Tag: ssae 16 controls

Firewall Controls in SOC 1 and 2: A Practical Example

Another series we will have periodic posts about will be related to potential controls that would be expected to be in place, almost regardless of the entity in question. This will be a really basic one to help get everyone up to speed; we will delve into other areas that may be a little more advanced in the future.

Example: Firewalls are in place at all externally facing access points.

The point of this control is to ensure that firewalls are being used at the organization to help prevent hacking attempts and, thus, the theft of data. Companies outsourcing their workloads want to have comfort that the company performing the work has adequate security measures in place to lower the chance of their data being stolen.

The Importance of Firewalls

Firewalls act as a barrier between your secure internal network and untrusted external networks such as the internet. Their primary function is to control incoming and outgoing network traffic by analyzing data packets and determining whether they should be allowed through or not, based on predetermined security rules.

Why Firewalls Are Essential

Immediate Action Required

If your organization does not currently have firewalls in place at all externally facing access points, this should be addressed immediately. The absence of this basic control not only exposes you to unnecessary risk but may also result in non-compliance with various regulatory standards.


SSAE 16 Terminology – Controls at a Service Organization

Controls at a Service Organization refer to the controls that are in place at your company. Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control. Typically, a service auditor will perform testing beyond P&P around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without that additional testing it would be impossible to have comfort that the P&P are actually being followed. Simply put, good policies and procedures will only get you so far during an audit, because you still need to prove to the auditors that the functions management says are being performed are actually being carried out correctly. This information is also consistent with SSAE-18, which is effective as of May 1, 2017.
