About Us | Contact Us
View Cart

New Metrics for a New Round of SOC Reviews

By Matt Jolley | Monday, October 1, 2018 - Leave a Comment

Just in time for the next round of SOC reviews, we’ve reviewed and updated our metrics…


Well it’s that time of year again: the days are growing shorter, the leaves are changing color and your compliance officer is gathering up SOC reports for this year’s round of reviews!

Here at infotex we’ve long maintained a spreadsheet containing the key information from SOC reviews–number of expected controls, missing controls, number of exceptions and so on–but as the years have gone by our review process has been refined and we discovered that our most recent scores were diverging slightly from reports completed many years ago.

As the resident “SOC Guru,” the task of creating a new table of metrics fell upon me, and after several hours of collecting and sorting the data from the last three rounds of reviews I’m proud to offer a look at the metrics we’ll be using when comparing reviews starting this year.

On average, our “Overall Risk” metric (a combination of the risk level we’ve assigned to missing controls and noted exceptions) for reviews conducted since 2016 is 131.90. That number doesn’t mean much by itself, but in the context of the report we prepare for clients the overall risk metric allows you to compare your vendors with others we have reviewed recently. How does your core processor’s risk compare to other such vendors we’ve reviewed? The overall risk score will give you a general idea.

To see what we mean, we’ve made available a version of our metrics spreadsheet (with vendor names replaced with a generic description) available for free, and it is located here.

For those who don’t feel like browsing through a spreadsheet at the moment, here’s a few takeaways from our latest metrics review: the three organizations with the lowest risk were a datacenter for cloud computing and two other datacenters, coming in with overall risk metric numbers around 80. On the other end of the spectrum, our highest overall risk was found in a datacenter, a credit/debit card processor and a mortgage processor–their overall risk was around 180.

We think the data shows that the type of vendor has little to do with the overall risk: there isn’t one type of organization you can assume to be “safe” or “unsafe.” We can also say that there also isn’t a clear correlation between the size and clout an organization may have and the risk they may present to your company–some big names in the industry posted great scores, and others were considerably worse. You can use our metrics to compare your relative risk once you receive a score, but you can’t use them as a guide for a vendor that has yet to be reviewed.


Article by Matt Jolley, Staff Auditor at infotex.


same_strip_012513


 

Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Many organizations still fail to consider the unique risks posed by cloud computing… An article review. Last month thousands of Western Digital MyCloud device owners learned about the risks of cloud-based solutions the hard way: their data had been wiped remotely due to a flaw in the internet-facing component of their external hard drives. While […]
    infotex does not use Kaseya… We are protecting our Clients! Another blog post meant to inspire thought about IT Governance . . . . To all infotex managed security service Clients: As you may be aware there was a large ransomware attack recently that leveraged a remote management tool called Kaseya that is used by many […]
    While we’re not a news service, we often use current events to comment on trends and our services. This blog is intended to get people thinking about topics and trends in Technology Risk Management, through our article reviews, as well as through original blog articles about current events and our MSSP services (such as our […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS Dan Hadaway and Sara Fultz co-wrote an article in the Spring 2021 issue of the Ohio Record, the Official Magazine of the Ohio Bankers League.  Find out on page 20 and 21 of the magazine how tabletop testing strengthens bank cybersecurity. You can read the article here! […]
    You’ve heard it from every MSSP you’ve met: the definition of a SIEM is in the eye of the beholder. But at infotex, we are not talking about the database – an asset whose definition is continuously evolving. We’re talking about the way three teams collaborate in an overall Technology Risk Monitoring process. And whether […]
    After the large number of high-profile breaches in the recent months, it is easy to become disconcerted about how to prevent such things from happening to your Bank. The answer to preventing a breach is a very complex one. infotex will explore this with you! The heightened level of awareness and extra protective tendencies that […]
    A follow-up on Dan’s 2008 Password Manifesto On the NIST Publication on Digital Identity Guidelines Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . In June 2017, NIST released a special publication on digital identity, NIST SP 800-63, that is starting to get the attention […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Over Seven Billion Usernames Have Been Leaked in Breaches Since 2011… An article review. An unfortunate fact of modern life seems to be the inevitable announcement of new data breaches, and if you’ve lost track of how many breaches you’ve had to perform a risk assessment on you’re probably not alone…but just how much personal […]