IT Examiner School, Providence, RI

Pen Test Value

Ascertain the likelihood of gaining system access

Likelihood of exploiting a low risk vulnerability to gain higher level access

Detecting vulnerabilities not easily found using standard system protective means

Measure of risk for a cyber attack

List of vulnerabilities needing patching

Ability of current security methods to detect or repel an attack

Additional efforts needed to protect the network(s)/system(s)

Service Organization Control (SOC) Reports

There are two types of Service Organization Control (SOC) Reports:

• Type I
  • Describes the servicer’s descriptions of controls at a specific point in time
  • Auditor performs no testing of servicer’s controls - attesting to controls based on servicer’s account of controls - no opinion
• Type II (preferred)
  • Includes information from a Type I Report
  • Detailed testing of the servicer’s controls over a minimum consecutive six month period
  • Auditor expresses an opinion based on their testing
