Achieving SOC Certification
Integration Runbook V 2.2
Planning, Design, Execution & Testing of Critical Controls
Prepared By:
Mark S Mahre
Managing Partner US
Mobile 678-641-0390
mark.mahre@clearcost.us
March 2018
Methodology Created, Written and Documented by Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #2
TABLE OF CONTENTS
SOC PROJECT ENGAGEMENT ..... 4
  Engagement Process ..... 5
  Critical Controls Process ..... 6
  Areas of Required Critical Controls ..... 7
  Five Principles of Critical Controls ..... 8
  Types of Reporting ..... 8
  CLIENT Leadership Meetings ..... 8
  Project Approach and Execution ..... 9
  ClearCost Responsibilities ..... 10
  CLIENT Responsibilities ..... 10
MAJOR COMPONENTS OF PROJECT ENGAGEMENT ..... 11
  Project Deliverables & Documentation ..... 12
  SOC Compliance & Readiness Templates ..... 13
SOC INTEGRATION FRAMEWORK ..... 14
  Task Owners ..... 14
  Recording Tasks and Key Objectives ..... 15
    Mapping & Approach ..... 15
    Readiness & Resources ..... 15
    Analysis, Architecture & Processes ..... 15
    Suitability, Remediate & Pre-Testing ..... 15
    Execution, Sustainability & Reporting ..... 15
    Testing, Sampling, and Fairness ..... 15
IN CLOSING ..... 16
Version Control
Created By: Mark S Mahre | Title: Managing Partner US

Ver # | Revised By | Date Revised | Notes
1.0 | Mark S Mahre | January 2017 | Template Creation
1.1 | Mark S Mahre | March 2018 | Added more SOC Project Engagement Details
2.0 | Mark S Mahre | March 2018 | Made generic ('CLIENT') for sending to Marketing
2.1 | Mark S Mahre | April 2018 | Modified for Partners
2.2 | Mark S Mahre | April 2018 | Modified for LinkedIn

QA Approval Date: | Approved By:
SOC PROJECT ENGAGEMENT
ClearCost US will provide professional services ("Consulting Services") for a System and Organization Controls 2 ("SOC 2") engagement covering the System Description, Information Security, the Critical Controls Table and the other SOC components listed below. This engagement will NOT cover the Out-of-Scope areas of control shown in the table. ClearCost may also provide guidance on building a central repository for housing all of the supporting SOC documentation.
Specific SOC components for SOC compliance:

SOC Component | Critical Control Area | Scope
System Description | Company & Services | In Scope
Information Security | IT Operations & Controls | In Scope
Readiness Planning & Strategy | On-Going Meetings with Audit Firm and Setting Target Requirements | In Scope
Critical Controls Section | Security | In Scope
Critical Controls Section | Availability | In Scope
Critical Controls Section | Processing Integrity | In Scope
Critical Controls Section | Confidentiality | In Scope
Critical Controls Section | Privacy (includes PHI & HIPAA) | In Scope
Governance, Policies & Procedures | Repository, Processes, Training & Documentation | In Scope
Infrastructure & Monitoring | All Technical Services | In Scope
Evidence & Audit | Procedures, Timing, Expectations, Resources | In Scope
Management Assertion | Written by CLIENT management and evaluated by the Audit Firm | Out of Scope
Fairness & Evidence Report | Performed by Audit Firm | Out of Scope
ClearCost consulting services include guidance and readiness for the SOC audit; they do not include legal advice or direction on implementing controls, procedures or policies within the CLIENT data center facility. CLIENT employees remain responsible for creating the governance, controls and procedures for each Critical Control Target within the Critical Controls Criteria. In the responsibility diagram below, the Audit Firm provides the services marked in Light Blue, ClearCost consultant(s) lead the components marked in Red, and CLIENT leads the subjects marked in Dark Blue.
[Responsibility diagram, colour-coded in the original (colours are not preserved in this extraction). Labels shown: Assertion; System Description; Critical Control Targets & Execution; SOC Reporting; Fairness & Evidence; Strategy & Planning; Policies & Procedures; Information Security; Readiness Assessment; SOC Training; Infrastructure & Monitoring; Uploading Evidence; Providing Evidence; Fairness Meetings, Status Meetings, Critical Control Target Reviews, and Compliance Documentation Reviews; Assertion Approvals.]
Engagement Process
Critical Controls Process
This engagement includes guidance and a framework for the System Description, Information Security and Critical Controls Table (five areas) suitable for Type 1 or Type 2 reporting. Services also identify risk assessment gaps within the control domains and provide remediation recommendations before the pre-audit and audit process. ClearCost services include reviewing controls related to Change Management, Breach Compliance, Help Desk, Client SLAs, Change Authorization Board Governance, SOC Training, Quarterly SOC Leadership Meetings and HR Controls for meeting compliance.
The diagram covers the Lead Responsibilities for setting the Critical Controls Language and Targets.

[Process diagram, five stages left to right: (1) Critical Controls: Assessments, Language & Targets; (2) Define Governance, Security, Policies & Controls; (3) Execute Governance, Security, Policies & Controls; (4) Achieve Compliance & Evidence Gathering; (5) Evidence Review & Evidence Uploads. Legend: ClearCost Lead / Joint Efforts / CLIENT Lead.]
Areas of Required Critical Controls
Five Principles of Critical Controls
SOC 2 reports focus on controls at a service organization relevant to the following Trust Services Criteria (categories). Security is the common criteria included in every SOC 2 report; the other four are included only when they are placed in scope:
• Security: the system is protected against unauthorized access, both physical and logical, covering end-point security, the network, data centers and cloud environments,
• Availability: the system is available for operation and use as committed or agreed in SLAs,
• Processing Integrity: system processing is complete, accurate, timely and authorized,
• Confidentiality: information designated as confidential is protected as committed or agreed, and
• Privacy: personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments and criteria set by CLIENT, here with regard to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Protected Health Information ("PHI") privacy principles.
Types of Reporting
The types of reporting are:
• Type 1 (Report 1): a report on management's description of the service organization's system and the suitability of the design of the critical controls as of a single point in time,
• Type 2 (Report 2): a report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls over a defined review period (typically six to twelve months),
• Fairness and Evidence Process: which controls are required, how each control is defined, who is responsible for it, maintaining service levels per client contracts, adhering to standards, and producing evidence throughout the audit period.

Both report types are attestation reports issued by the audit firm; SOC 2 does not issue a certificate, so "certification" in this runbook means a completed SOC 2 report.
CLIENT Leadership Meetings
Quarterly meetings with the CLIENT Leadership Team to maintain compliance:
• Predict, monitor, identify, mitigate and address areas of risk and implement a proper risk mitigation strategy
• Review the controls, compliance obligations and risk associated with the data and metadata that the organization:
  ✓ operates,
  ✓ collects,
  ✓ processes,
  ✓ transmits,
  ✓ stores,
  ✓ organizes,
  ✓ maintains and
  ✓ disposes of on behalf of its clients' entities.
Project Approach and Execution
Below is a systematic approach to our SOC Strategy, Analysis, Design, Governance, Readiness, Testing, Execution and Audit criteria and controls for the project.
ClearCost Responsibilities
This assessment engagement is designed to provide reasonable, but not absolute, assurance over the controls and governance within the data center environment. ClearCost will not perform evidence gathering or write documentation for the CLIENT environment outside the areas of service shown in the deliverables table on the next page.

The consultant will be responsible for leading the following:
• Project Kick-Off Meeting,
• Project Status Meetings,
• SOC Overview Status Reporting,
• System Description Delivery,
• Information Security Delivery,
• Critical Controls Targets,
• Change Management, Infrastructure & Compliance Meetings,
• Pre-Audit Run-Through,
• Evidence Uploading, and
• SOC Leadership Management DARs.
CLIENT Responsibilities
Because this assessment engagement is designed to provide reasonable, but not absolute, assurance over the controls and governance within the data center environment, ClearCost will not perform examinations of systems, data or application transactions within the CLIENT environment, and is not responsible for any breaches outside the areas of service noted in the project scope section.
In addition, the assessment services cannot be relied on to detect non-compliance with laws or regulations, fraud, or material errors attributable to CLIENT personnel. CLIENT acknowledges its responsibility to inform, train and clearly communicate the security, availability, confidentiality and privacy obligations that fall under the SOC 2 criteria, meaning that CLIENT is responsible for properly training its user community and testing its systems.

CLIENT will be responsible for the following:
• Maintaining the content of the System Description and Information Security documentation,
• Managing the content of the Critical Controls Table throughout the consulting engagement and until the end of the period covered by the official audit,
• Providing all services needed to support and comply with the Critical Controls Table functions,
• Having personnel available to design, implement and document controls suitable for operating effectiveness against the trust services criteria,
• Providing supporting documentation for governance, workflow, organization structure, information systems and third-party contracts,
• Participating in interviews, walk-through reviews and evidence support to understand the elements of the Critical Controls Table,
• Providing ClearCost consultants with proper and reasonable access to resources in a timely manner, and
• Providing personnel to record meeting notes and minutes and to document recommendations during the consulting engagement.
MAJOR COMPONENTS OF PROJECT ENGAGEMENT
The following tasks are major components of the deliverables for the consulting services engagement:
(Contact ClearCost to receive the IP (proprietary) content of the following sections)
Subject | Task | Est. Dates
(*) Estimates are based on very limited information about the CLIENT organization's Capability Maturity Model Integration level ("CMM" or "CMMI") and on what is available at the time of engagement. After the Project Kick-Off Meeting a high-level project plan will be created to improve accuracy, and only ACTUAL time worked on the specific tasks will be invoiced for the project.
Project Deliverables & Documentation
ClearCost Consultant(s) deliverables for the project include:

Document | Format
Project Planning (modification of this template) | MS Word
Monthly Project Status Reports | PDF
SOC Project Kickoff | PDF
System Description Template | MS Word
Information Security Template | MS Word
Critical Controls Table | MS Excel
Change Management Controls | MS Word and/or Visio
SOC Training Template | PPTX
SOC Integration Framework Poster | 24" x 48" Poster
Compliance & Readiness Templates | MS Word
Risk Assessment Quarterly Meeting Agenda Template | PPTX
Risk Assessment Worksheet | Excel
SOC Compliance & Readiness Templates
Project templates may include the following:
✓ Employee Handbook
✓ Employee Training Manuals
✓ Employee Job Descriptions
✓ Consultant or Third-Party Contractor NDAs & Contracts
✓ Client, Vendor and Third-Party MSAs
✓ Cloud or DC Infrastructure Diagrams
✓ Monitoring & Escalation Policy
✓ Asset Management (CMDB) Table
✓ Risk Assessment Quarterly Agenda
✓ Risk Assessment Worksheet
✓ Breach Notification
✓ HIPAA Privacy Policy
✓ Acceptable Use Policy
✓ Incident Response Process
✓ Change Management Process
✓ Help Desk Process
✓ HIPAA / PHI Security Practice and Certification Manuals
✓ SOC Training Certifications
SOC INTEGRATION FRAMEWORK
The following SOC Integration Framework will be used for the Project Execution.

[SOC-2 Integration Framework poster (Mark S Mahre; Mahre & Schweizer 2017). Layout: "Business Objectives" down the left, "Project Execution & Milestone Tracking" across the top. Participants: Sponsors; C-Level, Security Officer, Analysts, Subject Matter Experts, Project Managers & Consultants; Auditor.
Phases: INITIATE, PLAN, DESIGN, CONTROLS, OPERATIONAL, AUDIT.
Stage headings: Strategy, Requirements & Roadmap; Mapping, Approach & Budgeting; Assessment, Resources & Templates; Analysis, Strategy, Architecture, Apps & Processes; Suitability, Remediate & Pre-Testing; Execution, Sustainability & Reporting; Testing, Sampling & Fairness; Auditor Analysis.
Items shown on the poster: Business Case, Project Scope, Success Criteria, HIPAA Req., Road Map, Approvals, Project Design, Project Tasks, Risk Assessment, As-Is Assessment, Financials, Scheduling, Project Timeline, Resource Requirements, Gap Analysis, To-Be Requirements, Create Templates, Identify Partnerships, SOC Governance, HIPAA Mandates, Status Reporting, Change Controls, Authentication, Encryption Controls, Project Kick-Off, Auditor Assessment, Employee Awareness, Critical Controls, System Description, Information Security, Operational Effectiveness, Controls Testing, Readiness Reviews, Quarterly Meetings, Monitor Results, Lessons Learned, Upload Evidence, Audit Procedures, Sampling Process, SOC Compliance Report, Auditor's Letter, SOC Gap Letter, Risk Mitigations, Suitability of Design, Data RPO/RTO, DR/BCP Strategy, Incident Response, Cloud Services.]
Task Owners:
Assign a Task Owner (Stakeholder / Single Point of Contact, SPOC) for each task in the tables below.

Leadership Role | Team
CXO & Leadership | SOC Team
CISO | Security Team
CIO | IT Team
COO | Operations Team
Legal | Contracts Team
CFO | Finance Team
PMO | Consultants
RECORDING TASKS AND KEY OBJECTIVES:
(Contact ClearCost for receiving IP information within the following sections)
Mapping & Approach:
Readiness & Resources:
Analysis, Architecture & Processes:
Suitability, Remediate & Pre-Testing:
Execution, Sustainability & Reporting:
Testing, Sampling, and Fairness:
IN CLOSING
Comments and Next Steps
Analyze, Predict, Plan, Test, Implement and Improve
End of Document

Info Security & PCI(original)
Ā 
SOC 2 Compliance Made Easy with Process Street amp Drata
SOC 2 Compliance Made Easy with Process Street amp DrataSOC 2 Compliance Made Easy with Process Street amp Drata
SOC 2 Compliance Made Easy with Process Street amp Drata
Ā 
Safety management report of electrical engineering
Safety management report of electrical engineeringSafety management report of electrical engineering
Safety management report of electrical engineering
Ā 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
Ā 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Ā 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
Ā 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information Security
Ā 
SOC Certification.pdf
SOC Certification.pdfSOC Certification.pdf
SOC Certification.pdf
Ā 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
Ā 

More from Mark S. Mahre

Technology Alignment Framework
Technology Alignment FrameworkTechnology Alignment Framework
Technology Alignment FrameworkMark S. Mahre
Ā 
Technology Assessment Framework
Technology Assessment FrameworkTechnology Assessment Framework
Technology Assessment FrameworkMark S. Mahre
Ā 
Aprio Consulting Services - Cloud, ITFM, Compliance, Innovation, Technology
Aprio Consulting Services - Cloud, ITFM, Compliance, Innovation, TechnologyAprio Consulting Services - Cloud, ITFM, Compliance, Innovation, Technology
Aprio Consulting Services - Cloud, ITFM, Compliance, Innovation, TechnologyMark S. Mahre
Ā 
Governance - Project Management Office Professional Services
Governance - Project Management Office Professional ServicesGovernance - Project Management Office Professional Services
Governance - Project Management Office Professional ServicesMark S. Mahre
Ā 
SOC-2 Compliance Status Report sample v10.0
SOC-2 Compliance Status Report   sample v10.0SOC-2 Compliance Status Report   sample v10.0
SOC-2 Compliance Status Report sample v10.0Mark S. Mahre
Ā 
US State Government Case Study
US State Government Case StudyUS State Government Case Study
US State Government Case StudyMark S. Mahre
Ā 
ClearCost License & Implementation under $50K
ClearCost License & Implementation under $50KClearCost License & Implementation under $50K
ClearCost License & Implementation under $50KMark S. Mahre
Ā 
VP Reference Letter_Oct2015
VP Reference Letter_Oct2015VP Reference Letter_Oct2015
VP Reference Letter_Oct2015Mark S. Mahre
Ā 
CFO Reference Letter_Sept2015
CFO Reference Letter_Sept2015CFO Reference Letter_Sept2015
CFO Reference Letter_Sept2015Mark S. Mahre
Ā 
ClearCost Introduction 2015
ClearCost Introduction 2015ClearCost Introduction 2015
ClearCost Introduction 2015Mark S. Mahre
Ā 
Mark S Mahre - Info-Tech final
Mark S Mahre - Info-Tech finalMark S Mahre - Info-Tech final
Mark S Mahre - Info-Tech finalMark S. Mahre
Ā 
Spending Request Example V4
Spending Request Example V4Spending Request Example V4
Spending Request Example V4Mark S. Mahre
Ā 
IT Dashboard User Manual V2.2
IT Dashboard User Manual V2.2IT Dashboard User Manual V2.2
IT Dashboard User Manual V2.2Mark S. Mahre
Ā 
Capacity Management Process Handbook
Capacity Management Process HandbookCapacity Management Process Handbook
Capacity Management Process HandbookMark S. Mahre
Ā 
PMO Framework Corus360 V2B
PMO Framework Corus360 V2BPMO Framework Corus360 V2B
PMO Framework Corus360 V2BMark S. Mahre
Ā 
Data Migrations Framework V33
Data Migrations Framework V33Data Migrations Framework V33
Data Migrations Framework V33Mark S. Mahre
Ā 
FundFlow V3.6 Overview (Printable) 08-18-03
FundFlow V3.6 Overview (Printable) 08-18-03FundFlow V3.6 Overview (Printable) 08-18-03
FundFlow V3.6 Overview (Printable) 08-18-03Mark S. Mahre
Ā 
Enterprise Project Process Diagram May 2010
Enterprise Project Process Diagram May 2010Enterprise Project Process Diagram May 2010
Enterprise Project Process Diagram May 2010Mark S. Mahre
Ā 

More from Mark S. Mahre (19)

Technology Alignment Framework
Technology Alignment FrameworkTechnology Alignment Framework
Technology Alignment Framework
Ā 
Technology Assessment Framework
Technology Assessment FrameworkTechnology Assessment Framework
Technology Assessment Framework
Ā 
Aprio Consulting Services - Cloud, ITFM, Compliance, Innovation, Technology
Aprio Consulting Services - Cloud, ITFM, Compliance, Innovation, TechnologyAprio Consulting Services - Cloud, ITFM, Compliance, Innovation, Technology
Aprio Consulting Services - Cloud, ITFM, Compliance, Innovation, Technology
Ā 
Governance - Project Management Office Professional Services
Governance - Project Management Office Professional ServicesGovernance - Project Management Office Professional Services
Governance - Project Management Office Professional Services
Ā 
SOC-2 Compliance Status Report sample v10.0
SOC-2 Compliance Status Report   sample v10.0SOC-2 Compliance Status Report   sample v10.0
SOC-2 Compliance Status Report sample v10.0
Ā 
US State Government Case Study
US State Government Case StudyUS State Government Case Study
US State Government Case Study
Ā 
ClearCost License & Implementation under $50K
ClearCost License & Implementation under $50KClearCost License & Implementation under $50K
ClearCost License & Implementation under $50K
Ā 
ClearCost
ClearCostClearCost
ClearCost
Ā 
VP Reference Letter_Oct2015
VP Reference Letter_Oct2015VP Reference Letter_Oct2015
VP Reference Letter_Oct2015
Ā 
CFO Reference Letter_Sept2015
CFO Reference Letter_Sept2015CFO Reference Letter_Sept2015
CFO Reference Letter_Sept2015
Ā 
ClearCost Introduction 2015
ClearCost Introduction 2015ClearCost Introduction 2015
ClearCost Introduction 2015
Ā 
Mark S Mahre - Info-Tech final
Mark S Mahre - Info-Tech finalMark S Mahre - Info-Tech final
Mark S Mahre - Info-Tech final
Ā 
Spending Request Example V4
Spending Request Example V4Spending Request Example V4
Spending Request Example V4
Ā 
IT Dashboard User Manual V2.2
IT Dashboard User Manual V2.2IT Dashboard User Manual V2.2
IT Dashboard User Manual V2.2
Ā 
Capacity Management Process Handbook
Capacity Management Process HandbookCapacity Management Process Handbook
Capacity Management Process Handbook
Ā 
PMO Framework Corus360 V2B
PMO Framework Corus360 V2BPMO Framework Corus360 V2B
PMO Framework Corus360 V2B
Ā 
Data Migrations Framework V33
Data Migrations Framework V33Data Migrations Framework V33
Data Migrations Framework V33
Ā 
FundFlow V3.6 Overview (Printable) 08-18-03
FundFlow V3.6 Overview (Printable) 08-18-03FundFlow V3.6 Overview (Printable) 08-18-03
FundFlow V3.6 Overview (Printable) 08-18-03
Ā 
Enterprise Project Process Diagram May 2010
Enterprise Project Process Diagram May 2010Enterprise Project Process Diagram May 2010
Enterprise Project Process Diagram May 2010
Ā 

Recently uploaded

Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsCIToolkit
Ā 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
Ā 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Reviewthomas851723
Ā 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
Ā 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentationcraig524401
Ā 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
Ā 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentationmintusiprd
Ā 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sectorthomas851723
Ā 
Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)
Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)
Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)jennyeacort
Ā 
原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ
原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ
原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁjdkhjh
Ā 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramCIToolkit
Ā 
VIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130 Available With Roomdivyansh0kumar0
Ā 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Nehwal
Ā 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
Ā 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineeringthomas851723
Ā 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...AgileNetwork
Ā 

Recently uploaded (17)

Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
Ā 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Ā 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
Ā 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Ā 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
Ā 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
Ā 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
Ā 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
Ā 
Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)
Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)
Call UsšŸ”ā‡›+91-97111šŸ”47426 Call In girls Munirka (DELHI)
Ā 
原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ
原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ
原ē‰ˆ1:1复刻åƆč„æč„æęƔ大学ęƕäøščƁMississippięƕäøščƁē•™äæ”å­¦åŽ†č®¤čƁ
Ā 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Ā 
VIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat šŸ‘‰ 8250192130 Available With Room
Ā 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Ā 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Ā 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
Ā 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
Ā 
sauth delhi call girls in Defence ColonyšŸ” 9953056974 šŸ” escort Service
sauth delhi call girls in Defence ColonyšŸ” 9953056974 šŸ” escort Servicesauth delhi call girls in Defence ColonyšŸ” 9953056974 šŸ” escort Service
sauth delhi call girls in Defence ColonyšŸ” 9953056974 šŸ” escort Service
Ā 

SOC Certification Runbook Template

Achieving SOC Certification
Integration Runbook V 2.2
Planning, Design, Execution & Testing of Critical Controls

Prepared By: Mark S Mahre, Managing Partner US
Mobile 678-641-0390
mark.mahre@clearcost.us
March 2018

Methodology created and documented by Mark S Mahre. ClearCost US reserves all rights for information contained within this SOC Integration Runbook.

TABLE OF CONTENTS
SOC PROJECT ENGAGEMENT (p. 4)
  Engagement Process (p. 5)
  Critical Controls Process (p. 6)
  Areas of Required Critical Controls (p. 7)
  Five Principles of Critical Controls (p. 8)
  Types of Reporting (p. 8)
  CLIENT Leadership Meetings (p. 8)
  Project Approach and Execution (p. 9)
  ClearCost Responsibilities (p. 10)
  CLIENT Responsibilities (p. 10)
MAJOR COMPONENTS OF PROJECT ENGAGEMENT (p. 11)
  Project Deliverables & Documentation (p. 12)
  SOC Compliance & Readiness Templates (p. 13)
SOC INTEGRATION FRAMEWORK (p. 14)
  Task Owners (p. 14)
  Recording Tasks and Key Objectives (p. 15)
    Mapping & Approach (p. 15)
    Readiness & Resources (p. 15)
    Analysis, Architecture & Processes (p. 15)
    Suitability, Remediate & Pre-Testing (p. 15)
    Execution, Sustainability & Reporting (p. 15)
    Testing, Sampling, and Fairness (p. 15)
IN CLOSING (p. 16)

Version Control
Created By: Mark S Mahre    Title: Managing Partner US

Ver #   Revised By      Date Revised    Notes
1.0     Mark S Mahre    January 2017    Template creation
1.1     Mark S Mahre    March 2018      Added more SOC Project Engagement details
2.0     Mark S Mahre    March 2018      Made generic ("CLIENT") for marketing distribution
2.1     Mark S Mahre    April 2018      Modified for partners
2.2     Mark S Mahre    April 2018      Modified for LinkedIn

QA Approval Date:            Approved By:

SOC PROJECT ENGAGEMENT

ClearCost US will provide professional services ("Consulting Services") for a Service Organization Control 2 ("SOC 2") engagement covering the System Description, Information Security, the Critical Controls Table and the other SOC components listed below. The engagement will NOT cover the Out-of-Scope areas of control shown in the table. ClearCost may also provide guidance on building a central repository for housing all supporting SOC documentation.

Specific SOC components for SOC compliance:

SOC Component                      Critical Control Area                                              Scope
System Description                 Company & Services                                                 In Scope
Information Security               IT Operations & Controls                                           In Scope
Readiness Planning & Strategy      On-going meetings with Audit Firm and setting target requirements  In Scope
Critical Controls Section          Security                                                           In Scope
Critical Controls Section          Availability                                                       In Scope
Critical Controls Section          Processing Integrity                                               In Scope
Critical Controls Section          Confidentiality                                                    In Scope
Critical Controls Section          Privacy (includes PHI & HIPAA)                                     In Scope
Governance, Policies & Procedures  Repository, processes, training & documentation                    In Scope
Infrastructure & Monitoring        All items; technical services                                      In Scope
Evidence & Audit                   Procedures, timing, expectations, resources                        In Scope
Management Assertion               Performed by Audit Firm                                            Out of Scope
Fairness & Evidence Report         Performed by Audit Firm                                            Out of Scope

ClearCost consulting services include guidance and readiness for the SOC audit. They do not include legal advice or direction for implementing controls, procedures or policies within the CLIENT data center facility: CLIENT employees are responsible for creating the governance, controls and procedures for each Critical Control Target within the Critical Controls Criteria.

(Responsibility diagram; the colour coding is not preserved in this text. The Audit Firm provides the services marked in Light Blue, ClearCost consultant(s) lead the components marked in Red, and CLIENT leads the subjects marked in Dark Blue. Items shown: Assertion; System Description; Critical Control Targets & Execution; SOC Reporting; Fairness & Evidence; Strategy & Planning; Policies & Procedures; Information Security; Readiness Assessment; SOC Training; Infrastructure & Monitoring; Uploading Evidence; Providing Evidence; Fairness Meetings, Status Meetings, Critical Control Target Reviews and Compliance Documentation Reviews; Assertion Approvals.)

Engagement Process

(Diagram)

Critical Controls Process

This engagement includes guidance and a framework for the System Description, Information Security and Critical Controls Table (five areas) suitable for Type 1 or Type 2 reporting. Services also identify risk-assessment gaps within the control domains and recommend remediation before the pre-audit and audit process. ClearCost services include reviewing controls related to Change Management, Breach Compliance, Help Desk, Client SLAs, Change Authorization Board governance, SOC Training, Quarterly SOC Leadership Meetings and HR Controls.

(Diagram of lead responsibilities for setting the Critical Controls language and targets. Stages: Critical Controls: Assessments, Language & Targets; Define Governance, Security, Policies & Controls; Execute Governance, Security, Policies & Controls; Achieve Compliance & Evidence Gathering; Evidence Review & Evidence Uploads. Each stage is marked ClearCost Lead, Joint Effort or CLIENT Lead.)

Areas of Required Critical Controls

(Diagram)

Five Principles of Critical Controls

SOC 2 reports focus on controls at a service organization relevant to the following principles:
• Security: the system is protected against unauthorized access, both physical and logical, across endpoints, the network, data centers and cloud environments.
• Availability: the system is available for operation and use as committed or agreed in SLAs.
• Processing Integrity: system processing is complete, accurate, timely and authorized.
• Confidentiality: information designated as confidential is protected as committed or agreed.
• Privacy: personal information is collected, used, retained, disclosed and destroyed in conformity with CLIENT's commitments and with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") requirements for Protected Health Information ("PHI").

Types of Reporting

The types of reporting are:
• Type 1 (Report 1): a report on management's description of the service organization's system and the suitability of the design of the critical controls, as of a single point in time.
• Type 2 (Report 2): a report on management's description of the service organization's system and the suitability of the design and the operating effectiveness of the controls over a period of time.
• Fairness and Evidence Process: which controls are required, how controls are defined, who is responsible for each control, maintaining service levels per client contracts, adhering to standards, and producing evidence throughout the audit period.
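The practical difference between the two report types is what the CLIENT must be able to hand the audit firm: for Type 1, one artifact showing each control is designed and in place at the as-of date; for Type 2, artifacts showing the control kept operating at its stated frequency across the whole examination window, with no unexplained stretch of silence. The Python script below is an added example, not part of the ClearCost runbook: it takes rows shaped like a Critical Controls Table and reports, per control and per principle, the stretches of the window that have no evidence. The control IDs, owners, dates and the per-control `max_interval_days` tolerance are all constructed sample data; the tolerance is an assumption that in practice would be agreed with the audit firm.

```python
"""Evidence-coverage check for SOC 2 Type 1 vs Type 2 readiness.

Added example, not part of the ClearCost runbook. It takes rows of a
Critical Controls Table (control ID, trust services principle, owner,
the maximum acceptable interval between evidence artifacts, and the
dates of the artifacts gathered so far) and reports the stretches of
the examination window with no evidence. All IDs, owners, intervals and
dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

Gap = Tuple[date, date]  # inclusive first and last day with no evidence


@dataclass
class Control:
    control_id: str          # hypothetical ID, not a TSC reference
    principle: str           # Security, Availability, Processing Integrity, ...
    description: str
    owner: str
    max_interval_days: int   # assumption: agreed with the audit firm per control frequency
    evidence_dates: List[date] = field(default_factory=list)


def type1_gaps(control: Control, as_of: date) -> List[Gap]:
    """Type 1 (point in time): one artifact dated on or before `as_of`
    and no older than one interval shows the control is designed and in
    place; if none exists the whole look-back window is reported as a gap."""
    window_start = as_of - timedelta(days=control.max_interval_days)
    if any(window_start <= d <= as_of for d in control.evidence_dates):
        return []
    return [(window_start, as_of)]


def type2_gaps(control: Control, period_start: date, period_end: date) -> List[Gap]:
    """Type 2 (period): the control must be shown operating throughout the
    period, so every stretch longer than one interval without an artifact
    is a gap, including the run-in from period_start to the first artifact
    and the run-out from the last artifact to period_end. Artifacts dated
    outside the period do not count."""
    allowed = timedelta(days=control.max_interval_days)
    dates = sorted(d for d in control.evidence_dates if period_start <= d <= period_end)
    gaps: List[Gap] = []
    prev = period_start - timedelta(days=1)             # sentinel: day before the period
    for d in dates + [period_end + timedelta(days=1)]:  # sentinel: day after the period
        if d - prev > allowed:
            gaps.append((prev + timedelta(days=1), d - timedelta(days=1)))
        prev = d
    return gaps


def readiness_report(controls: List[Control], report_type: int,
                     period_start: date, period_end: date) -> Dict[str, List[Gap]]:
    """Map each control ID to its evidence gaps for the chosen report type.
    For Type 1 only period_end (the as-of date) is used."""
    if report_type not in (1, 2):
        raise ValueError("report_type must be 1 or 2")
    report: Dict[str, List[Gap]] = {}
    for c in controls:
        report[c.control_id] = (type1_gaps(c, period_end) if report_type == 1
                                else type2_gaps(c, period_start, period_end))
    return report


def summarize_by_principle(controls: List[Control],
                           report: Dict[str, List[Gap]]) -> Dict[str, Tuple[int, int]]:
    """Per principle: (controls with no gaps, total controls)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for c in controls:
        ok, total = summary.get(c.principle, (0, 0))
        summary[c.principle] = (ok + (not report[c.control_id]), total + 1)
    return summary


def sample_controls() -> List[Control]:
    """Constructed sample rows (hypothetical IDs, owners and dates)."""
    return [
        Control("SEC-01", "Security", "Quarterly user access review", "IT Operations", 100,
                [date(2018, 1, 15), date(2018, 4, 10), date(2018, 7, 15)]),
        Control("AVL-01", "Availability", "Monthly backup restore test", "Infrastructure", 35,
                [date(2018, m, 5) for m in range(1, 13)]),
        Control("CHG-01", "Processing Integrity", "CAB approval recorded per production change",
                "Change Manager", 35,
                [date(2018, 1, 9), date(2018, 2, 6), date(2018, 3, 6), date(2018, 5, 8)]),
    ]


if __name__ == "__main__":
    controls = sample_controls()
    for rtype, start, end in ((1, date(2018, 1, 1), date(2018, 6, 30)),
                              (2, date(2018, 1, 1), date(2018, 12, 31))):
        report = readiness_report(controls, rtype, start, end)
        print(f"Type {rtype} window {start}..{end}")
        for cid, gaps in report.items():
            status = "OK" if not gaps else ", ".join(f"{a}..{b}" for a, b in gaps)
            print(f"  {cid}: {status}")
        print("  by principle:", summarize_by_principle(controls, report))
```

Measuring the interval between consecutive artifacts, rather than slicing the period into fixed calendar windows, avoids false gaps caused by month-length drift, and the two sentinels make the run-in and run-out stretches count: a quarterly review that last ran in July leaves a Type 2 gap to the end of the year even though the same control passes a Type 1 check as of June.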
CLIENT Leadership Meetings Quarterly Meetings with the CLIENT Leadership Team for meeting compliance: ā€¢ Predict, Monitor, Identify, Mitigate and Address areas of Risk and implement a proper Risk Mitigation strategy ā€¢ Controls for understanding the Compliance and Risk associated with the data and metadata that: āœ“ operates, āœ“ collects, āœ“ processes, āœ“ transmits, āœ“ stores, āœ“ organizes, āœ“ maintains and āœ“ disposes of information for our clientā€™s entities.
  • 9. Methodology Created and Documented by Written Mark S Mahre ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #9 Project Approach and Execution Below is a systematic approach to our SOC Strategy, Analysis, Design, Governance, Readiness, Testing, Execution and Audit criteria and controls for the project.
• 10. ClearCost Responsibilities
This assessment engagement is designed to provide reasonable, but not absolute, assurance on all controls and governance within the data center environment. ClearCost will not perform any evidence gathering or write documentation for the CLIENT environment outside of the noted areas of service shown in the deliverables table on the next page. The Consultant will be responsible for leading the following:
• Project Kick-Off Meeting,
• Project Status Meetings,
• SOC Overview Status Reporting,
• System Description Delivery,
• Information Security Delivery,
• Critical Controls Targets,
• Change Management, Infrastructure & Compliance Meetings,
• Pre-Audit Run Through,
• Evidence Uploading, and
• SOC Leadership Management DARs.
CLIENT Responsibilities
Because this assessment engagement is designed to provide reasonable, but not absolute, assurance on all controls and governance within the data center environment, ClearCost will not perform any examinations of systems, data or application transactions within the CLIENT environment, and is not responsible for any breaches outside of the noted areas of service in the project scope section. In addition, the assessment services cannot be relied on to detect instances of non-compliance with laws or regulations, fraud or material errors attributable to CLIENT personnel. CLIENT understands its responsibility to inform, train and clearly communicate the security, availability, confidentiality and privacy obligations that fall under the SOC regulations and responsibilities; that is, CLIENT understands its responsibility for properly training users and testing systems within the user community.
CLIENT will be responsible for the following:
• Maintaining the content for the System Description and Information Security documentation,
• Managing the content of the Critical Controls Table throughout the consulting engagement period and then until the final term after the official audit,
• Providing all services to support compliance with the Critical Controls Table functions,
• Having personnel available for designing, implementing and documenting the controls suitable for operating effectiveness to fulfill the trust services criteria,
• Providing supporting documentation for the following: governance, workflow, organization structure, information systems, and third-party contracts,
• Participating in interviews, walk-through reviews and evidence support to understand the elements within the Critical Controls Table,
• Providing ClearCost consultants with proper and reasonable access to resources in a timely manner, and
• Providing personnel for recording meeting notes and minutes and documenting recommendations during the consulting engagement.
• 11. MAJOR COMPONENTS OF PROJECT ENGAGEMENT
The following tasks are major components of deliverables for the consulting services engagement: (Contact ClearCost for receiving IP information within the following sections)
Subject | Task | Est. Dates (*)
(*) Estimates are based on very limited information on the CLIENT Organization's Capability Maturity Level Integration (aka "CMM" or "CMMI") and what is currently available at the time of engagement. However, after the Project Kick-Off Meeting a 'High-Level' Project Plan will be created to provide better accuracy, and only ACTUAL time worked on the specific tasks will be invoiced for the project.
• 12. Project Deliverables & Documentation
ClearCost Consultant(s) deliverables for the project include:
Documents | Format
Project Planning (modification of this template) | MS Word
Monthly Project Status Reports | PDF
SOC Project Kickoff | PDF
System Description Template | MS Word
Information Security Template | MS Word
Critical Controls Table | MS Excel
Change Management Controls | MS Word and/or Visio
SOC Training Template | PPTX
SOC Integration Framework Poster | 24" x 48" Poster
Compliance & Readiness Templates | MS Word
Risk Assessment Quarterly Meeting Agenda Template | PPTX
Risk Assessment Worksheet | Excel
• 13. SOC Compliance & Readiness Templates
Project templates may include the following:
✓ Employee Handbook
✓ Employee Training Manuals
✓ Employee Job Descriptions
✓ Consultant or 3rd-Party Contractor NDAs & Contracts
✓ Client, Vendor and 3rd-Party MSAs
✓ Cloud or DC Infrastructure Diagrams
✓ Monitoring & Escalation Policy
✓ Asset Management (CMDB) Table
✓ Risk Assessment Quarterly Agenda
✓ Risk Assessment Worksheet
✓ Breach Notification
✓ HIPAA Privacy Policy
✓ Terms of Acceptable Use Policy
✓ Incident Response Process
✓ Change Management Process
✓ Help Desk Process
✓ HIPAA / PHI Security Practice and Certification Manuals
✓ SOC Training Certifications
• 14. SOC INTEGRATION FRAMEWORK
The following SOC Integration Framework will be used for the Project Execution.
[Figure: Mark S Mahre SOC-2 Integration Framework poster (Mahre & Schweizer 2017). Phases across the top: INITIATE, PLAN, DESIGN, CONTROLS, OPERATIONAL, AUDIT. Rows: Business Objectives; Project Execution & Milestone Tracking; Mapping, Approach & Budgeting; Assessment, Resources & Templates; Analysis, Strategy, Architecture, Apps & Processes; Suitability, Remediate & Pre-Testing; Execution, Sustainability & Reporting; Auditor Analysis: Testing, Sampling & Fairness. Participants: C-Level, Security Officer, Analysts, Subject Matter Experts, Project Managers & Consultants.]
Task Owners: Assigning the Task Owners (Stakeholders / SPOC) for each task in the tables below.
CXO & Leadership, CISO, CIO, COO, Legal, CFO, PMO, SOC Team, Security Team, IT Team, Operations Team, Contracts Team, Finance Team, Consultants
• 15. RECORDING TASKS AND KEY OBJECTIVES:
(Contact ClearCost for receiving IP information within the following sections)
Mapping & Approach:
Readiness & Resources:
Analysis, Architecture & Processes:
Suitability, Remediate & Pre-Testing:
Execution, Sustainability & Reporting:
Testing, Sampling, and Fairness:
• 16. IN CLOSING
Comments and Next Steps
Analyze, Predict, Plan, Test, Implement and Improve
End of Document