AN INTRODUCTION TO THE “SOC FOR CYBERSECURITY” REPORT, presented at BSides Tampa 2018

by Michael Brown

Summary: Most people are familiar with SOC 2 reports. “SOC” stands for “System and Organization Controls” (formerly “Service Organization Controls”, and not Security Operations Center), and a SOC 2 report is an audit report covering security, availability, and related criteria, usually performed for data centers. SOC 1 and SOC 3 reports also exist. SOC 2 reports are produced by accountants, based on standards set down by the AICPA. The AICPA has now pushed further into cybersecurity, providing advisory and assurance services, and has released a new Cybersecurity Risk Management Program, described in a new guide for reporting on an organization’s cyber risk program, which some are calling “SOC for Cybersecurity”. What is this new “SOC for Cybersecurity”, and what impact will it have on us, good or bad? How qualified are CPAs, compared with cybersecurity professionals, to assess a cybersecurity program? We will take an overall look at this AICPA program, the components and criteria that make it up, and what the program actually does. At the end, participants will have a better understanding of it and be able to judge whether it would be of value to their organizations.