Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cybercriminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host, Zach Fuller, joined by Lauro Chavez and Mike Rotondo, and we are diving into our second episode in the series about SOC 2 readiness, SOC 2 preparation. So we're going to go through the next COSO principles, the next controls required by SOC 2, here shortly. But first, we'll kick it off in the usual fashion with Mr. Mike Rotondo and news.
A new T-Mobile breach affects 37 million accounts. T-Mobile disclosed a breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with the FTC, or federal regulators, T-Mobile said an investigation determined that a bad actor was obtaining data through a single API without authorization and harvested subscriber data tied to approximately 37 million current customer accounts. T-Mobile's investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there's currently no evidence that a bad actor was able to breach or compromise our systems and/or our network. This is good news.
FTC hits firm with $1.5 million fine in health data sharing case, the first enforcement action under the fourteen-year-old FTC health data breach notification rule. The FTC has, for the first time, enforced its almost fourteen-year-old data breach notification rule. The commission on Wednesday smacked GoodRx, a telehealth and discount prescription drug provider, with a $1.5 million civil penalty for failing to disclose to consumers that it had shared their data with advertisers, including Facebook and Google. The FTC says GoodRx for years shared sensitive personal health information with third-party companies, contrary to its privacy promises, and also failed to report the unauthorized disclosures as required by the FTC's health breach notification rule.

Does anybody know if Facebook's HIPAA qualified?

I don't know.
US, Europol seize Hive ransomware servers and leak sites: "we hacked the hackers," according to them. A couple stories on this. US and international law enforcement authorities have taken action against the Hive ransomware group, including the seizure of US-based servers and the shutdown of at least two of the group's dark net sites. On 1/26, two of the group's sites on the dark web, used to communicate with and extort victims and leak data from non-paying businesses, were replaced with a notice indicating, in both English and Russian, that the site had been seized in an international law enforcement operation including the US Department of Justice, FBI, Secret Service, Germany, and other European countries. The FBI used a search warrant to seize two US-based Hive servers on January 11th this year, and disclosed that agents had actually infiltrated the ransomware group's network six months earlier, spending part of the time stealing over a thousand decryptors that they then quietly passed along to over three hundred victims and businesses.
Over 30,000 internet-exposed QNAP NAS hosts impacted by CVE-2022-27596. On January 30, Taiwanese vendor QNAP released QTS and QuTS hero firmware updates to address a critical vulnerability tracked as CVE-2022-27596. It has a CVSS score of 9.8 and affects QNAP NAS devices. A remote attacker can exploit the vulnerability to inject malicious code into the NAS devices. The flaw is easy to exploit without user interaction or privileges on the vulnerable device. "A vulnerability has been reported in QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code," reads the advisory by the Taiwanese vendor. They have fixed this vulnerability.
New Prilex POS malware evolves to target NFC-enabled credit cards. The threat actors behind the sophisticated point-of-sale malware Prilex have improved its capabilities to block contactless payment transactions. Researchers from Kaspersky discovered three new versions of the POS malware designed to target credit cards using NFC technology. A frequent question asked about this was whether Prilex was able to capture data coming from NFC-enabled credit cards. During a recent incident response for a customer hit by Prilex, we were able to uncover three new versions capable of blocking contactless payment transactions, which became very popular during the pandemic. It's a modular malware; Kaspersky believes it actually is the most advanced POS threat they have seen so far. The malware adopts a unique cryptographic scheme, doing real-time patching in target software, forcing protocol downgrades, manipulating cryptograms, doing ghost transactions, and performing credit card fraud even on smart cards using chip-and-PIN technologies. Malicious code is able to disable the contactless payment feature to force the user to insert the card into the PIN pad. None of that sounds very good to me.

So going back to, the writer is Kaspersky, right?

Yep. Russian.

Yeah, all cash.

It is, yes sir.
Discrepancies discovered in vulnerability severity ratings. This is a pretty interesting one. A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the NVD alone to make patch decisions. Analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000, or some 20 percent, had two severity scores: one score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases these two scores differed, making it hard for security engineers to know which one to trust. Approximately 56 percent, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of a moderate severity, NIST might have assessed it as severe. So that's not good. That's why we at Silent Sector recommend you actually check it out before you start patching and pulling your hair out.
Researcher receives a $27,000 bounty for 2FA-bypassing bug in Facebook and Instagram. It's an interesting story, just a headline. Why CISOs should care about brand impersonation scam sites: check that out. There is a story which is interesting to everybody: cyber insurance premium growth may slow. That would be good news for a whole lot of people. And then Cisco fixes bugs allowing backdoor persistence between reboots. So with that, I think we'll wander over to Lauro's Corner, where we can learn about and be good people. Lauro?
Thank you, Mike. It's always nice to be introduced into my corner. And while we're here, why don't we all sit criss-cross applesauce and talk about something that's on the tip of everybody's tongue lately: ChatGPT. So what is it? Well, there are enough videos out there to explain it in detail, so I'll just tell you that, unlike your buddy Phil's crypto investment consulting company, it's actually a meaningful and useful tool that can help you in everyday life with, believe it or not, everyday stuff. So it doesn't matter if you're a cook, cleaner, developer, or a new manager of said crypto consulting company (you know, Phil's place), you're probably gonna find more than a few good uses for this tool.

So what is it then? Well, again, there's a lot of videos that'll go into detail on this, but think of it as Siri or Cortana with a larger data brain. Here's the catch: you can't speak to it yet with your voice. Yeah, you gotta actually type on the keyboard, which might eliminate some of you who think that typing is an infantile practice left over from the boomer techverse. In any case, you may want to boot up Papa's old Pentium with a PS/2 mouse and keyboard cable, dial up the old ICQ, and strap on your best corded headset, because ChatGPT is definitely something you're gonna want to check out now, because it has over five hundred billion data sets, including programming languages like C#, Python, Rust, even PHP and PowerShell. And you boomers will be pleased to know that it does support COBOL, Fortran, and Perl, so you can pull out the old IBM 360 you told everyone you got as retirement gear from that job you worked at that one time and jack it into ChatGPT through OpenAI.

Now, enough with the techie jargon. What if I need a good pot roast recipe to bring to the potluck? You know, the one that I told everybody that I'd bring a pot roast or something to, but really I only know how to cook Vienna sausage out of the can, reheated with the barbecue sauce, or maybe some fried Spam sticks, if you're into that sort of thing. So I'm always a fan of checking out ChatGPT's options for a tasty pot roast that might feed four to twelve people. Well, with that said, remember that this tool is free right now. You can sign up for it at OpenAI, and it will give you all kinds of cool stuff, to not only laugh about from some of the responses that you'll get, but also hopefully to help you with everyday life. So when you call your nephew and you're asking about how to configure the iPhone to stop the caller IDs from showing up, and he's not answering because this is the fortieth time this week, ChatGPT, believe it or not, can actually help you with said problems. So with that, I think we need to step out of my corner and back into the multiverse that is SOC 2. Isn't that right, Zach?
That is right. And don't forget, while you're playing with ChatGPT, if your job is to protect your company, there is still ransomware out there. There still are all kinds of nefarious activities going on, so make sure that you're still doing your day-to-day duties, because it could be something you get sucked into. Am I right?
Well, I will say this: I've actually used its ability to understand programming languages like JavaScript to write new test alerts for DOM cross-site scripting. I've also used it to help me with basic things like injecting source images into an API using curl. So believe it or not, I've actually been using it to solve problems that I have as part of the pentesting work that we do and some of the research work that we do, in trying to help with some of the core languages that I'm not so good at. ChatGPT excels at that. So from a developer perspective, if you need to write a clever iframe or something, or you're trying to figure out why these arguments aren't taking, or what escape characters are going to work, ChatGPT is super helpful for that. So I don't want to distract everybody from their day jobs of protecting ye olde good country, but I would like to introduce ways that ChatGPT can help accelerate and assist us in our daily tasks. Not quite what it's up to yet, though. Almost.
Well, and then the flip side of that, though, is that there were a couple news stories a week or two ago about... they're using it to write malware. With the same thing that Lauro was doing to work on pentests or whatever, they're using the same thing to write polymorphic malware, so it will write payloads.

I can confirm that. I've had ChatGPT build me several working payloads in PowerShell and also in Rust. It'll do Python. It's actually even done some pretty clever phishing emails for me, without the jailbreak that people are talking about that you need to get it to do it. I didn't have the jailbreak at all. I just asked it to write me a phishing email, and it said sure. So it's pretty capable. And yes, like all things, the sword, the firearm, you know, the bad guys are going to use it for what they will too. So that's kind of why I wanted to spread the news, is that we can get a grip in a funny way, but we need to also leverage the new tool that's obviously being weaponized against us to be used to counter that weaponization and to help us be more prepared for the changes that are coming, and then also to help us with our daily jobs. And with pot roast recipes.
Yep, definitely. And that's no joke. I've got like four recipes just to try. I was just curious, out of getting bored looking at code, I was like, what else can it do? Pretty clever tool. So it will give you beer recipes. Not that I didn't put whiskey or anything in there, but that's on the list to do.

Well, definitely arm yourself with that tool, because the cybercriminals are as well. Not that AI is anything new; I think it's just getting more and more publicly available, and the amount of data that it's aggregating is just amazing. It blows my mind. But really, really cool stuff, so stay on top of that. But thank you, Lauro, for sharing. We are going to dive deep into SOC 2. We promised a binge-worthy series, so you can just go ahead and cancel your Netflix subscription, because this is it right here: SOC 2 audit. So it doesn't get more fun than this. We're gonna dive in after a quick commercial break.
Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.
And we're back. SOC 2 audits. So we are talking again... if you missed the first episode of this, we are specifically focused on the Security trust services criteria. There are multiple criteria from which you can be audited against, but Security is the core; that's the foundational one. So we're going to focus on that, because that's where most people start and that's where the requests are. So we're going to go through that. We went through CC1 and CC2; we're gonna go on to CC3, the risk assessment portion, and see how far we get, and then we'll pick it up again on the next episode. So who wants to kick us off on CC3.1.1, COSO Principle 6, and start diving into risk tolerance and other fun things?

Zach's making us do this. We were more interested in ChatGPT. Just want to throw that out there. Thank you.

We can ask ChatGPT. It doesn't answer things; it doesn't really do well in those types of arguments.

But yeah, this will be transcribed. This show will be transcribed, though, and it'll go into ChatGPT, and then it will do well.

It will, it will.

Well, the new Microsoft and the new Google will pick it up automatically and won't rely on the data set push like what happens with GPT anyways.

Let's stay away from that topic. SOC 2 is, you know, like you said, cancel your Netflix accounts; this is the new horror drama comedy of 2023. You know, depending on your environment, it is definitely a horror environment. If you're gonna run the fire drill of "oh crap, we're getting audited now, we gotta get everything together and we don't know how," then yeah, it will be a horror, as we've seen.

So yep, if you missed episode one, key point before Mike jumps in, just to remember that this encompasses the whole business, not just IT. And I know Mike hit on that in our first episode of the series, but yeah, can't harp on that enough. Like, this is gonna transcend your IT department. You're gonna have the finance guys, HR, legal; the whole business component is going to be audited in this series of controls. And every auditor is going to be different, so keep that in mind as well.
"The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives." Long story short, they want an internal risk assessment or an external assessment, either a third party or an internal, preferably a third party. That's CC3.1.1.

Let's talk about that for a second, because that risk assessment... I think some of the IT people are thinking that that's a pen test or something else, but that's not what that is at all, right?

Yeah, I know. It's the business risk assessment, so it's the entity as a whole, and IT is a big part of that, but there are other risks, right? There's financial, there's economic, there's environmental. You can drive yourself nuts. You can go to this website and take a look and see, and it'll show you all the different variables. But yes, it is an actual risk assessment.

Yeah, a real, in-depth, complete risk assessment, I'll say that. A complete risk assessment that would include things like building design in some cases, like if you bought that cheap land in New Orleans after the flood that one time.

I might add, too, I think it's important to point out: it complies with externally established frameworks. So it's not a risk assessment against just the SOC 2 controls. You gotta have a NIST or an ISO or a CIS or some framework. I think we harp about that once in a while throughout this podcast, but there's nothing to the madness, right? So don't just make it up as you go. The risk assessment should not just be on a proprietary "oh, this is what such and such company thinks you should have." That's not how it's gonna work.

Damn, no, not at all. And then some of the frameworks, good point Zach, and some of the frameworks, you're gonna have to add places for the business review and the financial review, impact review, that you'll have to do there. And finance and legal will have to help in assisting there, because they're gonna be the keys to the kingdom with that knowledge.

Yeah, I remember always, AICPA is the American something CPA, you know, certified public accountants. I don't know what the I stands for, but it's an accounting certification.

So yeah, that's why we don't know what the I is, because we don't care. That's not what we do. We leave that to accountants.

I think it's Association of International CPAs. I think that's really what I think it stands for. If you're a fan and an accountant, reach out.

American Institute of Certified Public Accountants.

It's the institute. Gentlemen, gentlemen. Goodness, institute. Sounds so formal. So, you know...
Formal risk. CC3.1.2 talks about... this is where we talk about the whole business. "Includes operations and financial performance goals: the organization reflects the desired level of operations and financial performance for the entity within operational objectives." So you're looking at your legal firms and your goal sets and your KPIs and what your factors are for success as a company, and are you setting goals, are you trying to grow? And so any artifacts that you come up with will benefit you there.

So yeah, and then just remember, some of the key components of the risk assessment are going to be... you'll have to document whether you're accepting the risk, deferring the risk to somebody else, trying to mitigate the risk, or if you're trying to resolve that risk. So those are going to be some of the items that they're going to look for, even in the financial risk spaces. So make sure that you consider those things.

You need to prove that you comply with applicable accounting standards. You know, do you have whatever that is? That is something... ask your CFO, you'll know. We have non-financial reporting objectives that need to be discussed, um, with externally established frameworks. That's "management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations." So if you're dealing with regulated data, like HIPAA data or something of that nature, you have to show that you are actually HIPAA compliant as well. We talk about internal reporting objectives; this is just some additional information for this that they may be asking for on its KPIs, okay, and that's key performance indicators.
COSO Principle 7: "The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how risks should be managed." So this one, we're looking for security team members, or as Lauro likes to talk about, the security council.

That's right. Um, no one person should be the whole security team.

No, you're just lonely in your corner.

You are, you are in your corner, lonely by yourself, coming up with things to talk about for the podcast, like ChatGPT.

Yeah, but no, it's true though. Not to kick up an old point, but you want to have other members of the business that are security aware. They don't need to be making decisions, really, or doing every daily task, but they need to be there as a sounding board to make sure that you're not doing insane things, like putting in DOS, things like that. So I mean, it's a good idea to always have leadership as part of the council, so I like to call it that.

There you go. If you have a round table, it's even cooler.

Exactly. Anyway, you're gonna need to be able to identify them. You're also gonna need to have, if you don't have, either team meeting minutes or agenda items or, at the very minimum, calendar invites to show that you're actually having these meetings. So remember, SOC 2 Type 2, you're proving you're doing these things, so you need to have evidence of some kind that you're actually doing them. So if you're kicking this off, what you should do for a SOC 2 Type 2 is you should start out with a prep or, a lot of people do this, a SOC 2 Type 1 as the prep. I prefer that you do a readiness assessment and then do the SOC 2 Type 2, and take a gentlemanly amount of time, six or twelve months, to get ready for the SOC 2 Type 2 audit, in which case you can start practicing these things and getting these things together, and then you are then ready to do this, and you're actually making yourself more secure in the process, as opposed to just doing it for the audit period. And the other thing is, this is a perpetual motion machine. You don't just do it once; this is every year. So keep that in mind.
3.2.2 is "analyzes internal and external factors": risk identification considers both internal and external factors and their impact on the achievement of objectives. That's again gonna be your security team members, your KPIs, your recurring security team tasks, your quarterly risk assessment. That can also include pen tests, but it's not the main component that we're looking for.
Now this one I always have an issue with: 3.2.3, which "involves appropriate levels of management: the entity puts into place effective risk assessment mechanisms that involve appropriate levels of management." That's not what I have a problem with. A lot of assessors are looking for your audit committee's review of the annual risk assessment, audit committee members, audit committees. Now, if you're a company of twenty-five people, I'm going out on a limb here and say you don't have an audit committee.

So I don't have a security council either.

But probably, maybe the security council can be part of the audit committee, or it can be one and the same, or it can be the same five people that make the decisions and review all the stuff together. And that's what you have to remember: you can't take all this literally. Remember, SOC 2 is made for big companies, right? It's not made for companies under fifty people.

So yeah, certainly not. No, you're not gonna have all the stuff, yeah. So you can still have a council, you can still have notes, right, to prove that you're at least understanding the risk, talking about the risk that you have. I guess the risk registry, I think I might have brought that up in the first video, but part of this is making sure that you have a place where you're maintaining your risks, right? Because whether they're business or IT related or financial related, they need to be accounted for and at least kept so that your assessor can look and know that you've at least had something. Saying you have nothing is probably not a great answer; they're gonna want something. Even if there is a risk register item that says "we reviewed everything from this year and there are no risks," at least you have a registry for things when there are risks. That demonstrates more proactive work than not having anything at all for them. So I don't know, Mike, how you feel about giving them...

Yeah, no, you do. And prepared, ideally, you want to review risks from a security perspective every 90 to 120 days. But with SOC 2, you define your own risk, so if you say we're okay with reviewing this every year, then you're okay with reviewing it every year. So that's important. But from my perspective, you should be reviewing those every 90 to 120 days, and there should be a close-out, you know, justification for not closing it out after that time. And so that's from a security perspective; that's the difference between the AICPA and doing a third-party assessment by Lauro or I or somebody else from Silent Sector.

So, "involves appropriate levels of management," yeah, this whole section, risk assessment, but yes. "Involves appropriate levels of management," basically you just want to make sure that management is aware of what's going on. If you're a level one guy and you see a risk, you don't want to keep it to yourself, right? You need to get it up to management so they know. Having that process of communications, I think, was the big thing too, is that, hey, this is the communications flow when risks are identified by lower team members on how to actually get it to the risk registry. If there's five of you, it's a simple thing, but if you're fifty people, you might only have one person or even a third party that might be involved in some of the risk activities or the cybersecurity activities that might find risks that would need... and then to get that to you so that you can put it on the register. So you need to probably be able to quantify that in the form of a process flow or something that says how that communication flows from the moment of risk identification.

Yeah, definitely, a nice little Visio diagram or flow chart or something like that.
3.2.4, "estimates significance of risks identified," talks about how risk is analyzed, with the process. You're gonna have your security monitoring examples; that's gonna be your IDS/IPS, it's gonna be your logging, it's gonna be whatever your monitoring alerts are, and then penetration tests. 3.2.5 is how to respond to risk. Then we're going to look at your data security policy, right? "Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk." So you look at your data security policy, you're gonna look at your risk, and you look at what your risk appetite is like: what is the criteria for you just simply accepting a risk versus you transferring it, avoiding it, or sharing it? You can never get rid of a hundred percent of risk; keep that in mind. You can buy insurance, but you still own the risk on that. You can go to a data center like AWS or Azure or what have you; you still own the risk of that application. You can transfer, and we'll talk about that in CC6, the physical security to the data center, but you still own the risk of the application. So always keep that in mind. Always.
I'll just read this under 3.2.5. This is the requirement, I think: "identifies and assesses criticality of information assets and identifies threats and vulnerabilities: the entity's risk identification and assessment process needs to include identifying information assets, including physical devices and systems, virtual devices, software, data, data flows" (big, big term there, right, for SOC 2, data flows), "external information systems" (those are your third parties and cloud stuff), "and organizational roles; assessing the criticality of those information assets" (right, so you need to have who's looking at this stuff); "and then identifying the threats to the assets from intentional, including malicious, and unintentional acts and environmental events; and identifying the vulnerabilities of the identified assets." So all that needs to be included in this risk assessment as part of 3.2. Yeah, that's a lot, right? I just want to kind of call that out, because it's one of the few places where SOC 2 offers a pretty concise list of what they're looking to get, and the techies are gonna understand and be like, oh wow, we need to do more scanning, exactly, wherever the case may be.

Yeah, no, that's a great point. Yeah, and they do say it very well there. So that's 3.2.6. So we're gonna move on now to 3.3. This is a big one. I think there's actually... okay, there's two more sections, so yeah, 3.3 and 3.4, and then we break into CC4 for the security trek.
"The entity considers the potential for fraud in assessing risks to the achievement of objectives." There's various types of fraud: the assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. This is way outside of your average IT risk, right? This is where your CFO is involved; this is where your asset management team is involved; that's where those sort of things... this isn't accounting; this is assets. This is all financial stuff. So yeah, the potential for fraud to happen is high. It's also part of the reason why Zach only gives us a credit card with like a $1,500 limit.

Yeah, you got $1,500? I got $500.

Five? Yeah, we gotta lower that. What do you need to spend $1,500 on?

I told you, I'm the tech guy. Some of the new stuff is kind of pricey these days.

Did you hear Mike's article about the NFC hacks? Make him run... that money's probably already gone.

Probably is. Thank God it's only $1,500.

It's a whole month's pay for me.

That's right, yeah, that's right.
um so three or three
two assesses
incentives and pressures
this is against
go back to your financial stuff
we're gonna talk about performance
and compensation evaluation programs
so this is the performance review of your employees in
you know and how they're compensated
is it fair is it too much
is it too little
you know that
that type of stuff that daughters want to see
that you're actually taking care of your people
and remember
this goes back up to principal one
where we talked about cc
one we talked about
are you hiring and attracting quality individuals
because all speaks to your frame of mind
of of people
if you just go and get the cheapest resource available
that's how you know
you wind up with some cfo
that's actually a felony felon
using their
you know fifth alias that wipes out your bank accounts
gotta be smart
yeah you do
and for i mean
and the types of fraud can happen in various places
and it even says that you know
on purpose or even via accident
um you know
something's just happened
i mean even one of my old bosses told me
he said laro
hiring you was like losing two of my best guys
but you know
nothing i did was on purpose
you know so they date
it was their job to account for
you know any of the accidental
you know items that might have occurred
so like that
in 3.3
it's your responsibility
to make sure that you're considering all types of fraud
that could occur in your type of business
all right 3.4.1
COSO principle nine
the entity identifies and assesses changes
that could significantly impact
the system of internal control
so this is basically
testing the control that you put in place
to make sure that they do what they're supposed to do
that you've
you're protecting the right resources
you're protecting
you're getting value for the income that you spent
or the money that you spent to protect the resource
and it's functioning as expected so
but you also have to consider the changes
to the regulatory economic
and physical environment in which the entity operates
and that's something you have to keep in mind
that this is again
outside the realm of it
so this is where
you know you're gonna look for the audit committee notes
or the senior management notes
or the board notes
or you know
the three of you sitting in a cafeteria
having a cup of coffee notes
on an afternoon
red lipstick
exactly exactly
so this is oh go ahead
no i was gonna say it's necessary
it's got to be communicated
to management and
and so that
that's really the key point
is everything has to flow up
so yeah and i think a lot of the
you know i like to
in these areas
i like to point back to
just kind of base architecture for the it guys
and then it even says
assess changes in the business model
so again like mike said
this is beyond the it
so anytime the business is going to make a strategic
move to start doing something else
like you know
they're already doing a million things
and now they want to start
offering cyber security services
there should be some form of internal
assessment that identifies if that's going to impact
internal control
or impact the business in a negative manner
by going forward
both financially
and then also from a technical risk perspective
so keep that in mind
is it again
can't harp on that enough this
some of these items are going to transcend the it realm
and bleed over into the business and the finance area
accounting yep
yep and then again this is going to talk about
you're gonna want to have a security risk assessment
policy and the procedure for that
so you're gonna want to have policy and procedure
around risk for it
risk for the company
and that needs to be documented as well so
and that's the end of three now
i think we're getting pretty close to time
aren't we zach
we are we are yeah
i say we wrap it up
and that was a good overview of everything
i had one question for you guys
the people that are listening that maybe are that
twenty five person company or thirty person company
and they have a client that says hey
we need a SOC 2
and you know
at least started within the next twelve months
being that there is a lot of detail here
there are a lot of controls to put in place
high level recommendations any
any high level words of wisdom or advice
for those companies in that situation
smaller businesses especially
do a readiness assessment
get the readiness assessment
get an evaluation
take about eight weeks to get that evaluation done
and then spend the next twelve months doing the prep
and then start your audit
so that's my recommendation
i'll echo what mike says
you know a SOC
type 1 is a lot like
going and taking a test without studying
and you're gonna end up doing the type two because
you're gonna need to put all the work in to study
so you might as well skip the price on one
do the readiness assessment
and get ready for the type two
in twelve months yeah
makes sense, now if you need one sooner than that you just
a lot of companies are like oh yeah we're gonna
we want to start it in six months
and it's like
that's not even possible with what you have you know
that's why you need to have the assessment first
and that's and that's really key
now there are three month audits out there
six months out there, nine months out
it's out there
but i still think
and just kind of a little said
take the twelve months to get ready
that's what you need
right on take the time
but also if you are already proactive in cyber security
and following a major recognized framework
you might be further ahead in the game than you think
right so maybe
maybe you already have a lot of these controls in place
and it's just a matter of mapping them over to the SOC 2
requirements
so it's not the end of the world
get professional support and guidance
maybe some counseling you know
but that that's
that's what we're here for
shameless plug
but um well thank you
this i was gonna say that
there's the SOC 2 minutiae that you're gonna miss
if you're if you're really proactive with cybersecurity
that'll be great
you'll hit like sixty five percent
it's the minutia you need
like the audit notes and the steering committee notes
and those kind of things that you haven't gone and done
the non it things so
that's what you need to focus on so
you know that will shorten your
your runway to get to starting that audit
yeah go ahead and
go ahead and get that onboarding checklist done
i know you've been thinking about it
driving your tesla
criss cross applesauce
letting autopilot take you down the five
look it's time
it's time to build that onboarding process
and checklist
make sure you got all the stuff on it
because you're gonna get asked
yeah today's the day
no day like today
get started
get going yeah
and i think the
the benefit here
for those listening
that are going through this for the first time
leadership of the organization likes to make more money
and wants to get more customers
and SOC 2 is a great marketing piece
to help you land enterprise contracts
so make sure they understand the
revenue generation component and benefits of it well
and that will help you get them to start moving towards
getting you some of the stuff you need
so that being said
well i hope you enjoyed this episode
i hope it helps you in your SOC 2 journey
and we will see you on the next episode
we'll talk more about SOC 2
we may actually take a break for a week or so
get some other topics in
and come back and continue this
but we will get through all the SOC 2
controls and requirements for the security
trust services criteria
of course if you like the podcast
please rate it share it
get this information out there
help us spread the word
and help other companies get these
requirements under their belt and do great things
so thanks for listening
we'll see you on the next one
pick up your copy of the cyber rants
book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector.com
join us next time
for another edition of the cyber rants podcast