SOC for Cybersecurity

Specialized Cybersecurity Reporting

The newest report to join the SOC family, the SOC for Cybersecurity Report is designed to show how effectively an organization identifies, prevents, detects and responds to cybersecurity threats. Having controls in place for security breaches and other events that could compromise your organization is vital. The AICPA recognized the need for a cybersecurity risk management reporting framework that helps organizations communicate the effectiveness of their cybersecurity controls and of their risk management program as a whole. Unlike a SOC 2 report, which is restricted to specified users, a SOC for Cybersecurity report is a general-use report, so it can be shared broadly. Obtaining one is an investment worth making: it demonstrates to everyone from your internal staff to your investors and business partners that mitigating cybersecurity breaches of all types is a top priority for your operation.

What’s in a Cybersecurity Risk Management Report?

As the AICPA explains, a cybersecurity risk management examination report has three key components:

1.) Management's description of the entity's cybersecurity risk management program. The first component is a management-prepared narrative description of the entity's cybersecurity risk management program (the description). It explains how the entity identifies its information assets, how it manages the cybersecurity risks that threaten those assets, and the key security policies and processes it has implemented and operates to protect them. The description provides the context users need to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report. Management prepares the description using the AICPA's description criteria, and the practitioner uses the same criteria to evaluate whether the description is fairly presented.

2.) Management's assertion. The second component is an assertion provided by management, which may be made as of a point in time or for a specified period. The assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for this purpose (its Trust Services Criteria for security, availability and confidentiality); management may instead use other suitable control criteria, such as the NIST Cybersecurity Framework or ISO/IEC 27001, provided the report identifies which criteria were used.

3.) Practitioner's report. The third component is the report of the practitioner, an independent CPA, which contains an opinion on both subject matters in the examination. The opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria. As with any examination, the opinion speaks to the description and to the design and operation of controls as evaluated against the stated criteria; it is not a guarantee that a breach cannot occur, and the report itself notes these inherent limitations.


Contact the Holbrook & Manter team today to learn more about the SOC for Cybersecurity Report and how it could benefit your organization.