How are findings handled during security audits?
SOC
-Three exception types: description misstatement, control design issue, control operating effectiveness issue.
-Description misstatements and design issues are in section 1 of the report.
-Operating effectiveness issues are in section 4 of the report.
-CPAs use professional judgment to determine if exceptions are material and pervasive.
-Material/Not Pervasive 👉🏼 Qualified Opinion
-Material/Pervasive 👉🏼 Adverse Opinion
-Not Material 👉🏼 Unqualified Opinion
-Reasons for qualified or adverse opinions are in section 1 of the report.
-Management’s responses to exceptions are in section 5 of the report.
ISO 27001
-Nonconformities (NCs) are in the audit report issued by the certification body (CB).
-NCs are recorded against a specific requirement and contain a statement of the NC, identifying the evidence on which the NC is based.
-A root cause analysis is provided to the CB for all NCs.
-Plans for correction for all minor NCs are provided to the CB.
-The client must correct major NCs within 6 months after the last day of the stage 2 audit, or another stage 2 audit will be conducted.
-Opportunities for improvement (OFIs) may be noted, but do not impact the certification decision.
-Certification is granted if no major NCs exist and plans for correction are accepted by the CB.
-The certificate does not include NCs and OFIs.
PCI v4.0
-Findings are in the Report on Compliance (ROC).
-Section 1.7 of the ROC notes the overall assessment results as one of the following: “Compliant”, “Non-Compliant”, or “Compliant but with Legal Exception”.
-Section 1.8 of the ROC notes the assessment findings for each requirement as one of the following: “In Place”, “In Place with Remediation”, “Not Applicable”, “Not Tested”, or “Not In Place”.
-“In Place with Remediation” means a requirement was not in place at some point during the assessment period, but the gap was remedied prior to completing the assessment.
-The Attestation of Compliance (AOC) includes action plans for non-compliant requirements in Part 4.
FedRAMP
-Vulnerabilities are in Section 4 of the Security Assessment Report (SAR).
-Vulnerabilities from control testing are in the assessor’s Security Test Procedure Workbook.
-The cloud service provider (CSP) documents a Plan of Action & Milestones (POA&M) to address the vulnerabilities.
-The POA&M and SAR are part of the CSP’s security package submitted to their Authorizing Official (AO).
-The AO considers the vulnerabilities as part of their risk-based decision on whether or not to authorize the CSP’s system.
CMMC
-Will be officially documented when the CMMC Assessment Process (CAP) is approved for release by the DoD.
-POA&Ms will be allowed, but only for certain practices.
-POA&Ms will need to be remedied within a specific timeframe.
Source: LinkedIn – Troy Fine