
A comprehensive examination of SOC for Cybersecurity

August 30, 2017 | Article | 4 min read
Authors: Krystle Beseler, Sarah Pavelek
The AICPA released the SOC for Cybersecurity examination to provide organizations the opportunity to communicate their process for managing cybersecurity threats with a comprehensive risk management program. Our experts discuss how it stacks up to the SOC suite.

In May 2017, a ransomware attack infiltrated the UK’s National Health Services (NHS) network. This attack caused delays in medical procedures and chaos within the affected facilities. The attack, labeled WannaCry, was widespread within the NHS network and could have been prevented had the proper security updates been installed in a timely manner. Global cyberattacks such as WannaCry are becoming increasingly common. As a result, organizations as well as their vendors, business partners, and other stakeholders are making cybersecurity risk management a top priority. In response, the American Institute of Certified Public Accountants (AICPA) released the new SOC for Cybersecurity examination to provide organizations the opportunity to communicate their process for managing cybersecurity threats with a comprehensive risk management program.

What is SOC for Cybersecurity?

SOC for Cybersecurity is an independent third-party assessment of an organization’s cybersecurity risk management program. SOC for Cybersecurity introduces a set of benchmarks to standardize reporting on the description and effectiveness of an organization’s cybersecurity risk management program.

The organization’s cybersecurity program is a set of policies, processes, and controls to achieve the cybersecurity objectives that protect against criminal or unauthorized access or attack using electronic data. The framework has been designed to be specific to the organization’s industry and applicable standards and can follow frameworks such as National Institute of Standards and Technology (NIST), Payment Card Industry Data Security Standards (PCI DSS), International Standardization Organization and International Electrotechnical Commission (ISO/IEC), or Control Objectives for Information and Related Technologies (COBIT). The framework standardizes the manner in which organizations define and communicate their cybersecurity objectives and the risk management controls designed to mitigate risks.

Use of the assessment

The independent third party can perform a gap analysis to prepare an organization for the examination, or move directly to the performance of a SOC for Cybersecurity examination.

Gap analysis

Independent third parties can use the new set of benchmarks to perform a gap analysis to identify vulnerabilities within an organization’s cybersecurity risk management program. The gap analysis can identify controls, policies, and procedures that are not designed to adequately address risks, as well as risks that are not yet addressed in the cybersecurity risk management program. Based on the results of the gap analysis, the organization can design controls and remediate the identified weaknesses within its risk management program.

SOC for Cybersecurity Examination

Independent third parties examine the design and operating effectiveness of internal controls in relation to the organization-wide risk management program and how those controls address the organization’s cybersecurity and business objectives. A report is issued by the independent third party with an opinion on the design and operating effectiveness of the controls within the cybersecurity risk management program. The report is available for general use upon issuance.

Description criteria

In order to perform an examination on the design and operating effectiveness of the cybersecurity risk management program, the organization’s management is required to document the cybersecurity risk management program and provide an assertion on that description. The description should be developed according to the guiding principles identified by the AICPA’s Assurance Services Executive Committee (ASEC) within the description criteria. The description criteria are designed to help organizations define the cybersecurity objectives and the internal controls that make up the cybersecurity risk management program.

Several key aspects of the cybersecurity risk management program should be defined for the users of the report, to assist with their understanding of the organization’s cybersecurity risk management program.

The description criteria provide guidance on the relevant information to include for each of the main topics listed below:

  1. Nature of the business and its operations
  2. Cybersecurity risk management program objectives
  3. Factors that have a significant effect on inherent cybersecurity risk
  4. Cybersecurity risk governance structure
  5. Cybersecurity risk assessment process
  6. Cybersecurity communications and quality of cybersecurity information
  7. Cybersecurity risk management program monitoring
  8. Cybersecurity control activities
  9. Security event prevention management
  10. Security event detection and security incident response management
  11. Processing capacity management
  12. System availability management
  13. Confidential information management

By defining and documenting the above topics, organizations can provide vendors, business partners, management, and stakeholders with a reasonable understanding of the cybersecurity risk management program in place. Users of the report can gain an understanding of the business operations, the threats and vulnerabilities the organization faces, the control activities that address those threats, and the procedures for responding if an event or incident occurs.

How it compares to the SOC suite

The new addition to the SOC suite of reports allows for an industry-agnostic examination for general use. A SOC for Cybersecurity report defines the cybersecurity objectives and the risk management program in place at an organization to meet those objectives. With the steady increase of cybersecurity attacks on small, medium, and large businesses, it is clear that those affiliated with organizations need to know what is being done to protect against cyberattacks. Understanding the cybersecurity objectives and their supporting risk management program provides reasonable assurance and some peace of mind for business partners, vendors, customers, investors, regulators, and internal management. Most importantly, SOC for Cybersecurity allows an independent third party to assess the program and issue an opinion. That opinion reinforces management’s description and shows whether the program is operating effectively.
