Case Study - SOC 2
Industry
Managed services providers that traditionally used the SAS 70 report to communicate their organization's control environment to their clients are seeking an alternative to meet their needs now that the SAS 70 has been retired. Most organizations that received a SAS 70 audit have migrated to the SSAE 16 SOC 1 report, but this option is not available to service organizations that do not impact their clients' internal controls over financial reporting, such as some managed services providers. The AICPA has developed the SOC 2 report, based on TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Privacy, Confidentiality and Processing Integrity, for service organizations to communicate their control environment when those controls do not impact their clients' internal controls over financial reporting.
Client Service Offering
Managed security providers focus on their clients' information security needs by managing and monitoring firewalls, routers and IDS sensors. They provide continuous support for these critical devices, staffed by experienced security professionals. The managed security providers have administrator access to these devices in order to perform routine maintenance, modify device configuration or take immediate action to defend against an attack on their clients' system resources. Whether these devices are owned by the managed security provider or by their clients, the managed security provider is responsible for the external security of their clients.
Client Need
With the responsibility and level of administrator access given to the managed security provider, a service organization controls report is needed to communicate the policies, procedures and processes in place and to show that an acceptable level of internal control has been implemented. The managed security provider needs to communicate the security controls in place to protect against unauthorized access to system resources, the confidentiality controls in place to protect their clients' sensitive data, and the availability controls in place to ensure that the infrastructure and supporting processes are designed to deliver the contracted services.
Solution
A-lign performs SOC 2 reports for managed security providers covering the security, confidentiality and availability principles. The SOC 2 report includes the predefined criteria outlined by the American Institute of Certified Public Accountants (AICPA), which list the industry best practices regarding policies, procedures and processes related to security, availability and confidentiality that should be in place in order to demonstrate a strong system of internal controls. The managed security provider thus has an alternative to the SAS 70 that clearly communicates the relevant controls to their customers.