CISSP CISA CISM CCSP SOC 1,2,3 Report Questions

00:13:15
https://www.youtube.com/watch?v=VPRdYcmwCAQ

Resumen

TLDRDans cette présentation, Prab, consultant en sécurité chez Aspirants Technology, discute des types de rapports SOC (System and Organization Control), une norme essentielle pour évaluer les services de sécurité et de contrôle dans les entreprises, en particulier les fournisseurs de services cloud. Il explique la différence entre SOC 1, axé sur les déclarations financières, et SOC 2, qui concerne les contrôles de sécurité informatique et l'intégrité des services. SOC 3, quant à lui, est un rapport de haut niveau destiné à un public large. Prab donne également des conseils pour choisir le bon type de rapport SOC pour différents contextes, que ce soit pour l'évaluation de fournisseurs de sécurité, des contrôles d'intégrité ou pour l'assurance de conformité avec des réglementations spécifiques. En résumé, pour les contrôles de sécurité, un rapport SOC 2 est recommandé; pour des évaluations financières, un rapport SOC 1 est pertinent.

Para llevar

  • 🔍 SOC se réfère au contrôle des services et des organisations.
  • 📊 SOC 1 est centré sur les états financiers.
  • 🔒 SOC 2 évalue la sécurité informatique et l'intégrité des données.
  • 🌐 SOC 3 est un rapport de niveau élevé destiné au public.
  • 🕒 Type 1 évalue la conception des contrôles à un moment donné.
  • ⏳ Type 2 examine l'efficacité des contrôles sur le temps.
  • 💼 Les décisions d'investissement se basent souvent sur des rapports SOC.
  • 🛡️ Les rapports SOC aident à assurer la sécurité dans les services cloud.
  • 📁 L'audit SOC 2 est souvent requis pour les fournisseurs IT.
  • 🚀 Les rapports SOC supportent la confiance dans la conformité.

Cronología

  • 00:00:00 - 00:05:00

    Dans cette session, Prab, consultant en sécurité, aborde le concept des rapports SOC (Service and Organization Control). Il présente différentes options de rapports, telles que SOC 1, SOC 2 et SOC 3, en expliquant leurs finalités. SOC 1 est principalement lié aux états financiers, SOC 2 au contrôle des systèmes et à la sécurité, et SOC 3 offre un aperçu général pour le public. Prab conseille d'opter pour SOC 2 Type 2 pour évaluer l'efficacité des contrôles sur une période, surtout dans le contexte de fournisseurs de services de sécurité.

  • 00:05:00 - 00:13:15

    Prab discute des critères de confiance des rapports SOC 2, tels que la confidentialité, la sécurité et la protection de la vie privée. Il clarifie que SOC 1 est lié aux déclarations financières, tandis que SOC 2 évalue les contrôles informatiques. Il explique que SOC 3 est publié pour présenter un aperçu de la conformité. Pour les entreprises souhaitant évaluer la sécurité informatique et la continuité des activités, SOC 2 est recommandé. SOC 1 est préférable pour examiner les états financiers. Les différences entre Type 1 et Type 2 sont discutées : Type 1 évalue le design des contrôles à un moment donné et Type 2 leur efficacité sur une période.

Mapa mental

Mind Map

Preguntas frecuentes

  • Quel rapport SOC est axé sur l'efficacité des contrôles sur une période donnée ?

    Le rapport SOC 2 Type 2 se concentre sur l'efficacité des contrôles sur une période donnée.

  • Quel type de rapport SOC est principalement utilisé pour les contrôles financiers ?

    Le rapport SOC 1 est utilisé pour les contrôles financiers.

  • Quel rapport SOC offrirait le plus d'informations sur la sécurité et la continuité d'un fournisseur de cloud ?

    Le rapport SOC 2 serait le plus pertinent pour évaluer la sécurité et la continuité d'un fournisseur de cloud.

  • Quels sont les critères de confiance du SOC 2 ?

    Les critères de confiance du SOC 2 incluent la sécurité, la confidentialité, l'intégrité, mais pas l'authenticité.

  • Quel rapport SOC peut être publié sur un site web pour un aperçu public ?

    Le rapport SOC 3 peut être publié sur un site web car il fournit un aperçu général pour le public.

  • Quelle est la différence entre un audit SOC Type 1 et Type 2 ?

    Le Type 1 porte sur la conception des contrôles à un moment spécifique, tandis que le Type 2 évalue l'efficacité des contrôles sur une période.

  • Quel rapport SOC est pertinent pour une vérification relative à un centre de données ?

    Un rapport SOC 2 est pertinent pour une vérification axée sur les centres de données.

  • Quel rapport vérifierait la tenue des comptes financiers d'une entreprise ?

    Le rapport SOC 1 s'applique à la vérification des comptes financiers.

Ver más resúmenes de vídeos

Obtén acceso instantáneo a resúmenes gratuitos de vídeos de YouTube gracias a la IA.
Subtítulos
en
Desplazamiento automático:
  • 00:00:01
    [Music]
  • 00:00:06
    hi team
  • 00:00:07
    welcome to my session on coffee with
  • 00:00:10
    prab
  • 00:00:11
    and this is my second session after
  • 00:00:13
    threat modeling
  • 00:00:14
    and in this session we're going to
  • 00:00:16
    discuss about sock
  • 00:00:17
    type not security operation center this
  • 00:00:20
    is all about service and organization
  • 00:00:22
    control and system and organization
  • 00:00:24
    control
  • 00:00:25
    this topic is quite testable in cssp
  • 00:00:28
    ccsp
  • 00:00:28
    sisa csm say risk i received a lot of
  • 00:00:32
    feedback regarding
  • 00:00:33
    could you please make some videos on
  • 00:00:34
    this particular topic so i thought
  • 00:00:36
    let me craft around 10 questions which
  • 00:00:39
    give you visibility about this entire
  • 00:00:41
    concept
  • 00:00:42
    my name is prabhnayar and for more
  • 00:00:44
    information you can refer my linkedin
  • 00:00:46
    profile
  • 00:00:47
    so let's start with the first coffee
  • 00:00:49
    shop
  • 00:00:52
    prab is a security consultant working
  • 00:00:54
    for asperance technology
  • 00:00:56
    they were planning to finalize one
  • 00:00:58
    managed security service provider
  • 00:01:01
    for their new business while reviewing
  • 00:01:05
    shock reports of service provider here
  • 00:01:08
    the keyword here is service provider
  • 00:01:10
    and security service provider which
  • 00:01:13
    report would you most likely to
  • 00:01:15
    see okay so question is talking about
  • 00:01:19
    a business the question has a keyword
  • 00:01:21
    called security service provider the
  • 00:01:23
    question has a keyword called service
  • 00:01:24
    provider
  • 00:01:25
    so option a sock to type 2
  • 00:01:28
    option b sock 3 option c
  • 00:01:32
    sock 1 type 2 and option d sock 2 type 1
  • 00:01:35
    now if i go by the sock one it is
  • 00:01:37
    basically covered the financial
  • 00:01:39
    statement but in the question we are not
  • 00:01:40
    talking about anything led to the
  • 00:01:42
    financial statement
  • 00:01:43
    they want to review the stock report of
  • 00:01:45
    the service provider
  • 00:01:46
    and they are planning for a security
  • 00:01:48
    services stock one mostly cover about
  • 00:01:50
    the financial statement
  • 00:01:52
    stock 2 type 1 can be the option so let
  • 00:01:54
    me park
  • 00:01:55
    stock 3 is just a high level report will
  • 00:01:57
    not build any kind of a confidence so
  • 00:01:59
    that is removed
  • 00:02:00
    b and c removed so we left with stock 2
  • 00:02:04
    type 2 and type 1 type 2 is basically
  • 00:02:06
    talk about the effectiveness of a
  • 00:02:07
    control
  • 00:02:08
    if you ask me as an auditor if you ask
  • 00:02:10
    me as a security consultant
  • 00:02:12
    i will definitely go for the type 2
  • 00:02:13
    report because type 1 is talking about
  • 00:02:16
    the design of control
  • 00:02:17
    so answer is yes the answer is
  • 00:02:20
    type 2 shock to type 2 report
  • 00:02:24
    now let's discuss another question
  • 00:02:28
    so question is prab is a security
  • 00:02:32
    consultant
  • 00:02:32
    working for aspirants technology they
  • 00:02:35
    were planning
  • 00:02:36
    to finalized managed security service
  • 00:02:38
    for the new business same thing again
  • 00:02:40
    which are the following shock report
  • 00:02:42
    should a prob
  • 00:02:43
    request if they require a period of time
  • 00:02:47
    report comprising a security
  • 00:02:50
    and integrity of a particular system so
  • 00:02:54
    three keywords are there period of time
  • 00:02:56
    security integrity automatically stock2
  • 00:02:58
    is there but let me check the options
  • 00:03:01
    sock 2 type 2 sock 1 type 1
  • 00:03:05
    sock 2 type 1 or sock 1 type 2
  • 00:03:09
    so we automatically park stock 1 type
  • 00:03:12
    1 and stock 1 type 2 because these are
  • 00:03:15
    talking about the financial controls so
  • 00:03:17
    we're left with stock to type and stock
  • 00:03:18
    to type 2.
  • 00:03:20
    they're talking about the period of time
  • 00:03:22
    now there's a small
  • 00:03:23
    advice a small suggestion small tip when
  • 00:03:25
    we say type 1
  • 00:03:27
    or when we say type 2 okay sock 1 has a
  • 00:03:30
    type 1 type 2 sock 2 has a type 1 and
  • 00:03:32
    type 2
  • 00:03:33
    so thin line difference is that type 1
  • 00:03:36
    talk about the design of a control
  • 00:03:38
    which is point in time point
  • 00:03:42
    in time okay where is the sock 2 type 2
  • 00:03:45
    or stock 1 type 2
  • 00:03:47
    talk about the effectiveness of a
  • 00:03:48
    control of a period of time
  • 00:03:51
    so wherever in the exam talking about
  • 00:03:53
    period of time
  • 00:03:54
    close your eyes and select the answer
  • 00:03:57
    type 2 report so here
  • 00:03:59
    we are talking about the period of time
  • 00:04:00
    report which introducing introducing the
  • 00:04:02
    security and integrity
  • 00:04:05
    not financial statement that is why i'm
  • 00:04:07
    going with the shock to
  • 00:04:08
    type 2. uh if the question talking about
  • 00:04:10
    financial statement financial control
  • 00:04:12
    then in that case
  • 00:04:13
    we can go with the stock one type two
  • 00:04:18
    third question prab is a financial
  • 00:04:20
    investor
  • 00:04:21
    working with the aspirants technology
  • 00:04:23
    investment company that makes an
  • 00:04:25
    acquisition investment
  • 00:04:26
    as a financial investor when evaluating
  • 00:04:29
    the stock report
  • 00:04:30
    for managed security provider because
  • 00:04:33
    they are planning for the investment in
  • 00:04:35
    the company so here in this scenario
  • 00:04:36
    we're talking about me
  • 00:04:37
    as a pro i'm a financial investor i wish
  • 00:04:40
    to invest in one company
  • 00:04:42
    so which report would prop most likely
  • 00:04:45
    to examine so as an investor which
  • 00:04:46
    report i will be examine definitely for
  • 00:04:48
    me stock 2 doesn't matter because i am
  • 00:04:50
    planning for an investment and from the
  • 00:04:51
    investment point of view i will look for
  • 00:04:53
    the financial statement
  • 00:04:55
    so let me check the options stock 3
  • 00:04:57
    definitely no because it's talk about
  • 00:04:58
    the high level details
  • 00:05:00
    it doesn't give me any kind of a
  • 00:05:01
    confidence it is a publix report which
  • 00:05:03
    is published on a website
  • 00:05:04
    stock 2 talk about the it sock 2 type
  • 00:05:07
    and again talk about the it
  • 00:05:09
    which report will be more interesting
  • 00:05:10
    for me is the sock one because stockman
  • 00:05:12
    talk about the financial statement
  • 00:05:14
    so answer is basically sock one
  • 00:05:19
    next what is a thin line difference
  • 00:05:22
    between the type 1
  • 00:05:23
    and type 2 sock reports type 1 is
  • 00:05:26
    control effectiveness
  • 00:05:28
    type 2 talk about control design
  • 00:05:31
    actually type 1 is control design type 1
  • 00:05:33
    only use in a stock one which is not
  • 00:05:35
    true
  • 00:05:37
    type 1 is control design type 2 control
  • 00:05:39
    effectiveness makes sense
  • 00:05:42
    type 1 only use in a sock 2 and type 2
  • 00:05:46
    use in a stock one that is also not true
  • 00:05:49
    so answer is basically type 1 is control
  • 00:05:52
    design
  • 00:05:53
    and type 2 is control effectiveness if
  • 00:05:55
    you ask me as an auditor if you ask me
  • 00:05:57
    as a customer
  • 00:05:58
    i will definitely interested in the sock
  • 00:06:00
    one type 2 or sock 2 type 2 because that
  • 00:06:02
    talk about the control effectiveness
  • 00:06:04
    i want to give an example of type 1 and
  • 00:06:06
    type 2.
  • 00:06:07
    we have a we need to have a 8 character
  • 00:06:09
    password policy
  • 00:06:10
    we have seen in the documents they are
  • 00:06:12
    following that is a type 1 audit
  • 00:06:14
    but we are trying to create a user with
  • 00:06:16
    a lesson 8 character password to see the
  • 00:06:17
    effectiveness that is called as a type 2
  • 00:06:20
    sock 2. so this is how we can able to
  • 00:06:23
    see the control effectiveness
  • 00:06:24
    that is where the answer is c for
  • 00:06:27
    charlie
  • 00:06:29
    which stock report can be published on
  • 00:06:30
    our website here the keyword is
  • 00:06:32
    website so it mean it is accessible to
  • 00:06:35
    everyone
  • 00:06:35
    to gain trust so on a high level we can
  • 00:06:37
    go with the answer stock 3
  • 00:06:39
    because sock 1 type 1 sock 1 type 2 and
  • 00:06:42
    stock 1 they are very detailed report we
  • 00:06:44
    can't publish on a website as a finance
  • 00:06:46
    statement the report that we publish on
  • 00:06:48
    a website to just give a high level
  • 00:06:49
    overview about vr compliance with the
  • 00:06:51
    sock
  • 00:06:51
    that is called as a sock 3. same like
  • 00:06:53
    when you visit any facility and you can
  • 00:06:55
    see
  • 00:06:55
    the organization is iso 27001 certified
  • 00:06:59
    next prep is a security consultant
  • 00:07:02
    working for aspirants technology
  • 00:07:04
    his company planning to sign a contract
  • 00:07:06
    with the cloud provider
  • 00:07:07
    and want to ensure its business
  • 00:07:09
    continuity planning it means talking
  • 00:07:11
    about i.t
  • 00:07:11
    and information security measures are
  • 00:07:14
    reasonable so what type of audit
  • 00:07:17
    might you request to meet the goal nissa
  • 00:07:19
    is specific to middle east nist
  • 00:07:21
    us standard stock one is financial
  • 00:07:23
    statement so we left with sock 2.
  • 00:07:25
    the answer is a sock 2. because question
  • 00:07:29
    has a keyword called information
  • 00:07:30
    security
  • 00:07:31
    business continuity planning and the
  • 00:07:32
    question talking about audit because you
  • 00:07:34
    need to sign a contract with the cloud
  • 00:07:35
    provider
  • 00:07:37
    so my company want to planning to sign a
  • 00:07:39
    contract with the cloud provider so i
  • 00:07:40
    will be more interested in
  • 00:07:42
    looking there sock to report because i'm
  • 00:07:44
    going to host my data on the cloud
  • 00:07:47
    which audit report will be useful to
  • 00:07:49
    check how well the company keep up the
  • 00:07:51
    books of account it's used in a finance
  • 00:07:53
    so nist again talking about the it
  • 00:07:55
    shock 3 is basically high level report
  • 00:07:57
    which talk about how much we are
  • 00:07:58
    compliance with the stock
  • 00:08:00
    stock two talk about the id controls how
  • 00:08:03
    effective is it controls so we left with
  • 00:08:05
    stock one the answer is
  • 00:08:06
    sock one because it talk about the
  • 00:08:08
    accuracy of a finance statement because
  • 00:08:10
    book of account
  • 00:08:11
    map with the financial statements
  • 00:08:15
    second question which of the following
  • 00:08:16
    is not one of the trusted criteria of
  • 00:08:19
    the salk two
  • 00:08:20
    we have a five trusted criteria so let
  • 00:08:22
    me check privacy
  • 00:08:24
    it is there confidentiality it is their
  • 00:08:26
    security it is there
  • 00:08:28
    we don't have which is called as
  • 00:08:29
    authenticity answer is
  • 00:08:31
    authenticity we have a five trusted
  • 00:08:33
    principles under the sock but
  • 00:08:35
    authenticity is not one of the trusted
  • 00:08:38
    principles
  • 00:08:40
    next question which report specified
  • 00:08:44
    date and assure the description of a
  • 00:08:47
    system is fairly presented or in
  • 00:08:48
    accordance with the description criteria
  • 00:08:51
    and that controls are suitably designed
  • 00:08:53
    as on as
  • 00:08:54
    of the specific specified date keyword
  • 00:08:56
    here is specified date
  • 00:08:58
    walk through of the controls and test of
  • 00:09:00
    one is performed but there is no
  • 00:09:02
    detailed testing it means effectiveness
  • 00:09:04
    will not be there
  • 00:09:06
    so sock one is a financial statement but
  • 00:09:08
    the here the question talking about
  • 00:09:10
    specified date so sock one
  • 00:09:15
    need to have a category type in type two
  • 00:09:16
    so d is removed
  • 00:09:19
    stock three type one makes sense
  • 00:09:23
    sock 2 type 1 but 3 there is no type 1
  • 00:09:27
    and type 2 right so stock 1 removed
  • 00:09:29
    type 1 remove so we're left with type 2
  • 00:09:31
    type to talk about the effectiveness of
  • 00:09:33
    our control but they are saying that no
  • 00:09:34
    detailed testing has been done we just
  • 00:09:36
    have a walkthrough of the control
  • 00:09:37
    if any question talking about the
  • 00:09:38
    walkthrough of the control only
  • 00:09:40
    it means that it will be talking about
  • 00:09:42
    the design of a control
  • 00:09:44
    okay because it is mentioned as a design
  • 00:09:47
    as a specified data
  • 00:09:48
    so design specified date no detailed
  • 00:09:52
    testing
  • 00:09:52
    answer is sock one type one because
  • 00:09:55
    question is not talking about anything i
  • 00:09:57
    t this is talking about high level the
  • 00:09:59
    description criteria which can be
  • 00:10:01
    stocked towards
  • 00:10:02
    one that's why the answer is a
  • 00:10:06
    prab is a security consultant working
  • 00:10:08
    for aspirin technology he conclude one
  • 00:10:10
    audit recently with the service auditor
  • 00:10:12
    for his company
  • 00:10:14
    so aspirants primarily dealing with the
  • 00:10:16
    data center like me my
  • 00:10:18
    organization dealing with the data
  • 00:10:19
    center co-location software services
  • 00:10:21
    and i'm working as a security consultant
  • 00:10:23
    consultant in the same organization
  • 00:10:24
    we recently complete the audit okay so
  • 00:10:26
    auditor has to produce
  • 00:10:28
    the detailed report that include the
  • 00:10:29
    description of a test keyword here is
  • 00:10:31
    description of a test
  • 00:10:32
    performed between past tense the opinion
  • 00:10:34
    will again cover the fairness of the
  • 00:10:36
    description presentation
  • 00:10:38
    whether controls are suitably designed
  • 00:10:40
    and
  • 00:10:41
    if controls are operated effectively
  • 00:10:44
    over the reporting period keywords are
  • 00:10:47
    this
  • 00:10:47
    so what is the report he's referring
  • 00:10:49
    here so i'm working as a security
  • 00:10:50
    consult for aspirants
  • 00:10:52
    okay we have facing an audit where we
  • 00:10:55
    are expecting about the effectiveness of
  • 00:10:56
    our control from the auditor in the
  • 00:10:58
    reports
  • 00:10:59
    so stockman will not be the answer
  • 00:11:00
    because keywords are their data center
  • 00:11:03
    co location so it is more from it point
  • 00:11:05
    of views we are complaining or we are
  • 00:11:07
    going for the stock
  • 00:11:08
    two audits because we have a customer
  • 00:11:10
    from that category only
  • 00:11:11
    tomorrow you as a customer wish to host
  • 00:11:13
    your data on my cloud
  • 00:11:14
    so you're expecting some same level of
  • 00:11:16
    controls because
  • 00:11:18
    you're not bothered about my financial
  • 00:11:19
    statement you're bothered about how we
  • 00:11:20
    maintain your data security
  • 00:11:22
    so it's not covered under stock one type
  • 00:11:24
    one that is removed
  • 00:11:30
    so that is removed stock three does not
  • 00:11:33
    have a type one
  • 00:11:36
    stock one type two no so answer is sock
  • 00:11:39
    to
  • 00:11:39
    type two okay so any question in the
  • 00:11:43
    exam talking about a cloud
  • 00:11:45
    okay and you as a customer you're
  • 00:11:46
    looking for data security control
  • 00:11:48
    answer is shock to you looking for the
  • 00:11:50
    long term stability
  • 00:11:51
    you're looking for to ensure their
  • 00:11:53
    employees should able to pay their
  • 00:11:54
    salaries because you're going to host
  • 00:11:56
    your solution on the cloud
  • 00:11:57
    then from a financial stability point of
  • 00:11:59
    view answer will be shock one
  • 00:12:01
    so type 1 is a design of a control which
  • 00:12:04
    evaluate the report on the design of a
  • 00:12:06
    control
  • 00:12:07
    which is point in time and so stockman
  • 00:12:09
    type 2 or type 2 report
  • 00:12:11
    is basically talk about the
  • 00:12:12
    effectiveness of a control over the
  • 00:12:14
    period of
  • 00:12:15
    time so there is an exam summary we have
  • 00:12:17
    if the question talking about meeting
  • 00:12:19
    the compliance requirement
  • 00:12:23
    if the question talking about meeting a
  • 00:12:24
    compliance requirement which is a u.s
  • 00:12:26
    specific requirement
  • 00:12:27
    then we will have to obtain the stock
  • 00:12:29
    one report if the question has a keyword
  • 00:12:30
    called financial statement
  • 00:12:32
    if the question talking about trust
  • 00:12:33
    services data center software cloud
  • 00:12:36
    service provider then in that case we
  • 00:12:38
    can ask for the stock to report
  • 00:12:40
    generally available on the public
  • 00:12:41
    website which is accessible to everyone
  • 00:12:43
    then stock 3 report if the question
  • 00:12:45
    talking about the financial custodial
  • 00:12:47
    services payroll the answer is basically
  • 00:12:49
    it's awkward report now stock one report
  • 00:12:52
    talk about the financial statement shock
  • 00:12:55
    to talk about the information technology
  • 00:12:58
    stock through is basically just talk
  • 00:12:59
    about the high level how much via
  • 00:13:01
    compliance
  • 00:13:02
    stock ones ought to have a type and type
  • 00:13:04
    to report type one talking about
  • 00:13:06
    designer for control type to talk about
  • 00:13:08
    the effectiveness of the control
  • 00:13:09
    so this is all from my site my name is
  • 00:13:12
    prabhnaya you can follow me on insta and
  • 00:13:14
    linkedin
Etiquetas
  • SOC
  • sécurité informatique
  • Audit
  • contrôles financiers
  • services cloud
  • continuité des affaires
  • certification
  • efficacité des contrôles