In response to the need of service providers to accredit the security level to their customers, in 2011 the American Institute of Certified Public Accountants (AICPA) created the Service Organization Controls (SOC) framework, which replaced the old SAS 70. Its objective is to help IT service providers to build trust in their processes and in the security assessment controls that they apply.
SOC encompasses three report types, which we referred to in a previous post. The reports are written by independent and external auditors, and their objective is the certification of the quality and effectiveness of the selected and applied controls.
Regardless of its effectiveness as an evaluation mechanism, the SOC 2 Type II report is not easy to read by someone unaffiliated to the service. That is because it requires a thorough knowledge of its internal operation, and always requires an in-depth reading to understand the audited control environment. We should bear in mind that the real customer interest is not to understand how the service works, but rather its functionality is the expected, and that the service is delivered with guaranteed sufficient security measures. In this line, LEET Security's rating methodology, having the same goal of service security evaluation and rating, provides a greater ease of understanding by the customers compared to the SOC 2 report, thanks to the security measures rating in 5-levels.
Reflecting on both control frameworks we identify the following differences:
Since both the AICPA and LEET Security aim for the same goal, and although the approaches are different, both are perfectly complementary with each other.
The contribution that the security rating methodology developed by LEET provides to service providers can be summarized in the following aspects:
• To have a control framework based on best practices and international control standards (ISO 27002, IA-942, PCI DSS, ENS, NIST 800/53) that will serve as the basis for the SOC 2 report development.
• To take advantage of the SOC 2 report audit based on the LEET controls to achieve its rating. In this way, the provider gets two recognized accreditations with the same audit.
• To use the SOC 2 report in response to other regulatory compliances whose controls are included in the LEET methodology
• The LEET rating follow-up and renewal process reinforces the SOC 2 report security level accreditation over time (in fact, it removes bridge letters need since LEET Security guarantees the level security is still in effect, and therefore no additional process is required).
Definitely, service provider can make the audit process effort much more efficient by using its results for different purposes. On the one hand, he/she obtains guarantee of compliance with regulation, and thanks to the LEET rating, he/she has a control methodology and achieves a security rating easily understood by all customers.
On the other hand, the client can simplify the process of understanding the service provider control environment, and reduces the administrative burden of bridge letter management.
For these reasons, we can conclude that SOC2 and LEET Security rating are the perfect couple.
Demand it as a user! Accredit it as a service provider!
All you need is LEET.
Suscribe our newsletter by clicking here
You can follow us on twitter.com/leet_security