Service Organization Controls (SOC) Audits
What is the difference between a SOC 1 and SOC 2 audit?
In its simplest form, a SOC 1 is a report on controls at a service organization relevant to a user entity’s internal control over financial reporting.
A SOC 2 report is related to controls at a service organization relevant to the trust services criteria: security, availability, processing integrity, confidentiality, or privacy.
Do a SOC 1 and SOC 2 audit result in a certification?
No such certification exists. Officially, service organizations can only claim that they have been examined in accordance with SOC 1 or SOC 2 attestation standards and that the corresponding Service Organization Controls (SOC) 1 report should be read for further details. SOC 1 reports are “restricted use” reports intended only for existing customers and their auditors, and not for the general public.
How long does it take to complete a SOC 1 or SOC 2 audit?
This depends on how prepared and how many resources your organization must dedicate to the project. The first time through, usually a readiness assessment is performed, and then the Type I phase, which will typically take anywhere from 4 to 6 weeks. However, in situations where an organization does not have the resources or priority assigned, it may take 8 to 10 weeks. A Type II report takes about 8 to 12 weeks to complete, although it may take a little longer during the first audit but become more efficient every year thereafter.
How much does a SOC 1 or SOC 2 cost?
Fees are based on the time required by the auditors assigned to the engagement and consider the agreed-upon level of preparation and assistance from the company’s personnel. Fees will vary based on the number of control objectives and control activities within a service organization, whether the audit is a Type I or Type II, and the number of locations included in the audit scope. During the planning phase, you will work with an I.S. Partners representative to discuss your scope.
What qualifications does I.S. Partners have to perform SOC audits?
I.S. Partners, LLC is a Certified Public Accounting firm registered with the AICPA (American Institute of Certified Public Accountants) and PCAOB (Public Company Accounting Oversight Board), and is managed by a group of highly-seasoned partners who have vast experience in performing SOC audits, FISMA, HIPAA HITECH, Sarbanes-Oxley (Section 404) management self-assessments, Model Audit Rule compliance, and other specialized information technology audits.
What is the difference between a Type I audit and a Type II audit?
A Type I audit results in a report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specific date. A Type II audit is the same as a Type I audit but with a report on the operating effectiveness of the controls throughout a specified period of time.
What is the SOC audit process? What can I expect?
We typically approach SOC audits following this streamlined process:
- Control Design
- Gaps Identified
From start to finish, our audit team will work closely with your organization to ensure an anxiety-free experience.
How is a SOC 3 report different from a SOC 2 report?
Since SOC 2 and SOC 3 reports are governed by the same AICPA standards, the work performed by the service auditor for these two reports is very similar. Both reports are designed to address the AICPA trust service controls, so the controls identified and tested by the service auditor are typically the same for both reports. The key difference in these reports is in the actual report itself.
SOC 2 reports can be either a Type I or a Type II report, while a SOC 3 report is always a Type II and does not have the option for a Type I. Additionally, SOC 2 reports are restricted use reports, intended for the use of the service organization’s management, customers, and their customers’ auditors. SOC 3 reports, on the other hand, are general use reports that can be distributed freely by the service organization. This is because SOC 3 reports contain significantly less detail in the report itself.
According to the AICPA, a SOC 3 report is, “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.” Additionally, SOC 3 reports can be used by the service organization as an effective marketing tool demonstrating its credentials to prospective customers as well as existing clients.
NOTE: SOC 2 Type II attestation is required in order to receive a SOC 3 report.
Payment Card Information (PCI)
To whom does PCI apply?
PCI applies to ANY organization, service provider or merchant, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
What does the PCI DSS require?
The PCI DSS requires internal and external network penetration testing, as well as application-layer penetration testing, to find exploitable vulnerabilities.
At a high level, PCI DSS requires that you:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
PCI DSS requirement vary depending upon the organization’s transaction volume and the configuration of the PCI Environment. PCI may require the organization to complete an onsite assessment (Report on Compliance or ROC) by a Qualified Security Assessor (QSA) or may allow the organization to self-assess using a self-assessment questionnaire (SAQ). The organization may be required to conduct other security assessments in support of PCI Compliance such as External Penetration Testing, Internal Penetration Testing, and scanning performed by an approved scanning vendor (ASV).
What must penetration testing include?
A penetration test must include manual testing, performed by qualified individuals who can accurately emulate the activities of a malicious user attempting to compromise the cardholder environment.
Penetration testing in support of a PCI Assessment must include not only vulnerability scanning but also attempts to exploit the vulnerabilities identified. PCI may require External Penetration Testing, internal Penetration Testing, and external vulnerability scans by an approved scanning vendor (ASV). Internal penetration testing requires tests of network segmentation controls used to reduce the scope of the PCI Assessment.
What is PCI DSS?
Major credit card companies such as MasterCard, Visa, Discovery, American Express, and JCB International created the Payment Card Industry Security Standards Council (PCI SSC) to help companies globally with their security systems when transmitting, receiving, using and storing cardholder information. Get the full answer here
Are there compliance levels for PCI DSS?
Yes. Compliance levels for PCI DSS are based on the volume of credit card payment transactions that are made within a 12-month period. There are 4 merchant compliance levels defined by the Visa credit card brand.
Find out what the 4 levels of PCI DSS compliance are here.
Are there penalties for PCI non-compliance?
Yes. Based on the discretion of the credit card company, acquiring banks can be fined from $5,000 up to $100,000 per month. Banks may pass off this fine to the business or merchant as well as increase transaction fees for the business or terminate their business relationship.
What is PCI DSS v3.2.1?
PCI DSS v3.2.1 is the newest standard version that was introduced in 2018. It revised and changed several of the standard requirements that were a part of the original PCI DSS.
Read more about newest version of PCI DSS (v3.2) the here.
What is the Prioritized Approach in PCI DSS?
The Prioritized Approach provides a roadmap of compliance activities based on risk associated with storing, processing, and/or transmitting cardholder data. The roadmap helps to prioritize efforts to achieve compliance, establish milestones, lower the risk of cardholder data breaches sooner in the compliance process, and helps acquirers objectively measure compliance activities and risk reduction by merchants, service providers and others.
Read more about this approach here.
What are the PCI DSS v3.2.1 standards?
There are 12 requirements for PCI DSS v3.2.1 which are listed here.
Is PCI DSS Voluntary?
No. Any business that engages in credit card transactions must follow PCI DSS requirements to safeguard cardholder information
Does PCI DSS only apply to businesses that store credit card information?
No. Any business or merchant that accepts credit card payments, transmits cardholder data, processes transactions and/or stores cardholder information falls under PCI DSS requirements.
Can my business stay PCI DSS compliant if I use a single vendor and product, or if I outsource the card processing tasks?
No single vendor or product will cover all 12 PCI DSS requirements or meet several minimal standards. Instead, you should create a comprehensive security strategy that reaches PCI compliance and then use products and vendors that further complement your network system security to provide enhanced protection.
If you decide to outsource your credit card transactions, you will still need to meet PCI DSS compliance when transmitting cardholder data to the outsourced company. You also need to ensure that the outsourcing company you use meets PCI DSS compliance.
Should I choose the HITRUST CSF over other available frameworks (NIST, ISO, etc.)?
The HITRUST CSF includes and embodies requirements from various authoritative sources such as ISO, NIST, PCI DSS, HIPAA and others, and tailors the requirements to healthcare organizations based on specific organizational, system and regulatory risk factors. The level of integration and prescription in the framework, along with the quality and rigor of the HITRUST CSF Assurance Program and supporting HITRUST products and services, makes the HITRUST CSF the easy choice for healthcare organizations.
HITRUST CSF, HIPAA and Healthcare Compliance
How often do I need an updated report?
Given the positive fulfillment of the interim review requirement, where no breach has occurred and no significant changes have developed relating to the scoped control environment, HITRUST CSF reports with Certification are valid for two years. However, at the one-year anniversary of the Certification, I.S. Partners, LLC can perform your organization’s interim review by:
- Requesting your organization to update the scoping questions
- Reviewing the updated questionnaire for any changes to the original questionnaire
- Testing at least one control/statement in each domain
Reviewing the status of any Corrective Action Plan (CAP) from the original assessment to ensure that satisfactory progress/milestones are being met
How can my organization utilize the HITRUST CSF Framework for a SOC 2 report?
HITRUST and the American Institute of Certified Public Accountants (AICPA) have joined together to map HITRUST CSF controls to the Service Organization Controls (SOC) 2 Trust Principles and Criteria, specifically the Trust Services Principles of Security, Confidentiality and Availability. I.S. Partners, LLC, as both a CPA firm and a HITRUST CSF Assessor, can perform a SOC 2 audit leveraging the HITRUST CSF framework. If an organization requires both a SOC 2 and a HITRUST CSF Certification report, the two reports can be combined into a singular report.
What are the two different types of HITRUST CSF Assessments that HITRUST offers?
- A HITRUST CSF Self-Assessment allows an organization to conduct a review and assessment of its internal control environment using the standard methodology, requirements, and tools provided under the HITRUST CSF Assurance Program. The self-assessment option removes any potential barriers for organizations that lack the resources for an onsite assessment, but nonetheless must still implement data protection controls, maintain HIPAA/HITECH compliance, and report to external parties.
2. A HITRUST Validated Assessment is conducted by a HITRUST approved CSF Assessor, such as I.S. Partners, LLC. Using the HITRUST CSF Assurance methodology, an organization’s internal controls are scored accordingly. Assessments meeting or exceeding the current HITRUST CSF Assurance scoring requirements for certification will be indicated as “HITRUST CSF Certified” on the certification report from HITRUST.
Who is HITRUST?
HITRUST is a privately held corporation in the United States that has established the HITRUST CSF to be used by organizations that create, access, store or exchange sensitive information. In collaboration with public and private healthcare technology, privacy and information security leaders, HITRUST has become the leader in safeguarding health information systems and exchanges.
What is the advantage of becoming HITRUST CSF certified?
An organization that creates, accesses, stores or exchanges Protected Health Information (“PHI”) can use its HITRUST CSF Certification to demonstrate that they meet the high standards of security prescribed within the HITRUST CSF. Many companies now accept a HITRUST Certification as evidence of compliance, thus relieving them of the obligation to audit their vendors. Companies such as Highmark, Humana, United Health Group, HCSC and Anthem now require their vendors to undergo a HITRUST CSF assessment. The HITRUST CSF incorporates all major information security-related requirements and best practices and provides scalable cyber security measures based on different risks and exposures.
Is the HITRUST CSF similar to SOC report requirements?
A SOC 2 is a reporting format, while the HITRUST CSF is a security framework. A SOC 2 examination examines the internal controls at a service organization as they relate to one or more of the Trust Services Criteria of Security, Availability, Confidentiality, Processing Integrity and Privacy. Therefore, the SOC 2 reporting model and the HITRUST security framework are complementary since both are facilitated through the efficient assessment and implementation of controls to satisfy the HITRUST CSF.
What is the HITRUST CSF Certification process like?
As HITRUST CSF Assessors, I.S. Partners, LLC will perform a HITRUST CSF readiness, certification, and remediation services for healthcare organizations and their business associates to assess compliance with industry security requirements and standards and create solutions that help organizations align with the HITRUST CSF. If your company requires both a HITRUST CSF Certification and a SOC 2 report, I.S. Partners can leverage the efficiencies between both sets of requirements, thus lowering the time and expense of effective risk management.
What’s the difference between HITRUST CSF and HIPAA?
HITRUST CSF and HIPAA assessments both aim to safeguard healthcare information and Electronic Protected Health Information (“EPHI”). However, both standards offer a different approach for different organizations.
HIPAA was originally meant to be utilized for a wide range of organizations, resulting in a vague and subjective list of requirements to be HIPAA compliant. The HIPAA Security Rule allows for certain specifications to be only “addressable” while others are “required.” There is no official designation of HIPAA compliance.
HITRUST CSF assessments and certifications are organized around the specific risk of a certain organization. HITRUST CSF assessments also allow for a comprehensive approach toward information security as it considers compliance with other regulations. A HITRUST CSF assessment is an efficient and risk-based approach to information security because it draws upon existing frameworks, standards, and current regulations.