1. Schedule a 30-minute Discovery Session
2. We determine IF and HOW we can help
3. We provide a Tailored Proposal
4. Together, we review the Proposal
Developed by the AICPA, SOC 2 is specifically designed for technology service providers that store client data in the cloud. SOC 2 applies to nearly every SaaS (Software-as-a-Service) company, as well as any company that uses the cloud to store client information. To become SOC 2 compliant, companies must undergo a cybersecurity audit. This audit analyzes five controls, known as the Trust Service Principles (TSP): security, availability, processing integrity, confidentiality, and privacy. Auditors assess whether these five controls are relevant to the industry.
We recommend penetration testing once a quarter as part of SOC 2 compliance.
There are two types of SOC 2 audits: Type I and Type II. A SOC 2 Type I audit is primarily a documentation review, whereas a SOC 2 Type II audit is a review of operations, i.e., of how effectively the controls are implemented.
Penetration testing is primarily used to test control effectiveness in SOC 2 Type II audits.
We follow a seven-phase methodology designed to maximize our efficiency, minimize risk, and provide complete and accurate results. The overarching seven phases of the methodology are:
We think it is better to have an ethical hacker find the holes in your enterprise than an adversary. Our SOC 2 Penetration Testing provides details on exploitable vulnerabilities in a prioritized, tangible manner. Our report allows you to better understand what your environment looks like from an attacker's perspective. This helps you prioritize efforts to mitigate risk and reduce the likelihood or impact of a breach.
Not only do our SOC 2 Penetration Testing Services show you what your attack surface looks like to an adversary, but they can also be used as a safe way to test your organization's Incident Response (IR) and digital forensics capabilities. Our Penetration Testing services can be used to tune and test your security controls, such as your IDS, firewall, endpoint security, router ACLs, etc.
The SOC 2 Penetration Test Report includes the IP addresses, URLs, mobile apps, and APIs tested, the vulnerabilities discovered, the steps taken during the assessment, the exploitable areas discovered, and prioritized recommendations. For any systems we are able to exploit, an "Attack Narrative" section discusses step by step the process we used to gain access, escalate privileges, etc.
SOC 2 Type II: an audit of management's description of a service organization's system and of the suitability of the design and operating effectiveness of its controls. A SOC 2 Type II audit looks at how the controls are described and used over a minimum six-month timeframe. The intent is to determine whether the controls are functioning as described by management. An auditor tests the controls and provides an opinion (attestation) comparing management's description against the operating effectiveness (test results) of the controls.
Although SOC 2 only specifies a penetration test every 180 days, we recommend a quarterly program that includes validation testing.
We understand that often the key objective of testing medical devices is to assist with FDA approval.
We help you meet the requirement to conduct an accurate and thorough assessment of risks to the confidentiality, integrity, and availability of ePHI.
The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.