Contact Us

Penetration Testing

 
Penetration Testing

Proactively identify and attempt to exploit critical vulnerabilities, drawing remediation insights prior to a real-world attack

loupe

 
Vulnerability Management

Detect, categorize, and score vulnerabilities existing in your organization’s website, applications, network, or devices

employee

 
Virtual CISO (vCISO)

Leverage a team of veteran security professionals full or part-time to identify risks and enhance your security program

        

court

 
Compliance

Achieve and maintain compliance with the state, federal, and industry regulations and frameworks required for your organization

secure-shield

 
Risk & Business Resiliency

Assess your organization’s present risk level and develop policies, procedures, programs, and plans to mitigate risks identified

artificial-intelligence

 
Social Engineering & Awareness

Foster security awareness among your team and simulate real-world attack scenarios to assess the effectiveness of training

        

cloud-computing

 
Cloud Security

Evaluate your organization’s cloud infrastructure attack surface, identifying vulnerabilities in controls and configurations

Cybersecurity Services

 
Incident Response & Forensics

Determine the extent of a compromise, create a plan to keep damage under control, and preserve evidence for further investigation

copy-writing

 
White Label Security Services

Provide quality security services to your clients to expand your service offerings while our experts work under your brand name

Financial Services

 
Financial Services

Banks, credit unions, insurance, processors

Gaming

 
Gaming

Casinos, lottery services, online gambling

Government

 
Government

State, local, and tribal government agencies

        

Healthcare

 
Healthcare

Hospitals, clinics, pharmaceuticals

Higher Education

 
Higher Education

Colleges, universities, online schools

Hospitality

 
Hospitality

Hotels, restaurants, entertainment, tourism

        

Manufacturing

 
Manufacturing

Transforming materials into finished products

Nonprofit

 
Nonprofit

Charities, museums, religious institutions

Retail

 
Retail

Brick-and-mortar stores, online shopping

        

Technology

 
Technology

Technology-based products and services

Utilities

 
Utilities

Electricity, gas, water, sewage, transportation

        

Case Studies

 
Case Studies

In-depth investigations into our engagements

Datasheets

 
Datasheets

Detailed summaries of the services we offer

eBooks & Checklists

 
eBooks & Checklists

Downloadable files to help mitigate your risks

        

Glossary of Terms

 
Glossary of Abbreviations

Industry abbreviations listed and described

Industry News

 
Industry News

Recent cybersecurity and compliance news

Webinars & Videos

 
Webinars & Videos

Video content produced by our experts

About Us

 
About Us

Learn more about our story and mission

Career Opportunities

 
Career Opportunities

Explore career opportunities and apply today

Certifications

 
Certifications

Industry-leading certifications and education

        

Community

 
Community

See how we give back to the community

Events

 
Events

Upcoming conferences and webinars

Meet the Team
Meet the Team

Meet our executive team of experts

        

Press Releases

 
Press Releases

Major company news and announcements

Request a Speaker

 
Request a Speaker

Request our experts to speak at your event

Testimonials

 
Testimonials

Hear what others have to say about us
Contact Us

Penetration Testing

 
Penetration Testing

Proactively identify and attempt to exploit critical vulnerabilities, drawing remediation insights prior to a real-world attack

loupe

 
Vulnerability Management

Detect, categorize, and score vulnerabilities existing in your organization’s website, applications, network, or devices

employee

 
Virtual CISO (vCISO)

Leverage a team of veteran security professionals full or part-time to identify risks and enhance your security program

        

court

 
Compliance

Achieve and maintain compliance with the state, federal, and industry regulations and frameworks required for your organization

secure-shield

 
Risk & Business Resiliency

Assess your organization’s present risk level and develop policies, procedures, programs, and plans to mitigate risks identified

artificial-intelligence

 
Social Engineering & Awareness

Foster security awareness among your team and simulate real-world attack scenarios to assess the effectiveness of training

        

cloud-computing

 
Cloud Security

Evaluate your organization’s cloud infrastructure attack surface, identifying vulnerabilities in controls and configurations

Cybersecurity Services

 
Incident Response & Forensics

Determine the extent of a compromise, create a plan to keep damage under control, and preserve evidence for further investigation

copy-writing

 
White Label Security Services

Provide quality security services to your clients to expand your service offerings while our experts work under your brand name

Financial Services

 
Financial Services

Banks, credit unions, insurance, processors

Gaming

 
Gaming

Casinos, lottery services, online gambling

Government

 
Government

State, local, and tribal government agencies

        

Healthcare

 
Healthcare

Hospitals, clinics, pharmaceuticals

Higher Education

 
Higher Education

Colleges, universities, online schools

Hospitality

 
Hospitality

Hotels, restaurants, entertainment, tourism

        

Manufacturing

 
Manufacturing

Transforming materials into finished products

Nonprofit

 
Nonprofit

Charities, museums, religious institutions

Retail

 
Retail

Brick-and-mortar stores, online shopping

        

Technology

 
Technology

Technology-based products and services

Utilities

 
Utilities

Electricity, gas, water, sewage, transportation

        

Case Studies

 
Case Studies

In-depth investigations into our engagements

Datasheets

 
Datasheets

Detailed summaries of the services we offer

eBooks & Checklists

 
eBooks & Checklists

Downloadable files to help mitigate your risks

        

Glossary of Terms

 
Glossary of Abbreviations

Industry abbreviations listed and described

Industry News

 
Industry News

Recent cybersecurity and compliance news

Webinars & Videos

 
Webinars & Videos

Video content produced by our experts

About Us

 
About Us

Learn more about our story and mission

Career Opportunities

 
Career Opportunities

Explore career opportunities and apply today

Certifications

 
Certifications

Industry-leading certifications and education

        

Community

 
Community

See how we give back to the community

Events

 
Events

Upcoming conferences and webinars

Meet the Team
Meet the Team

Meet our executive team of experts

        

Press Releases

 
Press Releases

Major company news and announcements

Request a Speaker

 
Request a Speaker

Request our experts to speak at your event

Testimonials

 
Testimonials

Hear what others have to say about us
Compliance Services

SOC Reporting Services

SOC Reporting Services

For organizations new to the SOC process or organizations interested in reviewing high risk areas that may have emerged since their last audit, Compass IT Compliance offers the SOC Readiness Assessment. This solution assists organizations in identifying the necessary internal controls, documentation, and gaps within their business, information technology, and security programs. SOC audits can be a daunting and intimidating task for organizations of any size. Our team of certified professionals has extensive experience in helping organizations navigate the complex requirements needed to complete a SOC audit successfully. Compass IT Compliance helps organizations across all industries examine and improve their data privacy and compliance controls to meet evolving customer, partner, industry, and regulatory requirements.

Services are performed by skilled professionals who have extensive experience in risk and control-oriented audits and information security to validate, prior to an actual service audit, the different criteria for the 5 Trust Services Criteria (TSC) defined in conjunction with an independent CPA firm. Our SOC Readiness Assessment is a multi-step process outlined below:

      

Steps

     

This approach ensures your preparedness and future success for this type of engagement and reduces the possibility of a qualified opinion or reporting exception. Contact us today to learn more and discuss your unique situation!

What is a SOC Report?

System & Organizational Controls (SOC) reports are internal control reports that outline the services that are being provided by a service organization and the controls related to the service that is being offered. This provides valuable information to potential customers and allows the service organization to build trust and confidence around their service offerings. A Service Auditor's Report can help a service organization to:

  • Build trust with customers
  • Be a key differentiator to prospective clients
  • Ensure that all requests from user organizations and their auditors rely on the SOC report

SOC reports are intended to build consumer trust, and are required or beneficial for organizations such as: Data Centers, Loan Servicing, Payroll, Medical Claims, SaaS, Software Developers, etc. Not all SOC reports are alike. These documents come in the following variations:

     

SOC 1 Report

A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management.

SOC 2 Report

The SOC 2 report deals specifically with controls related to Security, Confidentiality, Privacy, Availability, and Processing Integrity and are known as the 5 Trust Services Criteria (TSC). SOC 2 reports provide organizations with a broad range of information and assurance in regards to the controls and organization has in place for their systems that deal with the information processed by these systems.

SOC 3 Report

The SOC 3 report is intended to be publicly shareable, and can be provided to clients or posted on an organization's website to boost consumer confidence in the organization's controls, whereas the SOC 1 & 2 can't be publicly shared. SOC 3 covers the same areas as SOC 2, but the report removes confidential information and details.

       

These reports can be performed as either a Type I or Type II:

      

Type I Report

The Type I report is a report on management's description of the system(s) in scope and the suitability and design of the controls related to the Trust Services Criteria (TSC) at a point in time.

Type II Report

The Type II report is more detailed. The Type II report includes the statements above, related to a Type I report, but takes it a step further to outline the operating effectiveness of the controls in place over a period of time, not less than 6 months.

    

Selecting Trust Services Criteria (TSC)

When preparing for a SOC 2 report, one of the first steps is to select which Trust Services Criteria (TSC) will be included in the report. Every SOC 2 report includes the Security criterion, as it is a required component of the report. Beyond the Security criterion, organizations have the option to also include the Availability, Processing Integrity, Confidentiality, and Privacy criteria. Compass IT Compliance Account Managers and Cybersecurity Practitioners are always available to consult with organizations prior to beginning the SOC readiness and audit process to identify which criteria may be best suited for the organization’s business needs. Below are some situations organizations may want to consider when selecting Trust Services Criteria for an upcoming SOC 2 report:

   

Security

This criterion (also known as the Common Criteria) is required for all SOC 2 reports and refers to the protection of information during its collection or creation, use, processing, transmission, and storage. It also covers those information systems that use, process, or store that information to enable the entity to meet its objectives.

Availability

This criterion should be included if your organization wants to provide evidence to customers that your systems are available for operation. This includes customers that have expectations regarding downtime service-level agreements, uptime guarantees, status updates, and other accessibility requests.

Processing Integrity

This criterion should be included if your organization deals with the processing of data and needs to ensure that the data input into your systems is accurate. Organizations who provide financial, e-commerce, or other data-related services should consider this criterion.

Confidentiality

This criterion should be included if your customers have confidential non-personal data stored in your organization’s platform (transaction details, business plans, etc), want their data deleted when contracts end, or require non-disclosure agreements when doing business with you.

Privacy

This criterion should be included if your organization is governed by privacy regulations such as HIPAA, GDPR, CCPA, etc. or if your customers have sensitive personally identifiable information in your organization’s platform, such as names, social security numbers, health information, or home addresses.

        

Related Resources

Vulnerability Assessment

Penetration Testing

Incident Response Planning

Business Continuity Planning

Cloud Security Risk Assessments

SOC Blog Posts

Contact Us

Compass IT Compliance, LLC

Corporate Office:
2 Asylum Road
North Providence, RI 02904
 
Phone: (401) 353-3024
 

Recent Posts

Subscribe to Our Blog!
Copyright © 2022 Compass IT Compliance, LLC. All Rights Reserved.