00:00:06
Hi team, welcome to my session on Coffee with Prabh. This is my second session after threat modeling, and in this session we're going to discuss SOC. Not Security Operations Center; this is all about Service and Organization Control and System and Organization Control.
00:00:25
This topic is quite testable in CISSP, CCSP, CISA, CISM, CRISC. I received a lot of feedback regarding "could you please make some videos on this particular topic", so I thought let me craft around 10 questions which give you visibility about this entire concept.
00:00:42
My name is Prabh Nayar, and for more information you can refer to my LinkedIn profile. So let's start with the first coffee shop.
00:00:52
Prabh is a security consultant working for Aspirants Technology. They were planning to finalize one managed security service provider for their new business. While reviewing SOC reports of the service provider (the keyword here is service provider, and security service provider), which report would you most likely see?
00:01:15
Okay, so the question is talking about a business. The question has a keyword called security service provider; the question has a keyword called service provider. So option A, SOC 2 Type 2; option B, SOC 3; option C, SOC 1 Type 2; and option D, SOC 2 Type 1.
00:01:35
Now if I go by SOC 1, it basically covers the financial statement, but in the question we are not talking about anything related to the financial statement. They want to review the SOC report of the service provider, and they are planning for security services. SOC 1 mostly covers the financial statement. SOC 2 Type 1 can be the option, so let me park it. SOC 3 is just a high-level report and will not build any kind of confidence, so that is removed. B and C removed, so we are left with SOC 2 Type 2 and Type 1.
00:02:04
Type 2 basically talks about the effectiveness of a control. If you ask me as an auditor, if you ask me as a security consultant, I will definitely go for the Type 2 report, because Type 1 is talking about the design of control. So yes, the answer is Type 2, SOC 2 Type 2 report.
00:02:24
Now let's discuss another question. So the question is: Prabh is a security consultant working for Aspirants Technology. They were planning to finalize a managed security service for the new business, same thing again. Which of the following SOC reports should Prabh request if they require a period-of-time report comprising the security and integrity of a particular system?
00:02:54
So three keywords are there: period of time, security, integrity. Automatically SOC 2 is there, but let me check the options: SOC 2 Type 2, SOC 1 Type 1, SOC 2 Type 1, or SOC 1 Type 2. So we automatically park SOC 1 Type 1 and SOC 1 Type 2 because these are talking about the financial controls. So we're left with SOC 2 Type 1 and SOC 2 Type 2. They're talking about the period of time.
00:03:22
Now there's a small advice, a small suggestion, a small tip. When we say Type 1 or when we say Type 2: SOC 1 has a Type 1 and Type 2, SOC 2 has a Type 1 and Type 2. So the thin line difference is that Type 1 talks about the design of a control, which is point in time. Point in time, okay? Whereas SOC 2 Type 2 or SOC 1 Type 2 talks about the effectiveness of a control over a period of time. So wherever in the exam they are talking about period of time, close your eyes and select the answer Type 2 report.
00:03:57
So here we are talking about the period-of-time report which is introducing the security and integrity, not financial statement. That is why I'm going with SOC 2 Type 2. If the question is talking about financial statement, financial control, then in that case we can go with SOC 1 Type 2.
00:04:18
Third question: Prabh is a financial investor working with Aspirants Technology, an investment company that makes an acquisition investment. As a financial investor, when evaluating the SOC report for a managed security provider, because they are planning for the investment in the company, which report would Prabh most likely examine? So here in this scenario we're talking about me: as Prabh, I'm a financial investor, I wish to invest in one company.
00:04:45
So as an investor, which report will I be examining? Definitely for me SOC 2 doesn't matter, because I am planning for an investment, and from the investment point of view I will look for the financial statement. So let me check the options. SOC 3, definitely no, because it talks about the high-level details; it doesn't give me any kind of confidence. It is a public report which is published on a website. SOC 2 talks about the IT; SOC 2 Type 1, again, talks about the IT. Which report will be more interesting for me is SOC 1, because SOC 1 talks about the financial statement. So the answer is basically SOC 1.
00:05:19
Next: what is the thin line difference between the Type 1 and Type 2 SOC reports? "Type 1 is control effectiveness, Type 2 talks about control design": actually Type 1 is control design. "Type 1 is only used in a SOC 1": which is not true. "Type 1 is control design, Type 2 control effectiveness": makes sense. "Type 1 is only used in a SOC 2 and Type 2 is used in a SOC 1": that is also not true. So the answer is basically Type 1 is control design and Type 2 is control effectiveness.
00:05:53
If you ask me as an auditor, if you ask me as a customer, I will definitely be interested in the SOC 1 Type 2 or SOC 2 Type 2, because that talks about the control effectiveness. I want to give an example of Type 1 and Type 2. We need to have an 8-character password policy. We have seen in the documents that they are following it; that is a Type 1 audit. But we are trying to create a user with a less than 8-character password to see the effectiveness; that is called a Type 2 SOC 2. So this is how we are able to see the control effectiveness. That is where the answer is C for Charlie.
00:06:29
Which SOC report can be published on our website? Here the keyword is website, so it means it is accessible to everyone, to gain trust. So on a high level we can go with the answer SOC 3, because SOC 1 Type 1, SOC 1 Type 2 and SOC 1 are very detailed reports; we can't publish them on a website, as a finance statement. The report that we publish on a website to just give a high-level overview about our compliance with the SOC, that is called a SOC 3. Same like when you visit any facility and you can see the organization is ISO 27001 certified.
00:06:59
Next: Prabh is a security consultant working for Aspirants Technology. His company is planning to sign a contract with the cloud provider and wants to ensure its business continuity planning (it means we are talking about IT) and information security measures are reasonable. So what type of audit might you request to meet the goal? NESA is specific to the Middle East, NIST is a US standard, SOC 1 is financial statement, so we are left with SOC 2. The answer is A, SOC 2, because the question has keywords called information security, business continuity planning, and the question is talking about audit because you need to sign a contract with the cloud provider.
00:07:37
So my company is planning to sign a contract with the cloud provider, so I will be more interested in looking at their SOC 2 report because I'm going to host my data on the cloud.
00:07:47
Which audit report will be useful to check how well the company keeps up the books of account? It's used in finance. So NIST, again, is talking about the IT. SOC 3 is basically a high-level report which talks about how much we are compliant with the SOC. SOC 2 talks about the IT controls, how effective the IT controls are. So we are left with SOC 1. The answer is SOC 1 because it talks about the accuracy of a finance statement, because the book of account maps with the financial statements.
00:08:15
Second question: which of the following is not one of the trust criteria of the SOC 2? We have five trust criteria, so let me check. Privacy, it is there. Confidentiality, it is there. Security, it is there. What we don't have is the one called authenticity. The answer is authenticity. We have five trust principles under the SOC, but authenticity is not one of the trust principles.
00:08:40
Next question: which report specifies a date and assures the description of a system is fairly presented, or in accordance with the description criteria, and that controls are suitably designed as of the specified date? The keyword here is specified date. A walkthrough of the controls and a test of one is performed, but there is no detailed testing; it means effectiveness will not be there.
00:09:06
So SOC 1 is a financial statement, but here the question is talking about specified date, so SOC 1 needs to have a category Type 1, Type 2, so D is removed. SOC 3 Type 1, makes sense? SOC 2 Type 1, but SOC 3 there is no Type 1 and Type 2, right, so SOC 1 removed, Type 1 removed, so we're left with Type 2. Type 2 talks about the effectiveness of our control, but they are saying that no detailed testing has been done, we just have a walkthrough of the control. If any question is talking about the walkthrough of the control only, it means that it will be talking about the design of a control. Okay, because it is mentioned as a design, as a specified date. So design, specified date, no detailed testing: the answer is SOC 1 Type 1, because the question is not talking about anything IT; this is talking about high-level, the description criteria, which can be SOC 1. That's why the answer is A.
00:10:06
Prabh is a security consultant working for Aspirants Technology. He concluded one audit recently with the service auditor for his company. So Aspirants is primarily dealing with the data center; like me, my organization is dealing with the data center, co-location, software services, and I'm working as a security consultant in the same organization. We recently completed the audit, okay, so the auditor has to produce the detailed report that includes the description of the tests (keyword here is description of the tests) performed, past tense. The opinion will again cover the fairness of the description presentation, whether controls are suitably designed and if controls operated effectively over the reporting period. The keywords are these. So what is the report he's referring to here?
00:10:49
So I'm working as a security consultant for Aspirants. Okay, we are facing an audit where we are expecting, about the effectiveness of our control, from the auditor in the reports. So SOC 1 will not be the answer, because the keywords are there: data center, co-location, so it is more from the IT point of view. We are complying, or we are going for the SOC 2 audit, because we have customers from that category only. Tomorrow you as a customer wish to host your data on my cloud, so you're expecting the same level of controls, because you're not bothered about my financial statement; you're bothered about how we maintain your data security. So it's not covered under SOC 1 Type 1; that is removed.
00:11:30
So that is removed. SOC 3 does not have a Type 1. SOC 1 Type 2, no. So the answer is SOC 2 Type 2. Okay, so any question in the exam talking about a cloud, okay, and you as a customer are looking for data security control, the answer is SOC 2. If you are looking for the long-term stability, you're looking to ensure their employees should be able to be paid their salaries, because you're going to host your solution on the cloud, then from a financial stability point of view the answer will be SOC 1.
00:12:01
So Type 1 is a design of a control, which evaluates the report on the design of a control, which is point in time. And SOC 1 Type 2, or Type 2 report, basically talks about the effectiveness of a control over the period of time. So there is an exam summary we have.
00:12:17
If the question is talking about meeting a compliance requirement which is a US-specific requirement, then we will have to obtain the SOC 1 report, if the question has a keyword called financial statement. If the question is talking about trust services, data center, software, cloud service provider, then in that case we can ask for the SOC 2 report. Generally available on the public website, which is accessible to everyone: then SOC 3 report. If the question is talking about the financial, custodial services, payroll, the answer is basically the SOC 1 report.
00:12:49
Now, SOC 1 report talks about the financial statement, SOC 2 talks about the information technology, SOC 3 basically just talks about the high level, how much we are compliant. SOC 1 and SOC 2 have a Type 1 and Type 2 report. Type 1 is talking about the design of a control; Type 2 talks about the effectiveness of the control.
00:13:09
So this is all from my side. My name is Prabh Nayar; you can follow me on Insta and LinkedIn.