Chapter 6 – Responsibilities in the Cloud Flashcards
What are SOC reports?
SOC (Service Organization Control) reports are audit reports defined by the AICPA under its SSAE attestation standards (originally SSAE 16, now SSAE 18, the successor to SAS 70). They are widely accepted for regulatory purposes and are most often used to demonstrate SOX compliance, which is the requirement they were created to serve.
What is SOC 1?
SOC 1 reports cover the controls at a service organization that are relevant to its customers' internal control over financial reporting (ICFR); they say nothing about security in general. SOC 1 (like SOC 2) comes in two subclasses, Type 1 and Type 2.
What is SOC 2?
A SOC 2 report audits an organization's controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is always in scope; the other four criteria are included only if the organization chooses them, so check which criteria a given report actually covers.
What is Type 1 in SOC reports?
A Type 1 report examines only the design of the controls as they exist at a single point in time; it does not test whether they were implemented, maintained, or operated effectively. It therefore offers little assurance about an organization's actual security or trustworthiness.
What is Type 2 in SOC reports?
A Type 2 report tests both the design and the operating effectiveness of the controls over a review period (typically 6 to 12 months), so it gives a true assessment of an organization's security posture. Because it is extremely detailed, including the auditor's test procedures and results, it is usually shared only under an NDA.
What is SOC 3?
SOC 3 reports are general-use reports designed to be shared with the public; they serve as a 'seal of approval'. They contain no details about the controls or test results, only management's assertion and the auditor's opinion that the audit was conducted and passed.