Does anyone in the “lounge” have experience with a SOC Report? We’re talking to a credit union to rebuild their site and they asked me about it. It’s a requirement of their Board. I’ve researched it a little, but wanted to know if someone has gone through it and could recommend a company.
I would talk to the guys at SiteLoK
If you’re talking about a US based company, you’re getting into one of the heaviest regulated and controlled industries in the country.
Make sure you “price” your services to include a lot of time for multiple audits. Banks and companies providing services to them, will (not can) get audited from internal, external and regulatory agencies. You also will probably need things like Errors and omissions insurance.
My understanding of SOC reports Level 1 is the same as a SSAE (Statement on Standards for Attestation Engagements) report. The level 1 (SOC 1) focuses on your company’s focuses on a controls that are likely to be relevant to an audit of a user entity’s (customer’s) financial statements.
The SOC level 2 (probably what they are looking for) is much more detailed including security, processing integrity, confidentiality and privacy.
These reports are probably best put together by an outside Accounting firm.
@teefers Thank you. I’ll look into the SSAE as well. I’m wanting to get a handle on what questions are being asked. I believe they did say something about Level 2. This is the second time I’ve heard of an Accounting firm in connection to an SOC. I’ll call some CPA’s that I know.
We’ve already built a site a few years ago to a credit union. I have a friend who’s a VP of Information/Security for a credit union and he suggested that we do not provide the hosting. He said as long as he’s worked in that industry, the only web development companies that have been audited (at his employers) were those that provided the hosting too.
We do carry E&O for that same credit union customer.
My insurance agent, just sent me this: http://resource.onlinetech.com/what-is-a-service-organization-control-soc-2-report/. Thought I would post it in case anyone else needs it at a future date.