When the Romans perfected aqueducts, those channels that transported fresh water from the source to established cities and towns became the backbone of those areas. Though the Romans were excellent civil engineers, the creation and implementation of aqueducts still required a lot of planning—projects could consist of different elements like pipes, tunnels, canals, and bridges, as well as combinations of these.

Can I have disaster recovery controls within my SOC 1 test of controls matrix?

Is there a SOC certification similar to an ISO 27001 certification?

Although undergoing a SOC 2 examination is not a mandatory security framework and as such, is not a legal or regulatory requirement for every business, it is often considered a necessity for companies. This is especially true for organizations that regularly store customer data and handle sensitive information.

Periodic reviews of system access are critical for service organizations who wish to maintain strong internal control around information security. Access privileges to systems or physical locations that impact the customer’s business environment should be commensurate with the requirements of the services provided. These privileges should also facilitate segregation of incompatible duties. For example, in order to segregate incompatible duties, a system developer generally should not also have access to migrate changes to the production environment.

When auditors begin to test procedures for compliance examinations (i.e., SOC 1, SOC 2), there are cases where the clients are performing certain tasks; however, they are not documented, which puts the auditors in a precarious position.

In my line of work, it is not only advisable to have a mastery of the facts, but prudence would suggest that a good dose of foresight and reason based on actual experience can often times be as valuable a tool. Since the days of the SAS 70, we have seen several subjective opinions about both the appropriateness and/or the ineffectiveness of the SAS 70 report. Even today, there continues to be concerns on how SOC 1 reports, also known as SSAE 16 examinations, are being used in situations that fail to have bearing on internal controls over financial reporting.

DevOps, like Agile development before it, accents the continuous evolving state of software development, particularly in cloud-base software. Like any technology change, there is no surprise that auditor and security professionals are challenged as the traditional separation of duties become more and more gray. As someone who oversaw product management in an Agile / SaaS development environment and now manages audits and certifications for leading edge cloud solution providers, I offer my perspective.