State Lottery

Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project.  I would like to outline the purpose of the two projects and when you would select each.

Read More

Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services  A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project. I would like to outline the purpose of the two projects and when you would select each.

Read More

Ask A-LIGN: Is my Organization Required to Obtain a Type 2 SSAE 16 Examination Annually?

Answer: This is a question we are asked frequently by our clients and prospective clients, and the answer is: It Depends. Here’s why: The SSAE 16 guidance states that the period of review, or time frame that the report covers, should be at least six (6) months in the case of a Type 2 SSAE 16 examination.  While this standard sets a minimum period of review, it can be set to cover any period of time over 6 months – i.e., six months, nine months or one year.

Read More

Too many SSAE 16 audit detours?

  Does your Auditor offer: fixed fees? NO out-of-pocket expenses? a declining fee structure? over 250 SOC Audits of experience? the draft report within 10 days of completion? responds to your calls and emails on the same day?   If your current CPA firm is not meeting these standards,…

Read More

A-LIGN Security and Compliance Services To Present Webinar, “Reducing Audit Impact by A-LIGNing PCI DSS, SOC 1 & 2 Requirements”

Gene Geiger, Director at A-LIGN Security and Compliance Services will present a webinar to share practical recommendations for improving overall audit efficiency which will lead to reduced audit impact, audit costs and audit fatigue. The presentation will take place on April 18, 2012 from 1-2 pm EST. All individuals/organizations are…

Read More

The Value of SOC 2

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting functions, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

Read More

Cloud Computing and SOC 2

As more businesses begin to shift their interests to Cloud Computing, there are concerns regarding security-related risks.  First, let’s discuss the “Cloud”. Cloud computing is a new way of delivering computing resources, not a new technology.  Cloud computing providers give end users the ability to access applications via the internet.  As Cloud computing is achieving increased popularity, security concerns have become paramount with the adoption of this new computing model.  The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as the characteristics of this innovative deployment model differ widely from those of traditional architectures.

Read More

SOC 1 / SSAE 16 Case Study for Payroll Administration Services

Case Study - SSAE 16 (SOC 1) for Payroll Administration Services Industry Organizations that directly provide payroll administration services to your clients or are a vendor associated with companies that provide payroll administration services such as electronic funds transfer, payroll debit cards, payroll software, tax filing, or time and attendance and as such have a direct or an indirect impact on the end customers’ financial statements.

Read More

Value of the SOC 2 for Service Organizations

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting function, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

Read More

SOC 2 – Not your prior year SAS 70

After a 20 year reign as the service auditor’s report, the SAS 70 was retired this summer with much fanfare. After being used to communicate the design, implementation and operating effectiveness of controls at every type of service organization imaginable, the AICPA published new standards that better align the type of service organization and service provided to the report used to communicate the design, implementation and operating effectiveness of controls to the user of the report.

Read More