Managing Your Vacation Ownership’s Digital Security Requirements

Today, many companies, including those in the vacation ownership industry, are being asked to complete detailed cybersecurity and IT infrastructure questionnaires by their biggest and best customers.

For many organizations, the requests are becoming much more frequent. Completing these digital security questionnaires requires the time of senior IT and security resources, time that could be spent much more productively elsewhere. Additionally, once a company completes and submits these questionnaires it no longer has control of this sensitive information, and there is a risk that these listings of digital security protocols could fall into the hands of malicious actors who might use the information to launch targeted cyber attacks.

Cybersecurity concerns are being embedded in the enterprise risk management procedures and policies of a growing number of companies. As a result, most large and middle-market companies have instituted strict vendor management policies requiring every organization they do business with that has access to their data and systems to demonstrate that it has instituted robust digital security protocols.

How can companies satisfy the cybersecurity vendor management requirements of their biggest and best customers without continually tying up the time of their senior IT and security people? Additionally, how can companies clearly communicate to potential new customers that they have implemented robust digital security practices, thereby giving them a competitive advantage in the marketplace?

The answer to both of these questions is a third-party security audit report known as a SOC report; SOC stands for System and Organization Controls. SOC reports address Security, Confidentiality, Processing Integrity, Availability and Privacy relative to a company’s IT policies and controls concerning the acquisition, processing, storage, transport and access to data and systems.

There are two distinct varieties of SOC reports that can provide this assurance:

  1. SOC 2 for Service Organizations
  2. SOC for Cybersecurity – Cybersecurity risk management report

Both of these reports are accompanied by an opinion of a licensed third-party service auditor that addresses the fairness of the system description in accordance with prescribed criteria, the adequacy of the controls and their design and, perhaps most importantly, whether the listed controls were effective for the audit period. The included System Description outlines the scope of the report and provides an overview of the infrastructure as well as the IT environment and related policies, procedures, IT controls and business process controls.

The SOC 2 for Service Organizations report includes a detailed control testing matrix that lists the prescribed criteria mapped to the individual control activities, together with a summary of the tests applied to each control and the results of that testing. The SOC for Cybersecurity report does not include this detailed control testing matrix and, as such, is intended for general distribution at the discretion of the company.

Organizations that have not had a SOC examination previously and are considering engaging a service auditor to perform one should consider engaging a firm to conduct a consulting engagement first. These consulting engagements, typically referred to as Readiness Assessments, assist a company in documenting its existing processes and the underlying IT and business process control activities, and in performing a control activity gap analysis. During this consulting phase, the relevant SOC criteria are mapped to existing controls, and new control activities are developed and implemented so that control activities are in place and mapped to all required criteria to reduce risk. The resulting documentation, once adopted by management, provides the basis for the SOC 2 or SOC for Cybersecurity audit. This type of planning and preparation service is designed to help companies prepare successfully for their initial SOC 2 or SOC for Cybersecurity audit.

Addressing the cybersecurity concerns of your customers with a SOC report is just good business! At a minimum, it will eliminate the need to complete multiple security questionnaires. Having a SOC security report will also position a company to attract larger customers. Successful completion of a SOC report will enable your company to display the SOC logo on all communications, digital and print. This illustrates to the marketplace that your company has embraced digital security and is poised to expand its business to the next level.

If you have additional questions or would like more information about the services our Timeshare Developers and Owners Associations group offers, please fill out the form below!
