Home > Articles

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Conduct or Facilitate Security Audits

Organizations should conduct internal, external, and third-party audits as part of any security assessment and testing strategy. These audits should test all security controls that are currently in place. The following are some guidelines to consider as part of a good security audit plan:

  • At minimum, perform annual audits to establish a security baseline.

  • Determine your organization’s objectives for the audit and share them with the auditors.

  • Set the ground rules for the audit, including the dates/times of the audit, before the audit starts.

  • Choose auditors who have security experience.

  • Involve business unit managers early in the process.

  • Ensure that auditors rely on experience, not just checklists.

  • Ensure that the auditor’s report reflects risks that the organization has identified.

  • Ensure that the audit is conducted properly.

  • Ensure that the audit covers all systems and all policies and procedures.

  • Examine the report when the audit is complete.

Remember that internal audits are performed by personnel within the organization, while external or third-party audits are performed by individuals outside the organization or another company. Both types of audits should occur.

Many regulations today require that audits occur. Organizations used to rely on Statement on Auditing Standards (SAS) 70, which provided auditors information and verification about data center controls and processes related to data center users and their financial reporting. A SAS 70 audit verified that the controls and processes set in place by a data center are actually followed. The Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, is a newer standard that verifies the controls and processes and also requires a written assertion regarding the design and operating effectiveness of the controls being reviewed.


An SSAE 16 audit results in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting. There are two types of SOC 1 reports:

  • SOC 1, Type 1 report: Focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system, and/or service.

  • SOC 1, Type 2 report: Includes the Type 1 report as well as an audit of the effectiveness of controls over a certain time period, normally between six months and a year.

Two other report types are also available: SOC 2 and SOC 3. Both of these audits provide benchmarks for controls related to the security, availability, processing integrity, confidentiality, or privacy of a system and its information. A SOC 2 report includes service auditor testing and results, and a SOC 3 report provides only the system description and auditor opinion. A SOC 3 report is for general use and provides a level of certification for data center operators that assures data center users of facility security, high availability, and process integrity. Table 6-5 briefly compares the three types of SOC reports.


Table 6-5 SOC Reports Comparison


What It Reports On

Who Uses It


Internal controls over financial reporting

User auditors and controller office


Security, availability, processing integrity, confidentiality, or privacy controls

Management, regulators, and others; shared under nondisclosure agreement (NDA)


Security, availability, processing integrity, confidentiality, or privacy controls

Publicly available to anyone

  • + Share This
  • 🔖 Save To Your Account