“We’ll just shoot you the SOC 2.”
I wish it were that easy.
Many data centers and call centers use the AICPA SOC 2 audit (part of the SOC reporting family that replaced the old SAS 70 report) to provide assurance over their processes and controls. An independent CPA reviews policy and operations to evaluate controls relevant to one or more of the Trust Services principles: Security, Availability, Processing Integrity, Confidentiality, or Privacy. If you are not familiar with it, the report gives an overview of the services in scope, then describes the controls expected to be in place and the auditor's observations against each. While the attestation process itself is tightly defined, the controls are not prescribed in detail the way they are in the PCI DSS.
In this time of increased scrutiny of third-party security, organizations are receiving an avalanche of requests. It is beneficial for service providers to have an official audit that can answer as many of these partner requests as possible. As a QSA, having a solid audit to use as evidence may mean avoiding travel to multiple regions to visit professional outsourcing facilities (which, in my experience, take physical security seriously and rarely have severe deficiencies). However, when I review these reports, I almost always need a little more information. There seems to be a disconnect between the controls the audit department proposes and the promises made in the service level agreements to customers regarding PCI compliance. While some other frameworks or standards might need a large number of new controls and observations (*cough* FedRAMP), PCI requirements can usually be met by small changes to the language used in the existing controls.
A few quick examples:
- Instead of letting the QSA assume that everything is inside the physical perimeter, add a control that verifies that no network connections or telecommunications lines are reachable from outside the controlled-access area.
- Instead of just reviewing whether there is a visitor log, observe that the visitor log contains the visitor's name, firm, and the onsite personnel authorizing physical access.
- Instead of reviewing whether logs are kept for all access, observe whether logs are kept for all access and retained for at least 90 days (PCI DSS requires a minimum of three months).
Mapping the applicable PCI DSS Requirement 9 controls (as well as wireless access point detection under Requirement 11.1, if applicable) into the SOC audit will streamline the process and minimize additional requests from the QSA. And then it can be that easy.