Overview
Joe Ciancimino, Director of Attest Services at IS Partners, joined James Treuting and Clayton Paplaczyk from cybersecurity firm Lumifi in a webinar to shed light on a common point of confusion in the cybersecurity world: the difference between SOC (System and Organization Controls) and SOC (Security Operations Center).
A Snapshot of SOC Audits
Ciancimino kicked things off by defining what SOC audits are, the different types — SOC 1 and SOC 2 — and their distinct objectives.
SOC 1 audits focus on controls relevant to a company's financial reporting, while SOC 2 audits evaluate controls related to security, availability, processing integrity, confidentiality and privacy using a dedicated AICPA framework.
While both SOC 1 and SOC 2 audits assess security controls, they differ in scope and purpose. SOC (System and Organization Controls) audits are performed by CPA firms like IS Partners to evaluate the internal controls of service organizations.
“SOC 1 engagements typically cover 50% business controls and 50% IT general controls,” explained Ciancimino. “SOC 2 engagements, on the other hand, are performed on a pre-dedicated framework from the AICPA to cover controls related to security, availability, processing integrity, confidentiality, and privacy.”
The type of SOC audit pursued depends on the service provided and customer requirements. Ciancimino gave the example of a claims processing company needing a SOC 1 audit to assure a health insurer that claims will be input, adjudicated and reconciled correctly. The same company may need a SOC 2 audit to demonstrate they will protect the personal data shared by the insurer.
SOC audits are not just about compliance; they are about assurance, about providing confidence to your clients that their data is handled securely.
SOC audits can be further classified as Type 1 or Type 2 based on the level of assurance provided. Type 1 audits assess the suitability of control design at a point in time, while Type 2 audits test the operating effectiveness of controls over a period of time, usually 6-12 months. Type 2 audits are more rigorous and often the end goal for service organizations.
“In a Type 1 assessment, we would request just one recent example of a background check completed for a new hire,” noted Ciancimino. “In a Type 2 assessment, we would randomly sample new hires over the audit period and select the employees we need to see background checks for.”
The Duality of SOC: Audit and Operations
James Treuting, regional director at Lumifi, and Clayton Paplaczyk, VP of infrastructure, then took over to explain how Lumifi’s SOC (Security Operations Center) complements SOC (System and Organization Controls) audits by ensuring continuous protection of their clients’ digital assets through real-time threat monitoring and response. Many clients, especially those with small IT teams, seek out Lumifi’s help after going through a SOC audit and realizing they lack the internal expertise and resources to maintain a strong security posture.
Our goal is helping organizations with smaller, security-centric IT teams by giving them the knowledge and information to immediately investigate and remediate threats. We provide that information at both a high level and a very deep level.
Through their Security Operations Center (SOC) and Managed Network Detection and Response (MNDR) services, Lumifi provides the expertise and security operations center tools to monitor client environments, including endpoint detection and response (EDR), security information and event management (SIEM), and network detection and response (NDR).
- EDR serves as a next-gen antivirus, identifying anomalous activity on endpoints.
- SIEM provides correlation by ingesting logs from multiple sources.
- NDR enables packet-level visibility into east-west traffic.
By combining these telemetry sources in its 24/7 SOC (Security Operations Center), Lumifi is able to swiftly detect, investigate and contain threats for its clients. The company also holds a SOC 2 Type 2 certification of its own, validating the security of its services.
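The three telemetry sources listed above are what the correlation layer of a SIEM works over: an EDR alert, an authentication log and a network flow alert mean little on their own, but the same host producing all three inside a few minutes is a different matter. The Python below is an added illustration written for this summary (not Lumifi's tooling): it ingests constructed EDR, authentication and NDR records, normalizes them to a common shape, and raises an incident when one host produces events from two or more sources inside a five-minute window. The record formats, host names, event names and the thresholds are all assumptions made for the example.

```python
"""Toy multi-source correlation in the style of a SIEM rule.
Added example; the telemetry below is constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Field names are assumptions for this example.
EDR_EVENTS = [  # endpoint agent alerts
    {"ts": "2024-03-01T10:02:10", "host": "ws-17", "event": "unexpected_child_process"},
    {"ts": "2024-03-01T10:40:00", "host": "ws-03", "event": "unsigned_binary_executed"},
]
AUTH_LOGS = [  # authentication records forwarded from the hosts
    {"ts": "2024-03-01T10:01:55", "host": "ws-17", "event": "logon_failure", "user": "jsmith"},
    {"ts": "2024-03-01T10:01:58", "host": "ws-17", "event": "logon_failure", "user": "jsmith"},
    {"ts": "2024-03-01T10:02:03", "host": "ws-17", "event": "logon_success", "user": "jsmith"},
    {"ts": "2024-03-01T12:00:00", "host": "ws-03", "event": "logon_success", "user": "admin"},
]
NDR_FLOWS = [  # east-west flow alerts from the network sensor
    {"ts": "2024-03-01T10:03:30", "host": "ws-17", "event": "new_smb_session", "dst": "fs-01"},
    {"ts": "2024-03-01T09:00:00", "host": "ws-22", "event": "new_smb_session", "dst": "fs-01"},
]


def normalize(source, records):
    """Map one source's records onto the common (ts, host, source, event) shape."""
    return [
        {
            "ts": datetime.fromisoformat(r["ts"]),
            "host": r["host"],
            "source": source,
            "event": r["event"],
        }
        for r in records
    ]


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group events by host, slide a time window over each host's timeline
    and raise one incident per host when the window holds events from at
    least `min_sources` distinct telemetry sources."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            # Everything at or after the anchor that falls inside the window.
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append(
                    {
                        "host": host,
                        "sources": sorted(sources),
                        "start": cluster[0]["ts"].isoformat(),
                        "end": cluster[-1]["ts"].isoformat(),
                        "events": [f"{e['source']}:{e['event']}" for e in cluster],
                        # More independent sources agreeing -> higher confidence.
                        "severity": "high" if len(sources) >= 3 else "medium",
                    }
                )
                break  # one incident per host keeps the toy output readable
    return incidents


def run_demo():
    """Normalize the three constructed feeds and correlate them."""
    events = (
        normalize("edr", EDR_EVENTS)
        + normalize("auth", AUTH_LOGS)
        + normalize("ndr", NDR_FLOWS)
    )
    return correlate(events)


if __name__ == "__main__":
    for inc in run_demo():
        print(f"[{inc['severity']}] {inc['host']} {inc['start']}..{inc['end']}")
        for ev in inc["events"]:
            print("   ", ev)
```

Only ws-17 is raised: its failed logons, the EDR process alert and the SMB flow all land inside one window, so three independent sources agree. ws-03 has an EDR alert and a logon, but eighty minutes apart, and ws-22 shows up in a single source only; each of those is an item for triage, not a correlated incident.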
“Majority of the time, when we’re speaking to organizations just starting their cybersecurity maturity roadmap, [EDR] is where we’ll be starting,” said Treuting. “It really gives you the best bang for your buck, gives us great visibility, and also gives us that action-taken capability.”
Technology and Assurance – A Complementary Relationship
Both Ciancimino and the Lumifi team highlighted the symbiotic relationship between SOC audits and the operational technology managed within SOCs (Security Operations Centers). This relationship emphasizes the dual layers of security—operational and evaluative—that organizations must navigate to ensure their data is protected.
For instance, while SOC audits provide a framework and periodic assurance through detailed reports, managed security operations centers offer ongoing monitoring and immediate threat response capabilities, which are vital for day-to-day security management.
Ciancimino clarified that while having a SOC (Security Operations Center) service in place can help with the audit process, it does not replace the need for a separate SOC audit conducted by a certified public accounting firm.
“Chances are, even though Lumifi may be working through your alerting, you may be providing the EDR services. Lumifi’s SOC 2 doesn’t include some of the processes and procedures in place at your company,” Ciancimino explained. “And that’s ultimately what the SOC 2 report is for. It’s for you.”
With the increasing reliance on outsourced service providers, SOC audits have become a business necessity in many industries. Understanding the differences between SOC 1 vs SOC 2 and Type 1 vs Type 2 reports is critical for both service organizations and user entities. As Lumifi’s services demonstrate, partnering with cybersecurity experts can provide the knowledge and capabilities needed to achieve SOC compliance.
Forward-Thinking Security Practices
Looking to the future, the integration of SOC audits and SOCs (Security Operations Centers) is likely to deepen, driven by the increasing sophistication of cyber threats and evolving regulatory requirements across global markets.
Companies that use SOC audits for compliance and security operations center services for security are better equipped to protect their data and sustain their business operations.
Q & A Session
The webinar concluded with a Q&A session, addressing topics such as the cost of SOC audits, the inclusion of penetration testing in SOC services, and protection against social engineering attacks. The questions below were asked by guests during the webinar.
Acknowledgments
Special thanks to James Treuting and Clayton Paplaczyk at Lumifi and our Director of Attest Services, Joe Ciancimino, for shedding light on these (often confusing) acronyms and taking the time to ensure that businesses are well-informed and prepared to tackle the cybersecurity and compliance challenges ahead.
About Lumifi & IS Partners
Lumifi, a leader in Managed Detection and Response (MDR) services, was founded by cybersecurity experts committed to innovation.
Their vision integrates AI assistance into MDR solutions, enhancing the capabilities of security teams. This strategic partnership between human expertise and AI ensures faster threat detection and more efficient incident response. Lumifi’s user-friendly and adaptable services empower organizations to proactively defend against emerging threats. With a focus on continuous improvement, Lumifi’s product roadmap outlines their dedication to evolving MDR services.
By embracing innovation, Lumifi positions itself as a partner in navigating the dynamic cybersecurity landscape. Their AI-enhanced MDR services offer cost-effective solutions tailored to the unique needs of each organization.
With Lumifi, organizations can allocate resources efficiently, strengthening their cybersecurity posture and staying ahead of emerging threats.
IS Partners provides end-to-end compliance and risk advisory solutions including SOC, PCI DSS, HITRUST and more using a streamlined audit solution model.
By integrating with automated software, I.S. Partners is able to deliver a quicker, more efficient process while…