CYBERSECURITY SERVICES

The Ever-Changing Control Environment

SYSTEM AND ORGANIZATION CONTROLS (SOC) SERVICES

With every passing day, more headlines emerge about cyberattacks compromising a seemingly endless array of entities. The problem is getting worse as individuals, corporations, and governments find themselves increasingly vulnerable to sophisticated attacks on their data and resources. The question is no longer ‘if’ an entity will suffer an attack, but ‘when’. This uncertainty creates significant risk for an organization, not only for its own systems and information, but also for data shared with its vendors, clients, and business partners. When your company suffers a cyberattack, do you know what to do?

Bowman & Company LLP’s System and Organization Controls (SOC) attestation practice helps service organizations minimize downtime and focus on what they do best. Through these engagements, we help satisfy third-party risk and assurance requirements and assist organizations in demonstrating the integrity of their control environment.

Three types of SOC attestation reports relate to cybersecurity: SOC for Cybersecurity, SOC 2, and SOC 3. Each helps an organization put a plan in motion and proactively address and prepare for the risks it will inevitably face.

SOC FOR CYBERSECURITY REPORT: WHAT IS IT?

An in-depth examination of an entity’s cybersecurity risk management program, using the trust services criteria for Security, Availability, and Confidentiality as the control criteria.

This report results from an examination of the organization’s entity-wide cybersecurity risk management program. Our team works directly with your firm’s management to identify and proactively address cybersecurity risks. The report consists of three components:

  • Organization’s Description of its Cybersecurity Risk Management Program – Management’s narrative of the program, prepared against the AICPA description criteria, covering the nature of the business, the cybersecurity objectives, the principal risks, and the processes and controls in place to address them
  • Management’s Assertion – Management’s statement that the description is presented in accordance with the description criteria and that the controls within the program were effective to achieve the entity’s cybersecurity objectives based on the control criteria
  • Practitioner’s Report – The practitioner’s opinion on whether the description is presented in accordance with the description criteria and whether the controls were effective to achieve the cybersecurity objectives, based on the control criteria

These components identify and illuminate the objectives of your cybersecurity risk management program. By working directly with management throughout the attestation process, our practitioners produce a report tailored to the sensitive information you aim to protect. Because the examination is scoped to the program as a whole, it assesses the effectiveness of the internal controls that support each cybersecurity objective. The process allows a company to reconcile, validate, and highlight its cybersecurity controls while creating a basis for continuous improvement. Once issued, the report can be used to communicate these strengths to key stakeholders within and outside the organization.

A SOC for Cybersecurity report evaluates the program’s controls against the trust services criteria for three of the five trust services categories:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.

SOC 2 REPORT: WHAT IS IT?

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy. This is a restricted-use report intended for management of the service organization, its user entities, and other specified parties with sufficient knowledge of the system.

SOC 2 is a report on the fairness of the presentation of management’s description of the service organization’s system and on the suitability of the design (and, for Type 2, the operating effectiveness) of the controls to meet the applicable trust services criteria. Within this engagement, there are two types:

Type 1 – Reports on the description of the system and the suitability of the design of controls as of a specified date.

Type 2 – Reports on the description of the system and the suitability of the design and operating effectiveness of controls throughout a specified period, typically six to twelve months.

These reports are prepared in accordance with TSP Section 100, Trust Services Criteria (formerly the Trust Services Principles) for Security, Availability, Processing Integrity, Confidentiality, and Privacy, and are specifically intended to increase confidence in a service organization’s systems. A SOC 2 report includes management’s description of the service organization’s system and, in a Type 2 report, a listing of the tests performed by the service auditor and the results of those tests.

SOC 2 reports address one or more of the following five trust services categories, selected by the service organization based on the commitments it makes to its customers:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with the privacy criteria in the Trust Services Criteria (which superseded the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants).

SOC 3 REPORT: WHAT IS IT?

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy. This is a general-use report suitable for a broad audience.

This report covers the same trust services categories as a SOC 2 report and is based on the same examination, but it omits the detailed system description and the auditor’s tests and results. Because it contains only the practitioner’s opinion, management’s assertion, and a brief description of the system, a SOC 3 report can be shared publicly. It can be posted on your company’s website to give potential and existing customers verifiable assurance over your security and confidentiality controls.

POTENTIAL BENEFITS

  • Increased client confidence through transparency
  • Fewer duplicative customer audits and security questionnaires
  • Enhanced risk management
  • Improved competitive advantage through differentiation
  • Streamlined business processes and controls
  • Potential marketing tools for prospective customers

These reports are designed to be actively used by the management of the service organization, user entities, prospective user entities, and regulators. The organization may also indicate on its website and in marketing materials that it has undergone a SOC 2, SOC 3, or SOC for Cybersecurity examination.

Our understanding of various industries, our experience in providing attestation services, and our team of skilled professionals distinctly qualify us to serve as your company’s cybersecurity auditor.

We invite you to CONTACT US if you would like additional information or to discuss your particular business needs.
