This message was posted by a user wishing to remain anonymous
The VM group at my institution currently has our internal InfoSec team review SOC reports and other applicable security documents (Pen Tests, Vulnerability Scans, SIGs, etc.) and then we track the results in Oversight Tasks in Venminder.
Unfortunately, these reviews are becoming increasingly backlogged due to more work than our people can complete. My institution chooses to run lean, so adding bodies isn't a possibility.
We also currently have Venminder complete SOC analysis on our "critical vendors", but we are also required to have an internal review completed.
We are considering a path to bring those reviews "in-house" back to VM for completion, but currently we don't have any SOC/Security Document SMEs.
My question is -
Does anyone have a template they use for review of SOC/Other Security Docs or is there some course or training that could help us to become knowledgeable enough with these reports to handle the review ourselves?