By: Ryan Meehan, April 14th, 2016
During SOC 1 Type 2 examinations, which evaluate both the design and operating effectiveness of your controls, any deviation from the stated control process must be disclosed in the service auditor’s testing results. These are commonly referred to as testing “exceptions” or “deviations” because they are departures from the stated control activity. Identifying at least one testing exception is common, whether the cause is an outage, a failure to document a manual process, or a simple oversight. There are a few questions, however, that you can ask both your auditors and yourselves to help manage those exceptions.
By: Danny Manimbo, January 21st, 2016
Formerly known as Service Organization Controls (SOC) reports, what are now known as System and Organization Controls reports help companies establish trust and confidence in their services or products, including their delivery and business processes and their controls.
Healthcare Assessments | SOC Examinations
By: Schellman Compliance, December 8th, 2015
HITRUST, or the Health Insurance Trust Alliance, is a security organization and the creator of the Common Security Framework (CSF), "a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health, and financial information." HITRUST has also developed a standard security report that addresses risk and compliance issues and helps an organization compare its security issues with those of others across the industry.
By: Terry O'Brien, October 5th, 2015
When the Romans perfected aqueducts, those channels that transported fresh water from the source to established cities and towns became the backbone of those areas. Though the Romans were excellent civil engineers, the creation and implementation of aqueducts still required a lot of planning—projects could consist of different elements like pipes, tunnels, canals, and bridges, as well as combinations of these.
By: Lauren Edmonds, September 14th, 2015
Can I have disaster recovery controls within my SOC 1 test of controls matrix?
By: Debbie Zaller, June 15th, 2015
Is there a SOC certification similar to an ISO 27001 certification?
Education | SOC Examinations | Audit Readiness | SOC 2
By: Chad Goubeaux, August 14th, 2014
Although a SOC 2 examination is not a mandatory security framework and, as such, is not a legal or regulatory requirement for every business, it is often considered a necessity. This is especially true for organizations that regularly store customer data and handle sensitive information.
Compliance and Certification | SOC Examinations
By: Mike Meyer, May 11th, 2014
Periodic reviews of system access are critical for service organizations that wish to maintain strong internal control over information security. Access privileges to systems or physical locations that affect the customer’s business environment should be commensurate with the requirements of the services provided. These privileges should also enforce segregation of incompatible duties. For example, to keep incompatible duties separate, a system developer generally should not also have the access needed to migrate changes into the production environment.