IT Examiner School, Seaside, CA
Pen Test Value
• Ascertain the likelihood of gaining system access
• Likelihood of exploiting a low risk vulnerability to gain higher level access
• Detecting vulnerabilities not easily found using standard system protective means
• Measure of risk for a cyber attack
• List of vulnerabilities needing patching
• Ability of current security methods to detect or repel an attack
• Additional efforts needed to protect the network(s)/system(s)
Service Organization Control (SOC) Reports
There are two types of Service Organization Control (SOC) Reports:
• Type I
  – Describes the servicer’s descriptions of controls at a specific point in time
  – Auditor performs no testing of servicer’s controls - attesting to controls based on servicer’s account of controls - no opinion
• Type II (preferred)
  – Includes information from a Type I Report
  – Detailed testing of the servicer’s controls over a minimum consecutive six month period
  – Auditor expresses an opinion based on their testing