

Episode #91 - How to Prepare for Your SOC 2 Audit (Part 1)

Planning to go through your very first SOC 2 audit? If so, this series will be a binge-worthy and enlightening adventure! This week, the guys walk you through the first few SOC 2 audit requirements with a step-by-step approach. They share what your auditor will be looking for, tips to prepare, and the pitfalls that might catch you off guard.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!


Forthcoming SEC rules will trigger ‘tectonic shift’ in how corporate boards treat cybersecurity

Attackers leverage lures around new HR policies for 2023 to steal credentials

Reported Data Breaches in US Reach Near-Record Highs

GoTo revealed that threat actors stole customers’ backups and encryption key for some of them

Ticketmaster Blames Bots in Taylor Swift 'Eras' Tour Debacle

TSA No-Fly List Snafu Highlights Risk of Keeping Sensitive Data in Dev Environments

Microsoft to Block Excel Add-ins to Stop Office Exploits

FBI pins $100M crypto theft from 2022 on North Korean threat group

VMware warns of critical code execution bugs in vRealize Log Insight

Microsoft 365 Cloud Service Outage Disrupts Users Worldwide

Apple delivers belated zero-day patch for iOS v12 (CVE-2022-42856)

Lessons Learned from the Windows Remote Desktop Honeypot Report

Ransomware access brokers use Google ads to breach your network


Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cybercriminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.
Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and we are starting the first episode taking a deep dive into SOC 2: SOC 2 audit, SOC 2 readiness. So we're going to talk about all the different controls, and there's a lot to unpack here. This is going to be binge-worthy Cyber Rants material, so clear your calendar and make sure you get this full series, because there's going to be a lot of great information here about how to prepare for your SOC 2 audits. With that being said, Mike, you want to kick us off with the news?

Some interesting things this week.
Forthcoming SEC rules will trigger a tectonic shift in how corporate boards treat cybersecurity. Under rules first proposed in 2022 but expected to be finalized as soon as April 2023, publicly traded companies that determine a cyber incident has become material, meaning it could have a significant impact on the business, must disclose details to the SEC and investors within four days. That requirement would also apply when a series of previously undisclosed, individually immaterial cybersecurity incidents have become material in the aggregate. I'm not sure how that's going to work out for the industry, but it's at least an effort. It's more to protect stockholders, I think, than anything else.
Attackers leverage lures around new HR policies for 2023 to steal credentials. We're all getting those emails about "this is your new benefits," etc. Researchers on Thursday reported on multiple campaigns that they have stopped, in which threat actors use HR policy announcements and benefits updates to start off 2023 to lure victims and steal employees' credentials. In a blog post, Abnormal Security's intelligence group suggests that, just like threat actors use the holidays or notable global events to add relevant content to their attacks, they have shifted to the beginning-of-the-year policy changes at corporations. Most successful attacks incorporate themes that make a target feel personally impacted by the message. These attacks also use direct and specific requests for the employee to complete, instead of merely mentioning that employee benefits have been updated. Both of these attacks specifically ask for swift action: review a document and electronically sign to acknowledge having seen the updates.
Reported data breaches in the US reach near-record highs. In 2022, US organizations issued 1,802 data breach notifications, reporting the exposure of records or personal information of more than 400 million individuals, according to the Identity Theft Resource Center. The figure is just sixty breaches shy of the 1,862 breaches in the US that the ITRC counted in 2021. Based on the breach reports, the attributes most often exposed were victims' names, Social Security numbers, birthdays, current home address, driver's license or state ID numbers, medical details, and bank account numbers.
GoTo revealed that threat actors stole customers' backups and the encryption key for some of them. GoTo, formerly LogMeIn, is a flexible work provider of software as a service and cloud-based remote work tools for collaboration and IT management. The company is warning customers that threat actors breached a development environment in November '22 and stole encrypted backups and an encryption key. The security breach was disclosed in November '22, but at the time the company was not able to determine the impact on its customers' data. Now the investigation has revealed that threat actors were able to access customer data. Just a side note, I gotta finish the story in a second, but don't keep customer data, especially regulated data, in your dev. "Our investigation to date has determined that the threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor [exfiltrated] an encryption key for a portion of the encrypted backups," according to the company. The attackers were able to steal encrypted backup data related to Central and Pro products from a third-party cloud storage.
For all you Taylor Swift fans, I know this is gonna be deeply important to you: Ticketmaster blames bots in the Taylor Swift Eras tour debacle. This week, executives from Ticketmaster parent Live Nation testified in Senate Judiciary Committee hearings. That testimony went on to say that Ticketmaster received triple the amount of bot traffic that it has ever experienced, with bots both attempting to purchase tickets as well as breach the ticket sales servers for access codes. "While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales," according to the company, which added that the difference in this instance is that instead of bots attempting to beat humans to tickets, they were also attacking the system itself. You know, haters gotta hate, right?
TSA no-fly list snafu highlights risk of keeping sensitive data in dev environments. That's sort of a recurring theme. A recent incident where a hacker found a list of 1.5 million individuals on TSA's no-fly list, housed in a text file named nofly.csv sitting unprotected on an internet-exposed server, has highlighted once again the risky practice of using production data and sensitive information in development environments. A Swiss hacker recently discovered the TSA list on a Jenkins open source automation server belonging to CommuteAir, an Ohio-based airline company that supports United Airlines operations on regional flights. Per the Daily Dot, the first report on the incident, the hacker said she found the no-fly list while searching for internet-exposed Jenkins servers using Shodan, and notified the company of the issue. Don't keep data, critical data, in your dev environment. We have to hail the TSA's sophistication of keeping a no-fly zone in a CSV file. Yes, I know, the federal government gives me a warm fuzzy every time.
Microsoft is blocking Excel add-ins to stop Office exploits. The FBI did pin a $100 million crypto theft from 2022 on a North Korean threat group; it's a pretty interesting story. VMware has more critical code execution bugs in vRealize. There was a Microsoft 365 cloud outage, I'm sure all of you saw that. Apple has a zero-day that they finally patched. There's an interesting story called "Lessons Learned from the Windows Remote Desktop Honeypot"; it's kind of interesting. And then ransomware access brokers will use Google ads to breach your network. So a lot of interesting things going on, but nothing quite as interesting as Lauro's corner. Lauro?
Mike, thank you so much for the news, and welcome to my small corner of the cybersecurity internet space. Today I want to talk to everybody about taming your technologies. Yes, they do need to be tamed, much like a wild tiger, especially if you've got a Windows machine. Not that Mac or Apple has been any better about the background applications that are happening today on our modern computers. We try to go out and do our daily activities, but I think it's good to keep in mind that these computing devices need to be managed by humans.

So first things first: wireless and Bluetooth are, you know, radio beaconing technologies that are operating all the time, whether you're using them or not. So if you're plugged in, if you're still, you know, like Mike, and you're on a desktop from 1987, you've probably got a giant cable plugged in the back of it that you can unplug and rest assured at night that your computer is not plugged into the internet of things. However, like you would drive home, pull into your garage, leave the garage door open, and walk in to have a cup of coffee in the disbelief that the roads have somehow disappeared since you pulled into your driveway, the same is in effect with these technologies. So if you're not using wireless, it's a good idea to just turn it off, even if you're done with your activities for the day. At the end of the day, when you're done doing your work or your school, just go right up there and turn off your AirPort utility and make sure that that wireless network is now disabled. That'll keep your computer from doing, well, whatever it might be doing in the middle of the night, just like closing your garage door will make sure that your car stays in the garage and doesn't go running down the street and get groceries for you. Maybe in the new-gen Tesla that might be a thing. But Bluetooth is the same thing: if you're not using your Bluetooth devices, go and turn that off. If you've got Bluetooth mice or you're using other utilities, it might be harder to do that, but just remember that those activities are happening in the background.
Which brings me to the most heinous of all crimes of technology that most humans do, and that is keeping a multitude of tabs opened up in your web browser. So I want to talk about that for a minute. If you don't realize, like some of my close family and friends don't realize when I go to use their phone or ask to borrow their phone, because I'm not gonna search up illicit material on my Silent Sector phone, I would never do that, but I will borrow your phone, and I will certainly chastise you for having five hundred thousand web pages still open from last year. So if you're not familiar with this feature in your mobile devices, and this doesn't matter if you're on a tablet or a phone, you wanna go in there and make sure you've got those closed. So if you're using an Apple device, it's pretty easy. You're gonna use Safari, and if you open up Safari, you look down on the bottom right, you'll see a small blue icon, and what it is is two small squares. They're called pages. So the squares on top of each other is supposed to be a relic icon from a time where we still killed trees and put things on paper. Anyways, if you click that icon of the two squares, you'll open up your tabs page, and you'll see the detriment that you've done to your phone. If you're wondering why it's not checking email or it's slow, this could be why. So on your Apple devices, click the two squares, close all of your tabs, please.
Now, if you happen to be using a Droid phone, the icon, I believe, looks like a poo icon. I'm joking, I'm joking. In all fairness, I can't help you with Droids. If you have a Droid, you need to throw it in the trash and go buy an Apple device. Okay, I'm still joking. I understand that many of you work for companies who just can't afford to shell out the money for an Apple device, so here you are, stuck on a Samsung phone. If you happen to be stuck on a Galaxy or anything other than an Apple device, you're probably using Google or a similar browser on that device. It's a little different, but you'll see something similar: in the bottom corner you'll have the same two squares. Strangely enough, they're trying to copy it; it looks similar to Apple, I wonder why. You'll click that, but then you'll get a different menu. You'll see three dots at the top of your screen; click on those three dots, and that'll tell you that you can close all of your tabs. So be mindful that these things don't go away. Just because you pull your car in the garage doesn't mean the street's no longer there anymore and people can't come up and spray paint your garage door. So make sure that with these devices you're managing those things, you're taming them, you're disabling your signals when you're not using them, and you're managing all of the extra web pages that you've opened up. And it's probably a good idea, because if Mom finds out that you are looking for a place to live, and she expects you to stay in the basement until you're forty, you're gonna be in trouble, and you might not be getting any pizza this week, or Mountain Dew. So keep that in mind.
I'm excited to be talking about SOC 2, because you need two socks when you go outside, right, Zach? You can't just wear one sock; the other foot feels strange in your shoe.

Well, there's a point, but there is a SOC 1 and a SOC 3 as well, so it depends. To each their own.

Where do you put the third sock? That's what I want to know.

Use your imagination on that one. But we will unveil all of this in our new series here on SOC 2 readiness, which is a critical set of information for a lot of organizations out there, especially if you're a SaaS company serving large enterprise customers. Guess what they're probably going to be asking you for, if they haven't already? That's right, the SOC 2, and probably a SOC 2 Type 2. So we'll talk about all that stuff here shortly, after a quick commercial break.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.
All right, we are back with the Cyber Rants podcast. We are kicking off our SOC 2 readiness series, and the way we're going to do that is go through the control set for the Security trust services criteria. Now, SOC 2 audits have multiple types of criteria which you can be audited against, but for the purposes of this series we are going to focus on the Security trust services criteria. All of your SOC 2 audits are going to have this as the basis. They may add Availability and Confidentiality or Privacy; all of that can be added later on. But our recommendation, if this is your first SOC 2 audit and you're preparing for the first time: start with the Security trust services criteria. You can always add others down the road. So we're going to focus on that and talk through the various controls, what they mean, how to implement them, and so on. With that being said, Mike, is there anything I've missed or anything you'd like to say before we dive into the individual controls themselves?
Yeah, there's two key things that you need to keep in mind about the SOC 2. It is not a one hundred percent technical review. This is the AICPA, which is an accounting organization, so they're asking about your business as a whole; it's not just technology. And that's one of the biggest mistakes that a lot of people make, or misunderstandings that they have, is, you know, we go to set up a SOC 2 prep and all we have is tech people, and it's like, what? You can't answer half those questions. So keep that in mind: it's for the whole company. They're accountants; they want to know things that IT people don't care about. Two: all auditors are different. So what Silent Sector is going to do is give you an overview of what we did with a subsidiary of ours called Keystone Audit when we were doing SOC 2 audits: the type of things that we would ask for, the prep that we would recommend, which works in about eighty-five to ninety percent of audits. But every auditor is different, so there's no guarantee that, you know, what we say is gonna be a hundred percent what they're gonna ask for. So that, and, as with all auditors, there's very differing degrees of technology savvy in the auditors. I had one SOC 2 auditor once ask me about software, and I said, "Have you ever installed software?" and he said no. So you are dealing with those people. They're also not infallible, nor are they Batman or Darth Vader. So with that, Zach.
I'd like to add that we are actually speaking here with a recovering SOC 2 auditor, Mike Rotondo, so he has been through the battles. He has seen these things. Luckily, he does have a technical background, and certainly not all auditors are equal in their knowledge. But Mike and Lauro both have done a tremendous amount of work with many, many, many companies, in not only preparing for SOC 2 audits but actually auditing as well, so we can speak to both sides of the equation. So our goal through all this is to give you an unbiased opinion on all of these controls: what auditors are looking for, or should be looking for, what you're likely to come up against, and how to put those things in place. Right, that's ultimately what it's about, getting those controls set up in your organization. And Mike, like you said, I think a lot of people are going to be surprised through these first few COSO principles and the requirements that, wow, this isn't just IT and technology.

So yeah, it's designed for bigger companies too. That's the thing, is we've had to tailor it, because we've done SOC 2 prep for companies that are seven people, and you'll see there's a lot of things in here that are like, do not pertain; you don't even have the staff for some of the stuff they're asking for. So yeah.

Does that mean it's not possible for them to get a SOC 2 audit, though? Not at all. You can still do it, but where it says about your board of directors, it could be Mom and Dad, you know. So there you go.

Yeah, Lauro, anything to add before we dive into the individual controls?

No, just, listeners, be mindful that Mike is a recovering SOC 2 Type 2 auditor, and he does have PTSD from these trials.

But I haven't started drinking yet, so that's good.

That's good, because it's nine in the morning, but hey.

Yeah, but it's still SOC 2.

That's okay, SOC 2; I'll grab that.

Yeah, any time you're dealing with SOC 2, it's okay to have a glass of scotch or something else in your hand.

Exactly. Don't be surprised if through this series there's a little bit of anger, rage that comes out. It's natural, and it's okay to feel that way as well while you're listening. So we're all in this together. So, well, let's dive in to SOC 2, and let's look at this also from what really counts, which is the SOC 2 Type 2 approach. Right, we're not just talking about checking a block, but actually putting controls in place that are going to last, that are going to be ongoing for the organization. If you're not familiar with SOC 2, think of it like this: SOC 2 Type 1 is a point-in-time assessment. Do the controls exist? Are they there? And SOC 2 Type 2 is not only do they exist, but are they functioning over a set period of time? Three, six, nine, or twelve months typically are the types of audit intervals you might see out there. So, that being said, Mike, why don't you kick us off, and let's start digging in here.
All right, so for COSO principle one, the control environment, they want: the entity demonstrates a commitment to integrity and ethical values. Most IT people are like, okay, how do I do that? What system is that? What registry key in Windows is that? Exactly. IDS? No. So what they're saying is, set the tone at the top. The board of directors and management at all levels demonstrate through their directives, actions, and behaviors the importance of integrity and ethical values to support the functioning of systems of internal control. What they're really looking for is a code of business conduct, right? This is gonna go back to your employee handbook. This is gonna be, you know, "We at Widgets Incorporated do not allow stealing, pornography, you know, verbal abuse, bullying, blah blah blah. At our company we don't steal, we don't lie," you know, that kind of thing.

So unless you use Windows.

Yeah, there you go. And then what you want is a code of conduct which says that the user has read this, signed it, and said, "I understand it." This cuts from two edges. A, you want this for your company because you want to be an ethical company with integrity. You also want to be able to cover yourself in case some employee does something stupid and violates that, that causes damage to the company: you've got a throat to choke or someone to sue. One of the additional ones in this is "evaluates adherence to standards of conduct": processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct. What they're really looking for is a policy governing the requirements of background checks for employees, and an example of an employee background check. So you're gonna need to engage your HR department for this first one, and there's just no way around it. So yeah.

Disciplinary actions in there too, I believe.

Yeah, you know, if you have, like, a disciplinary sheet where, you know, you give second and third chances, or you have a continual improvement plan or something equivalent for employees.

Yeah, and they have to treat everybody equally. And, you know, we've dealt with some small companies, and it's like, well, the employees I like get three weeks of vacation; the employees I don't like get two weeks of vacation. Well, you can't do that. So make sure they know the beatings will continue until morale improves.

Exactly. Thank you, may I have another.
COSO principle 1.2, or actually principle 2, is that the board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. You may be sitting there going, I got twelve people in my company; I don't have a board of directors. What do I do? Well, you work from your corporate documents, like how you're structured, what you're looking at, and generally you can substitute board of directors for senior management or stakeholders or business development. But whoever you designate, whoever the decision makers in the company are, it may just be one person, it may be four people, but you need to identify those. Someone else want to take one, or you want me to keep going?

No, that's good. I guess just to talk more about that, you know, as far as principle two, it also is going to include, you know, not only looking at that independence of review, but also making sure that you have the right expertise to do the job right. So this goes back, like, if you're Widgets and Whatever and you've got one developer, you know, that's a big deal. You need skills for maybe an Oracle database or skills for, you know, some sort of a cloud-based solution. You have to have a process to evaluate what you need from a technical perspective and be able to articulate that as a business risk, like, hey, we don't have the expertise for SQL and we're gonna need to move our application to this because it's going to increase, you know, capability and speed and all of that sort of thing.
Yeah, which leads us to CC1.3.2, which is under COSO principle three, which is job descriptions for all your positions. And that's, you know, one of those things that you want to be aware of, is that you need to have a firm description as it pertains to security but also your critical production data. Yeah. So, and then there's, you know, "management establishes, with board oversight, structures, reporting lines." That's basically an org chart, real simple. CC1.4: the entity demonstrates commitment to attract, develop, and retain competent individuals in alignment with objectives. So this goes back to, Lauro, you're talking about the employee evaluation policy. You want an example of an employee evaluation, an employee evaluation schedule. Now, one key thing to remember is, unless it occurs during the audit, it's not admissible as evidence. So if you're doing a twelve-month audit, you're gonna have some of this, most likely; hopefully your company's growing and you can have some of this happen. If you're doing a three-month audit and you don't hire anybody during that three-month period, you don't have any evidence to provide other than the policy. And then you also determine your risk there. There are some companies that we deal with that don't do background checks for criminal activity; they only do it for employment or, you know, other things. But, you know, you're determining what risk you're willing to accept. But when you don't do it for the criminal piece, you get, like, we had one of our clients who didn't do a background check on their CFO, who turned out to be a felon using an alias. So, you know, things happen.

Yeah, definitely CFO and not the CIO, right?

Yeah, yeah, yeah. Or the CEO or any other.

Oh, I'm joking, of course. You know, dealing with all the money, you had all the financial oversight. That's a pretty bad move.

Oh, I could smell the facetiousness. You put it on real thick there.

Exactly, you appreciate it. Put it on, spread it on.

Just money, just money.
But, you know, this whole first section really, Mike, is like the HR department and everything that a fully functioning HR department should be doing, even if it's one person, or a half of a person that's doing another job. Like, this is it, though; it's still got to be there, right?

Oh yeah, yeah. And then that's again the, you know, misnomer, and that's the first meeting you have, and everybody, you know, you got four technical people on the call and it's like, well, I don't know, I don't know, I don't know. Well, the other thing is that you're dealing with some smaller companies, and smaller companies out there, if you are, audience, um, I'm sorry, emerging companies, not smaller, got to be politically correct: you haven't thought through a lot of this stuff, because it doesn't make you money. It's not the fire that you're putting out right now. But if you want a SOC 2, you have to think about it; you have to prep for it.
The entity demonstrates a commitment to attract, develop, and maintain competent individuals in line with objectives. This also pertains to your service providers, so you're going to want a service provider evaluation policy, which is a vendor management policy, either one. Retaining and developing individuals includes an employee training policy, and that's not just security training; that's investing in their career growth. It's not a requirement to do so, but it is highly recommended. You know, a couple grand for a class here and there. Now, the big thing we learned from Ed Vasko a couple weeks ago was that these companies were hesitant to invest in their talent, because they invest in their talent and then eighteen months later they'd jump for a higher salary. So the goal here is to retain your critical employees. So yeah, you can't have an opinion that you train them and they're gonna leave. That doesn't matter; you still have to have a plan of progression and an assurance they continue their skill set.

Well, I think we've seen through our careers, you can't be fatalistic about this. If you treat your people right, they're not gonna leave for an extra ten grand. I absolutely, I don't. So create that working environment. This is aside from the SOC 2, but create that working environment where people want to come to work, where they like their job, where they like the people. If you treat your people like garbage but pay for their training, guess what? They're gone.

So yeah, thanks for the beating. I'll take the training and leave.

Yeah, I've done that once or twice in my career.

Yeah, I think we were both escaped prisoners.

Got beat leaving.

Yeah, yeah, leaving previous locations. So yeah, we know all about the big sticks and no love.

Somebody get these guys a certification course on a foosball table, quick.

Yes, exactly. Beers at four o'clock, margarita machine, and ping pong.
By the way, a total aside: have you seen some of the Google TikTok videos of people, "This was my job," and now they're unemployed? And it's like, yeah, I go to the kitchen, I grab gourmet food out of the refrigerator, I go to the masseuse, I do this, and it's like, big tech stuff. I wonder why they're unemployed now. What happened?

Yeah, maybe, well, it takes too long to get to your desk, you know, once you've got to walk across the campus and get your coffee, and they have to walk all the way to the other side to get the massage. And then, you know, the day got stuck on and I couldn't turn it off, and, you know, it's just one of those things.

Yeah, yeah, you know, I need to take a break. I get to do push-ups and then get back to work when I get more push-ups. Walk around my office, break up a cat fight. Yep.
So that's one of the critical things you're going to want to know about: the background checks. You're going to want to have documentation of how you're doing your third parties. COSO principle five: the entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. This is where you're gonna start looking at KPIs. You're gonna start looking at your employees; you're gonna start doing those employment reviews, and those sorts of things are gonna be important as you go forward. So section one really is your HR department, and it's all about your management and reporting structures and all that kind of fun stuff that we all love to deal with.

What's KPIs, Mike, for the listeners that might not be familiar with that?

Key performance indicators.

So, yeah, and these are just the items that you can use, and I guess there's a bunch of different guidelines on how to generate this for your employees, but they're essentially different indicators of performance or failure that they maintain. I remember I used to want to always be a three. Like, you never wanted to be a five, because once you got the five, you had to always stay a five. So it's a three, you know what I mean? Play the game.

Yeah, there's that one manager that says you want to stay off lists; not that you want to be on the good list, you want to be on the bad list; you just want to stay in the middle somewhere, and then nobody has ever asked you for anything. You just want to manage that, your directory structure, and nothing else.

Yep, and have your lunch from eleven to eleven thirty.
yeah i want to add something to about
a lot of people see "holds
individuals accountable" right
accountability is not a bad thing
it's not the same
a lot of people put accountability and punishment
and make them synonymous
and it's really not that at all
accountability is commitment to our goals
to our objectives
here it's talking about in terms of internal controls
but overall
you should frame it as an organization that
hey it's a good thing
because we're committing to our goals
we're committing to what we're gonna get done
so we can drive forward as a company
as in our own careers
all these things
so don't think
don't think of it
this is the same as punishment
they're two very different things
but unfortunately
often confused in the business environment
exactly exactly
now we're going to have a little technical stuff here
starting in CC2.1
the entity obtains or generates
and uses relevant quality information
to support the functioning of internal controls
so basically you're gonna set you
this is where you're gonna have your pen test
your security policies
your external and internal vulnerability scans
focus on your information security policy
network security policy
data security policy
change management policy
incident management policy
all these things are critical
to showing that you are using relevant
quality information and will
support the functioning of your internal controls
so this is where we're gonna start
bringing in technical teams again
a lot of companies don't have all of this stuff
but it's important
and one caveat and
and i think we're gonna talk about
pen test in a couple weeks too
is that i don't care who you get the pen test from
if you have something out there
get a pen test
you have an application
web app sas whatever
get a pen test
don't paste
i'll leave it at that
anyway CC2.2
is the entity internally communicates information
including objectives and responsibilities
for internal control
necessary to support
the functioning of internal controls
this is policy governing
acknowledgement of policies
it's your incident management policy
but most importantly
it's your board of director meeting minutes
or it's your senior management meeting minutes
which is, are they discussing security issues
at their meetings
at least quarterly
annually, biannually, whenever
security needs to be top of mind for these people
because that's where you get your budget from
to do your you know
to protect the company
for lack of a better word so
we're also going to want to see a customer and
third party policy
customer and third party policy acknowledgement
this is where we're going to want an NDA and an MSA
and most IT people
have no idea where those are and how to do it
customer and third party policy acknowledgement
security awareness policy procedures
so the NDAs, the third party policies
you're gonna talk to
whoever's in charge of your purchasing
or whoever's in charge of
you know procurement or hardware or whatever
and those are the main critical people
for this part of the SOC 2
so you can see we're bringing in multiple teams so
make it a party get everybody involved
have fun with it yeah
yeah so the entity communicates with external parties
regarding matters
affecting the functioning of internal controls
this is CC2.3
COSO principle fifteen
and this is going back
there's a lot of redundancy in SOC 2 by the way
as with most audits
this is where we're going to want
the incident management plan
the incident reporting plan
the board of directors meeting minutes
you're going to want example of third party contracts
you're going to want your privacy policy
all these policies are going to be required
some of that may require you to engage
your legal department
so those are all critical pieces
of the first two sections of SOC 2 yeah
risk registry items if you have them too if you
risk registries yeah
and then there's a big whole section on risk coming up
actually that's the next one
that's CC3, that one
so i was getting ahead of myself
sorry you were
did we want to keep going or we
i was gonna say this is a good natural stopping point
since we're coming up on time
we'll start off with three
CC3 next time by the way
COSO is Committee of Sponsoring Organizations
AICPA speak
don't ask me
i'm not a CPA
but if you were wondering what we're talking about
it's just basically how they're laid out by the AICPA
so they have the control categories
and the control numbers
and then they have the COSO principles
that those associate with which tie back into
AICPA's auditing principles and whatnot
so just wanted to throw that in there
with that being said
any final words of wisdom
SOC 2 related or just
just life purpose related
before we jump off here
i will make one comment as a SOC 2 auditor
former SOC 2 auditor thank god
heck, it's becoming a big deal
but unfortunately it's been diluted
the audit has for a lot of companies
there's a lot of turn and burn where they will
you pay the fee
they're going to create everything for you
and give you a SOC 2 audit certification
so be really careful in what firm you're dealing with
because there's some fly by night ones
that are out there so
that's it i mean
take this stuff seriously
but i mean i don't know i mean
i look at the SOC 2 audit versus the PCI audit and
you know honestly
i think the SOC 2 audit is a joke
so that's my own opinion
yeah it's kind of
it kind of lacks in some of the
technical sophistication required by other
by other you know frameworks
and you know
again i think
you know mike led with this earlier about
your auditors are all gonna be different
and some of them are not gonna be technical
so you have to
you kind of have to know
you have to kind of understand
and get a feel for the type of auditor you have
great example
i had and i'll make this quick
but i had an auditor
come out here to the country where i live
and he got a little lost
because it's hard to find my place
so saw him standing out there
you know by one of the fences
looking into one of the pastures
and so i kind of went up
was like hey
are you Teddy? he goes yeah
and i was like okay good
well you know
you just missed the house
and he goes it's okay
goes hey i have a question for you
how come that cow doesn't have any horns
so i looked
over to see what he was looking at
and i thought okay well
and i thought well
you know there's a
there's several different reasons why
cows don't have horns
some of them are not born with them
i was like but really
long story short
the reason that that cow doesn't have a horn
is because that's a horse
so keep in mind your audience
is going to be varying from the auditor perspective
and it's okay to disagree with them
and to drive them back into a line of reality
exactly was that a gentle
was that a gentle way to say
to say that mike
okay yeah that's a good way of saying it
like i said at the top it
they're not batman
they're not darth vader
they may then
i know they're not deadpool either
you know none of the above huh no
well they're just like anything that there's
you know they're not all equal
some are great and some have strong backgrounds
others not so much
so if you need help
trying to figure out an auditing firm or what's what
there's there is certainly a company that
that every day
and jamie's blood
but that said
i mean i think the SOC 2
yeah there's
we from the inside perspective
we see it's limitations
we see that
yeah it's kind of a become
you know almost a check the block activity
for a lot of organizations and
and some of the auditing firms out there
but what it comes down to is an asset to drive revenue
especially for tech companies
serving mid market or larger enterprises
really that's what it's about
getting that stamp of approval
keep in mind
you don't just do one SOC 2 audit
you do this every single year right
once that audit is expired
it's basically null and void
so your customers
if they're not asking for it already
are going to want an up to date audit every year
and the one that holds the most weight
is the SOC 2
Type 2 over a twelve month period
now there are all the different trust services criteria
but we never really see those requests
a lot of companies that we work with and we support
will go on to add additional trust services criteria
but a lot of them will just stick with the security
TSC indefinitely
and that seems to work just fine for them
so that's been the observation
as we do this quite a bit
and see a lot of different companies and scenarios here
so just wanted to share that with you
so if you're thinking
hey we got to do everything all at once
not the case
get your SOC 2 Type 2
you don't have
to do a Type 1
if you're not in a hard set
time crunch
to get some sort of report
just do a SOC 2
it's going to hold more weight
nobody really cares about the SOC 2
Type 1 after the first year right
so that's not going to be something you get
in the tempo of doing every year
it doesn't really
doesn't really
have the esteem that the Type 2 has from these
from these larger enterprises
so that's that's all i have
anything else before we jump off here no
you said it's a forever machine right
once you open it
it's it's open
can't believe this cat
yeah just like this
compliance and HIPAA compliance
and all other compliance
you need to keep doing it
you can't just stop
so well well
thanks for listening to the cyber rants podcast
hope you enjoyed this episode
be sure you rate it
you share it
you reach out
through linkedin
you can go to cyberrantspodcast.com where
whatever it is
there's lots of ways to get a hold of us
but let us know what you want to hear about
on future episodes
but for the next few episodes
we are going to talk about SOC 2
we're gonna take some breaks in there
depending on the progress we make
we'll talk about pen testing
so we'll kind of do those in parallel
and really get the information out about these core
objectives and these core requirements
that people are having
that create a lot of confusion
for organizations going through it for the first time
so we're here to help you with that
hope you enjoyed it
and we'll see you on the next episode
pick up your copy
of the Cyber Rants book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector.com
join us next time
for another edition of the cyber rants podcast