CISSP PRACTICE QUESTIONS – 20211111

Effective CISSP Questions

You are working for a US-based public company and evaluating cloud solutions that host the ERP system involved in financial reporting. For more information, you refer to the website of one of the most well-known cloud service providers. As a website guest visitor, which of the following is the best SOC report available to inform your evaluation? (Wentz QOTD)
A. SOC 1
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. SOC 3.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

SOC 3 refers to the System and Organization Controls for Service Organizations: Trust Services Criteria for General Use Report. Because SOC 3 reports are general-use reports, they can be freely distributed and are typically the only SOC report a provider posts publicly, which is why a guest visitor with no NDA can obtain one.

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed.

Source: AICPA

SOC 1 and SOC 2 reports are restricted-use reports. Their distribution is limited to the management of the service organization (e.g., Amazon), user entities (customers), and user auditors, typically under a non-disclosure agreement; they cannot be freely distributed. A SOC 1 report would be the most relevant to an ERP system supporting financial reporting, since it covers controls relevant to user entities' internal control over financial reporting (ICFR), but a guest visitor to the provider's website cannot obtain it, so it is not "available" in the sense the question asks.

(The question in Chinese, translated:) You are working for a US-based publicly listed company and are evaluating a cloud solution for an ERP system that includes financial reporting, referring to the website of one of the most well-known cloud service providers for more information. As a website visitor, which of the following is the best SOC report available for your evaluation? (Wentz QOTD)
A. SOC 1
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3
