** ** ********* ****, compliance **** ******* ***********, ***.

SOC **** *** ********* ****** *************

***** *** ********** *** ****** *** provide ******* *** ******* ***** * cloud ******* ********'* ******** *** **********, there *** **** ****** ** **** not *******:

  • ****** ********** ** *** ******* ******* of ***** ****** ********* *********** *** hosted **********.
  • ********** ** ***** ******* ******.
  • ********* *** ******* ** ************* *************** and *********.
  • ********** ** ******* ***** ** ****.
  • ***** ********** ** **** ** * cyber ******.
  • * ******* ********** ** ******** *********, such ** ********** ******, ********* ********-******, or ******* **************.

*******, ***** *** ******** *** ********* cybersecurity *********** ******* *** ************* ********, they *** *** ******** ** ******* SOC **********.

*** *******, ******** *** *** ******** to ***** *** *** ********** ** vulnerable ******* ********* **** * ****** or ***** ******* *** ******* ** using.

*******, ***** *** ********* ****** ******** update/change **********, ******** ** *** **** at ***** ****** ****** **** ******. Software ******* *** ******* ** * sample ** *******, ******** **% ** 15% ** ******* ******** *** *** changes, *** ** ** **% ** samples *** ********. ***** **** *** catch ******** ******** ********** ******, ** is *** *********** **** *********** ************.

Companies ****** **** *** ******

* *********** ****** ** *** ****** is **** **** *** *** ****/****. SOC ****** ******* * ****** **** describes ******* *** ******** *** ******** designed (** *** **** ** * Type * ******) ** **** ******** designed *** ********* *********** (** *** case ** * **** * ******).

*** ******* *** *** ****/**** ******* they **** *** ** ****** *** effectiveness ** ******** ****** * ******** context *** ******* ************* ********.

*******, ******* * ******* ****** ****, and *** * *** * ********** is *** ******** ******, **** *** hide ******** ***** *******.

SOC ***** **** ****** ******

*** **** ** * *** ***** can **** ********* ** ******* *******, including *** ********** ** *** ******* and ******** ***** *******, *** **** of *** ************, *** ***** ** the *****, *** ***** ******* *******:

  • *** *: $**,*** ** $**,*** ** more.
  • *** *: $**,*** *** *********** ********* $100,000 *** ***** *************.
  • *** *: $*,*** ** $**,***.
  • *** *** *************: $**,*** ** $**,***.
  • *** *** ****** *****: $**,*** ** $50,000.

SOC ****** ** ****

*** ****** *** **** ** ********* by ** ********** **** ********** ****** ********** (***) ******* ** * ******** *** **** (an ********** **** **** ** ***** one *** (** ****) *** ** licensed ** ***** *****).

*** ***, ** *******, ****** ******* the ********* ********* *********, ********, *** certification ** ***** *** ***** ***********. However, **** *** ***** ** ********, the ****** ** ****** ******** ** the ***** ******* *******, ***** ** responsible *** ************ *** ******** **.

Not ***** *********** / *** ********** *****

***** *** ******** ****** ** *********** and **** ** ************ **** *** organization **** *****, **** *** **** paid * *** ** *** ******* they *** ********, *********** ****** *** cloud ******* ******** *** ******** ** the *******.

***** ** ********* *** *** ******* to ******** *** ******* ** ** lenient ** *** *******, ***** ** less ****** ** **********-***** ****** (*.*., IRS ***, *****, ***.).

SOC ***** ****** ***** ** ********** *******

******* * ************ ********** **** *** define ** *** ** *** ****/****, SOC ****** ******** ******* ************ *** recommendations *** *********** ** *** *******. An *********** *** * **** * certified ******* **** **** **** ***** report ******** ***** **** ***** ** the ********** *******'* ********** ** ******** towards ******* ** *** ******.

*******, ** ** ***** *********, *** report ******** *** ***** ******* ********'* management *** *** ***** **** ** independent ******* ** *** *******'* ******** processes.

Not * *************

* *** ***** **** *** ****** in * *************, *******, ** ******* in ** "*********** ******," ***** ** the *******'* ******* ** *** ****** and ************* ** *** ******** ***** the *******'* ******** *** **:

  • ***********: *** ******* ************'* ******** **** suitably ******** *** ********* *********** ** all ******** ******** ***** ** *** specified ********.
  • *********: ***** **** ******* *********** ** ********** identified ** *** ******* **** ****** the ************* ** ****** ** *** controls. *******, *** ******* ******* ** still ********, ********** **** *** ******** were ******** ******** *** ******** ***********, except *** *** ******** *********** ** exceptions ******.
  • *******: **** ** *** **** ******** ******* an ******* *** *****. ** ********* that *** ******** **** *** ******** designed ** *** *** ******* *********** to ******* *** ******** ******* **********.
  • **********: *** ******* *** ** ****** ** express ** ******* *** ** *********** limitations ** ************ ** *** ***** scope ** *********** ******** ** *** service ************. * ********** ** ******* indicates **** *** ******* ***** *** form ** ******* ** *** ************* of *** ********.

3 ********* ***** ** *** **********

***** *** ***** *********** *** ********** levels (*, *, *** *). *** 2 ********** ** **** ******** ******** by ***** ***** ************ *********. ****, SOC * *** *** * **** Type * *** **** * ********** variants.

**** * ********** ******** ***** * - * ****** ** ********, *********** analyzing *** **** * ******* ******* to ****** *** ******* *** ******** of *** ************. **** ** ******* performed ** *********** *** **** *.

**** * ******** ***** * - 12 ****** ** ******** ******* ** includes *** **** * ******** ** the ******* **** ***** **** ********** if *** ****'* ********* *** ********** are ***** ******** *** *** ***** where **** *** ***.

*** ***** ** * **** * audit ** **** ******* **** * Type * ***** ******* * **** 2 ********** ** ********* **** * much ****** ****** ** ****, ***** aims ** *********** *** *********** *** ongoing ************* ** ********.

SOC * - ********* ********* *********

*** *** ********* *** ********** ** ***** physical ******** ********* ** *** * focuses ** ******** *** ******* *****' financial **********, *** *******, *****, ********** companies, *** ********** *****.

*** * ***** ******* *** ********* not ****** ********.

SOC * - ***** ******* *********

*** ********* ******* ** * ******** ******** unit ** ******* ****** *** *******, assessing *** ******** *** ******** ********.

*** * **** ** **** ********** that **** ** ************ ****** ** the ******** ****'* ******** ****** (*.*., codebase, ********, ***.) ** ******** **** (e.g., **** ********, ***** **********, ***.).

*** * ***** ******* *** ********* not ****** ********.

SOC * - ******* *** *** * *** ***** ******* *********

*** * ******* *** ********** ******** of *** * ******* **** ******* a ******* ******** ** * ******* organization's ******** *** *** ****** ********.

*** ****** ******** * ******* ******** of *** ******* ************'* ********, ***** used ** *********** ********** *** **** practices ******* ********** *** ******** ******* procedures.

New ******* **** - ************* *** ****** ******

*** ***** **** ******** *** *** complementary **** ** *** ******** *** Cybersecurity *** ****** ******.

*** *** *************

***** *** * ******** ******* ** a *******'* ******** ******** **** ** service, *** *** ************* ** **** *******, ******** ** ********** *** ************* of ** ****** ************'* ******** ** detect, ******* **, *** ******** ************* threats *** *********.

*******, *** *** ************* **** *** follow *** **** ******** ******** ** SOC *, *** * ******* *** adopt ********** ************* ********** ** * guideline, *** *******, *** *****, **** Cybersecurity *********, ***.

*** *** ****** ****** - ******** Manufacturers *** ************

*** *** ****** ******** ******** ** ******** ***** ****** a *******'* ****** *****; **** ***** apply ** ***** ** ****** ************* producing ***** *** ******** *** ******** software ***********.

*** ****** ******** *** ********* *** procedures ** * ******* ** ***** its ******* ** **** ******** *******, deliver ******** ** * ****** *******, adhere ** ***** *** ******* ****, and ******* ******** ************ ********.

SOC ****** ******** ********

** ******* *** **** * ***** commonly ***** ******* ** - ** months ** ********, ***** **** * is ******** ***** ** ******. ********* do *** **** ** ******** **** 1 ********** ** ** ** **** 2 *********.

*** ******* ******** ** ********* ** months **** *** **** ** *****, however, ***** ** ** ********* ********** but **** *** ********** ***** ***** 12 ******.

No *** ********** ************ *********

***** **** *** ******** * **** of *** **********, *** ******* *** 1 *** *** * ******* *** not ******** ****** *** ***** ******* Non-Disclosure ********** ** ******, ** ** difficult ** ********* *** ******* ** a *******'* *** ******.

Additional ************* ***************

******* **** ***** ******* ********* ****** regularly ******* *** *** *** ******** by *** ******:

  • ******* ******** *** ********* ******** *** all ********* ** ****** **** *** well ******** ***** ******** ********, **********, and **** *********. **** ******** ***** is **** ******** ****** ********** ** in ******** ** * ************* ********.
  • ******* *********** ******* *** ************* *********** to ******** *** ******* *** ****** and ************** **********.
  • ********** ****** ****, ******** ******, *** access ******** ** ****** *** ********* or ************ **********.

*******, ** * ******* **** *** regularly ******* *****, **** *** ****** to *** ******* **** ** ***** organization's ******** *** ********** *** *** compliance, ** **** ***** ** ****** during * *** *****. *******, **** also **** ****** ** *** ******** of *** *** *******, ***** *** result ** * ********* ** ******** report ** * ******.

SOC ** ***/*** *****

***/*** ******* * ******* *********** ******** ********, mainly **** ** *** **, **** an ******** ** ************ *** *********** an ********* *********** ******** ********** ******. A ********** *** ***** ***** ******* in * ************* **** ******* ***** for * *****, ****** *** **********.

SOC ** *******

******* (****** *********** ***** ********) ** * ******* ********* ******** *** the ********** ********. ******* ** ***, it ****** *********** ********, *******, **********, and **** **********. *******, * ********** audit ******** ************* **** ******* ***** for * *****, ****** *** **********.

SOC ********* ***** *********

** ********** * **** ** ******** used ***** ***** ************ ********* **** report *** * **********.

*** * **** * (***** ** to ******** ***** ****** **********)

*** * **** *

  • *********** * *** ********* ***** ******* for **** * **********.

***** ****** ** *** ******* *** type ** ** *********** ***** ** found ** ***** *******, **** ******* out ** *******:

  • *******: ******* ** *** * **** 2 **********. ******* ******** ** ****** on ****** *** ********, ***** ** SOC * *********.
  • *******: ********** **** *************, ******** *** 2 **** * ** ****.
  • *******: ** ********.

** *** **** ** ***********, ** have *** ******** ********* **** ***. We **** ****** **** ********.

Comments (7)
Brian Karas
Jun 20, 2023
Pelican Zero

**** ** * ***** ******** ** a ***** **** ** (*******) ****** up **** *****.

(2)
Rick Caruthers
Jun 21, 2023
Galaxy Control Systems

****** ******* ******* *** ********* *** SOC2 ***** *** *** ** *** process ** ********** *** **** **** for ************* ***** ****** ****** ** Q4. ******** ******* ** *** ********* cloud ********* *** ***** **** **** are **** ********** ** **** **** of *********** *******. **** ** ******* our "****** ** ***********" **** ** independent ******* *** ********** ******* ** carries **** ******. **** ********* **** your ******* *** ********** ****** *** procedures ** *****, *** ******* ****** that *** *** ********* ***** ********** and ******** **** ** *** ******** of *** ********.

******: **** ******* *** **** ***** to *** *** **********: **** ***/**/** *** ******* *******

(1)
Undisclosed Integrator #1
Jun 21, 2023

"**** ********* **** **** ******* *** documented ****** *** ********** ** *****, PEN ******* ****** **** *** *** following ***** ********** *** ******** **** to *** ******** ** *** ********"

**** ** ** ******** **** ********** vendors ** ** ******** ** ******* large ***********.

Nathan Wheeler
Jun 30, 2023

** ****'* ********* *** **** **** about ** **** *** ****** **** but *** **** **'* *****, ** has **** ******* ** **** *** over * **** *** ******** ********** notification **** ****** **** ******* ******.

******* ***** ********* *** * **********

(3)
Jacob Hengel
Sep 15, 2023
YourSix

** ***** ******** *** ********* *** concluded *** ** **** ******** * non-qualified ******* **** ** **********. ****** update *** ******* ** ******* *** SOC * **** * **** ********* to ** **.

***** ***.

bashis mcw
Sep 21, 2023

*****, ******.

** ******* *** ******* ** ******** as *********.

(1)
Kieran Carroll
Sep 21, 2023
ZeroEyes

******** ** **** *** * **** 2

******** ***** *** *********** ******** ***********: SOC * **** *

** **** **** *** *****