assurance - Re: [Assurance] Silver and SOC2

  • From: David Walker <>
  • To:
  • Subject: Re: [Assurance] Silver and SOC2
  • Date: Mon, 12 Nov 2012 12:23:46 -0800

Steve,

I believe SOC2 is not really a certification; it's guidance for auditors that could be used in conjunction with a certification standard (e.g., Gramm-Leach-Bliley).  The analogy for InCommon's assurance program would be the "Statements on Standards for Attestation Engagements" referenced in section 4.2 of the IAAF (version 1.2).

That said, it probably does address many of the operational aspects of InCommon certification, so a data center that has been audited in accordance with SOC2 could, in theory, use their SOC2 audit report as evidence for any parts of their Silver audit that had already been covered by the SOC2 audit.

David

On Mon, 2012-11-12 at 13:57 -0500, Steven Carmody wrote:
The Silver profile requires that any systems storing a user's password, or any systems that the user's password transits through in plaintext form, meet a number of operational and technical requirements (e.g., 4.2.3.4 (resistance of credential to guessing), 4.2.5.x, 4.2.8.2, 4.2.8.4, etc.).

Someone locally has asked me whether a data center that has been successfully audited against SOC2 would, by definition, meet all of those requirements? Well, maybe not "resistance of credential to guessing". But how many of the other requirements would it meet?

SOC2 has been described to me as an auditing standard for data center operation. It's easy to find summary descriptions of it like "SOC2 assures clients we use systems to protect their data. It audits security, availability, process integrity, privacy and confidentiality."

Has there been any discussion about having Silver rely on SOC2?

Thanks!
