Over the past few years, the potential damage and frequency of data breaches have grown exponentially. According to the Identity Theft Resource Center, the number of recorded data breaches in 2021 is up more than 68% compared to 2020 and 23% over the previous all-time high set in 2017.

Why does this trend keep growing? While there are many contributing factors, one challenge that undoubtedly plays a part is cyber literacy. There are various frameworks and methods for managing cyber risk across organizations, but they do not necessarily share a common language that lets companies measure, evaluate and communicate the overall effectiveness of a risk management program. Further, until recently, there has been no mechanism for an organization to prove to business leaders and key stakeholders that its cybersecurity risk management practices are appropriate and sufficient. To address these issues, in April 2017 the American Institute of Certified Public Accountants (AICPA) released a new cybersecurity risk management reporting framework, known as SOC for Cybersecurity.

Since its release, this framework has become a hot topic of discussion across industries, particularly among CPAs and IT professionals, and has been used by many organizations to evaluate and validate the state of their cybersecurity controls.

Before we dive into the details of SOC for Cybersecurity, it is worth noting that many organizations are already familiar with another AICPA SOC reporting framework and process, SOC 2. Any introduction of SOC for Cybersecurity should start with an explanation of the differences between a SOC 2 and a SOC for Cybersecurity.

Key Differences Between SOC 2 and SOC for Cybersecurity

SOC for Cybersecurity does overlap with SOC 2 reporting, but the two serve different purposes, so it is important to know and understand each. Here are the main differences between these examination reports:

Scope and Intended Audience of the Report

SOC for Cybersecurity addresses an entity's cybersecurity risk management program (typically at the enterprise level) and is intended for stakeholders interested in assurance that the entity's risk management program is designed and operating effectively.

A SOC 2 report is for organizations that provide one or more IT-related services to customers (as a service provider) and is intended to give those customers information on the relevant controls at the service organization that are associated with the service.

Control Baseline Used for Evaluation

The baseline against which an entity is evaluated in a SOC for Cybersecurity is the Description Criteria, a set of benchmarks used when preparing and evaluating the presentation of a description of the entity's cybersecurity risk management program.

The baseline against which a service organization is evaluated in a SOC 2 report is one or more of the Trust Services Criteria, a set of control criteria for use in attestation or consulting engagements to evaluate and report on controls over the information and systems used in the services provided.

An organization pursuing a SOC for Cybersecurity may use the Trust Services Criteria when designing or assessing its control requirements. However, the Description Criteria must be met and addressed in management's description. A company may also use security frameworks outside the AICPA's Trust Services Criteria as the basis for its cybersecurity risk management program, such as NIST 800-53 or ISO 27001/2.

Report Users and Purpose

The intended users of each report are quite different, because the reports serve different purposes and audiences.

SOC 2

SOC 2 reports are restricted-use reports intended for people with sufficient knowledge and understanding of the service organization and its system. Often this includes customers who want assurance that the platform they are using is operated under a set of sufficiently functioning security controls. As a general rule, SOC 2 reports may only be shared with the service organization's customers.

SOC for Cybersecurity

SOC for Cybersecurity reports are general-use reports, and the audience of the report is typically determined by company management. These reports are meant for a broader audience than SOC 2 reports and are typically delivered to those who might be impacted by or interested in an entity's cybersecurity risk management program. Such stakeholders want confirmation that the company's cybersecurity efforts have adequately reduced its cybersecurity risk; they include managers, analysts, investors and even customers. A SOC for Cybersecurity report may be shared with anyone inside or outside the organization, at the organization's discretion.

Treatment of Subservice Organizations

A "subservice" organization is a third party that provides one or more capabilities to the entity being assessed that fall within the control scope and/or evaluation criteria of the particular assessment. As such, that third party's services may have a material impact on the environment being evaluated.

SOC 2

In a SOC 2 report, the service organization may either include subservice providers in the scope of the report or carve them out.

SOC for Cybersecurity

The organization is responsible for all controls in its risk management program. This means that if an entity relies on a third party for a control within its program, the entity must include the third party (and the related controls) within the scope of its assessment.

Control Matrix in the Report

SOC 2

In a SOC 2 report, the full Trust Services Criteria and the list of controls mapped to those criteria are included in the report along with the CPA's tests of controls and their results.

SOC for Cybersecurity

In a SOC for Cybersecurity, the control matrix is not included in the report. While management's description of its cybersecurity program is included, along with management's assertion and the CPA's opinion on that description, the detailed cybersecurity controls and the test results for each control are not. Publishing this type of sensitive information about an organization's control environment could be detrimental to its security posture and could give attackers useful information for exploitation. For that reason, these details are left out of the report.

Should You Switch From SOC 2 to SOC for Cybersecurity?

There is market demand for both SOC reports discussed here, because they target different audiences. Which report you ultimately choose depends on the needs of your customers and key stakeholders, as well as your own goals. In many cases, an organization that undergoes a SOC 2 examination may also invest in a SOC for Cybersecurity report, because it evaluates the organization at the entity level and provides a broader level of assurance and confidence for key stakeholders in a world that's getting scarier each day.

A SOC for Cybersecurity typically results in an overall analysis and assessment of an organization's cybersecurity control posture. This information is often also reflected in a cybersecurity risk assessment. But there are key differences between these two types of reports that should be considered when determining which option is best for your organization.

What Is the Difference Between a SOC for Cybersecurity and a Risk Assessment?

Cybersecurity has become an increasingly important priority for nearly every major corporation, hospital, financial institution, law firm and retailer in today's world. As a result, numerous risk management frameworks have been created to help ensure organizations are properly managing their cybersecurity risks. However, while understanding an entity's compliance with regulations such as the HIPAA Security Rule and the Payment Card Industry Data Security Standard (PCI DSS) has become common practice for many business leaders, the idea of appropriate cybersecurity risk management is less intuitive for non-technical stakeholders such as board members, directors, analysts and investors.

While implementing cybersecurity controls to meet compliance thresholds is important, compliance with regulations does not necessarily mean an entity is sufficiently secure. In fact, "sufficient cybersecurity" is a subjective measure that often depends on many factors, including the entity's industry, the types of data it handles and its financial condition. All of these factors can influence how much cybersecurity risk an executive team is willing to accept. Because cybersecurity risk tolerance differs from one organization to the next, evaluating an organization's cybersecurity posture is difficult, and it is even more difficult for business stakeholders who are not cybersecurity experts.

As the discussion around SOC for Cybersecurity grows, many of our clients and prospective partners have asked us how it differs from the risk assessment process that many entities already go through each year. The main difference is that a risk assessment evaluates an organization's risk against a specific set of threats, whereas SOC for Cybersecurity is an independent opinion on an entity's entire risk management program practices (which include its risk assessment process).

A risk assessment helps an entity identify the specific cybersecurity risks it faces by focusing on how effectively its controls reduce the likelihood of a specific threat being realized. A risk assessment is not a formal opinion report; it is a prioritized list of threats and remediation actions. SOC for Cybersecurity, by contrast, is a comprehensive analysis that evaluates an entity's risk assessment process and its governance activities, as well as its overall cybersecurity objectives, communications and control processes. The SOC for Cybersecurity report culminates in an assertion made by management regarding its cybersecurity risk management program practices, accompanied by an opinion issued by a CPA firm with qualified cybersecurity experts, which adds credibility to management's assertion.

Can Your Organization Benefit From a SOC for Cybersecurity?

Because of our standing as a nationally leading IT security firm, we had the opportunity to work with the AICPA on developing the SOC for Cybersecurity framework. While SOC for Cybersecurity remains voluntary, numerous business leaders have expressed interest in learning more about how this report can provide greater confidence to their shareholders and to the executives who want confirmation that the time and money they are committing to cybersecurity are properly addressing cybersecurity risk.

While a risk assessment is a necessary component of any cybersecurity risk management program, SOC for Cybersecurity may become a "Good Housekeeping" seal of approval for the many businesses seeking validation of their cybersecurity efforts.

Can your organization benefit from a SOC for Cybersecurity? Contact our team to learn more.