Information Security
  • 1.  Reviewing SOC Reports

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2020 05:29 PM

    The VM group at my institution currently has our internal InfoSec team review SOC reports and other applicable security documents (Pen Tests, Vulnerability Scans, SIGs, etc.) and then we track the results in Oversight Tasks in Venminder. 

    Unfortunately, these reviews are becoming increasingly backlogged due to more work than our people can complete. My institution chooses to run lean, so adding bodies isn't a possibility.

    We also currently have Venminder complete SOC analysis on our "critical vendors", but we are also required to have an internal review completed. 

    We are considering a path to bring those reviews "in-house" back to VM for completion, but currently we don't have any SOC/Security Document SMEs.

    My question is - Does anyone have a template they use for review of SOC/Other Security Docs or is there some course or training that could help us to become knowledgeable enough with these reports to handle the review ourselves?


  • 2.  RE: Reviewing SOC Reports

    This message was posted by a user wishing to remain anonymous
    Posted 03-05-2020 08:02 AM

    There is lots of information on the Internet about how to read, understand and review SOC Reports. The links below may be helpful. There are courses out there for a fee.

    https://www.berrydunn.com/uploads/1548/doc/SOC_Review_Checklist_4915954_1.pdf

    https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/ssae-no-18.pdf

    https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/how-to-properly-review-an-soc-report

    https://www.venminder.com/blog/what-to-know-about-ssae-18-for-your-vendor-management

    https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2017/how-to-properly-review-and-act-upon-soc-reports

  • 3.  RE: Reviewing SOC Reports

    Posted 03-05-2020 09:54 AM
    We experienced a similar situation in our institution. Our SOC reviews were completed by InfoSec and tracked by vendor management. As we expanded our program to adequately review the number of reports coming in, we began experiencing backlogs. We took a risk-based approach and revised our process. Our vendor management worked with our information security team to develop a cyber security checklist, including thresholds for acceptable responses. Vendor management also studied up using a variety of resources (many of which are posted in another reply) to become very familiar with SOC reports and what to look for. This approach allowed vendor management to take over the SOC report reviews for less critical vendors, while critical or material providers all still go through information security like before. If, while completing the checklist, a response does not meet our expectations, we forward the information to information security for review and response. Our auditors and examiners have not had any concerns with this approach, and it has allowed us to keep pace with demand.

    We are also in the process of developing a checklist which is specific to SOC reports which we can implement going forward. It is designed to guide someone who may not be familiar with SOC audits, so they can quickly understand what to look for and efficiently document any issues. We hope it will help any future new hires or business sponsors who want or need to review those audits.


  • 4.  RE: Reviewing SOC Reports

    Posted 03-05-2020 10:14 AM
    We paired up with our IT Security Department. We send them our high-risk vendors' SOC reports for review, and we get results back within 3 days. If I have any concerns with any other SOCs that I review, I communicate that with IT and we discuss. It has been working pretty well.