A SOC for Cybersecurity does overlap with a SOC 2 report, but each serves a distinct purpose, so it is important to know and understand both. The main differences between these examination reports are as follows:
Scope and intended readers of the report
A SOC for Cybersecurity addresses an entity’s cybersecurity risk management program (typically at the enterprise level) and is intended for stakeholders interested in assurance that an entity’s risk management program is designed and operating effectively.
A SOC 2 report is for organizations that provide one or more IT-related services to customers (as a service provider) and is intended to provide those customers with information on the relevant controls at the service organization that are associated with the service.
Control baseline used for evaluation
The baseline against which an entity is evaluated in a SOC for Cybersecurity is the Description Criteria, a set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity’s cybersecurity risk management program.
The baseline against which a service organization is evaluated in a SOC 2 report is one or more of the Trust Services Criteria, a set of control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems utilized in the services provided.
An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria when designing or assessing its control requirements. However, the Description Criteria must still be met and addressed in management’s description. A company may also utilize other security frameworks outside of the AICPA’s Trust Services Criteria as the basis for its cybersecurity risk management program, such as NIST 800-53 or ISO 27001/2.
Report users and purpose
The intended users of each report are entirely different, because the reports serve different purposes and audiences.
SOC 2
SOC 2 reports are restricted-use reports intended for people with sufficient knowledge and understanding of the service organization and its system. Often this includes customers who want assurance that the platform they are using is operated under a set of adequately functioning security controls. As a general rule, a SOC 2 report may only be shared with the service organization’s customers.
SOC for Cybersecurity
A SOC for Cybersecurity report is a general-use report, and its target audience is typically determined by the company’s management. These reports are meant for a broader audience than SOC 2 reports and typically are delivered to those who might be impacted by or interested in an entity’s cybersecurity risk management program. Such stakeholders want confirmation that the company’s cybersecurity efforts have adequately reduced its cybersecurity risk. They include managers, analysts, investors, and even customers. A SOC for Cybersecurity report can be shared with anyone inside or outside the organization, at the organization’s discretion.
Treatment of subservice organizations
A “subservice” organization is a third party that provides one or more capabilities to the entity being assessed that fall within the control scope and/or evaluation criteria for the particular assessment. As such, that third party’s services may have a significant impact on the environment under evaluation.
SOC 2
In a SOC 2 report, the service organization may include subservice providers in the scope of the report or carve them out.
SOC for Cybersecurity
The organization is responsible for all controls in its risk management program, which means that if an entity relies on a third party for a control in its program, the entity must include that third party (and the related controls) in the scope of its assessment.
Control matrix in the report
SOC 2
In a SOC 2 report, the full Trust Services Criteria and the list of controls mapped to those criteria are included in the report, along with the CPA’s tests of controls and their results.
SOC for Cybersecurity
In a SOC for Cybersecurity, the control matrix is not included in the report. While management’s description of its cybersecurity program is included, along with management’s assertion and the CPA’s opinion on that description, the detailed cybersecurity controls and the test results for each control are not. Including this type of sensitive information about an organization’s control environment could be detrimental to the organization’s security posture and could give attackers useful information for exploitation. For that reason, these details are excluded from the report.