InfoX provides an initial gap assessment to determine risks and how effectively the controls in place mitigate those risks. The different evaluations that we administer cover both the design of the controls and their operating effectiveness over a period of time. Once issues are identified, we will guide you through the appropriate measures to optimize your controls.
- SOC 2 Reports – These reports address controls at a service organization associated with the Trust Service Principles (TSPs) of security, availability, and processing integrity of a system, or the confidentiality of the information processed by that system.
- Gap Assessments – InfoX helps service organizations identify their controls and determine any gaps that need to be filled before they start considering a Type 1 or Type 2 report.
- Type 1 Reports – You will receive a formal SOC assessment and report on the appropriateness and construction to date. Type 1 reports show that all controls are properly designed and allow for distribution to customers.
- Type 2 Reports – These reports are assessments spanning at least 6 months. A Type 2 report allows InfoX to test several controls to ensure that they were operating appropriately during the period of assessment.
The AICPA Statement on Standards for Attestation Engagements, released in December 2014, defines a guide for completing a SOC 2 review. The scope of a SOC 2 review is to independently issue a report based on a processing method at a data center or processing location. Organizations that request a SOC review will reference the AICPA trust services guides, and the review will include identified scopes from the Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. The result is an independent SOC report issued to present the findings based upon all or some of these criteria. These are covered under a type I or type II review and have a specified period of review coverage.
The identification, assessment, and prioritization of risks is a process that can be time-consuming and extensive. InfoX can assist in creating a risk management plan and selecting appropriate controls or countermeasures to measure each risk. Once the business impact of each risk is determined, a plan to address each risk with avoidance, transference, mitigation or acceptance will be generated according to the asset’s value to the organization.
We can also help with Business Continuity Planning (BCP), Contingency Planning (CP), Incident Response Planning (IR), and Disaster Recovery Planning (DR). These major areas of risk planning are important to implement before an incident occurs, and having a response plan outlined is critical to assuring continued operations when things get tough. InfoX’s management, business and security experience can guide your enterprise to a compliant solution.