Exam SY0-601 topic 1 question 104 discussion

Actual exam question from CompTIA's SY0-601
Question #: 104
Topic #: 1

The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?

  • A. GDPR compliance attestation
  • B. Cloud Security Alliance materials
  • C. SOC 2 Type 2 report
  • D. NIST RMF workbooks
Suggested Answer: C

Comments

Nirmalabhi
Highly Voted 2 years, 6 months ago
Do not overthink. The question is simply on auditing; note the words in the question: "...has requested that a third-party vendor provide supporting documents." Hence the correct answer is indeed SOC 2. See below, directly from Professor Messer's notes: If your organization has undergone an audit, then you’re probably familiar with the SSAE SOC 2 types I and II. This is from the American Institute of Certified Public Accountants, or the AICPA. It’s an auditing standard called the Statement on Standards for Attestation Engagements number 18, or SSAE 18. During these audits, there’s a series of reports that are created, and the name for the suite of reports that are associated with trust services criteria, or security controls, is the SOC 2, that’s the System and Organization Controls number two. This audit focuses on topics that can include firewalls, intrusion prevention, or intrusion detection, or multi-factor authentication.
upvoted 28 times
DittoBrando
1 year, 3 months ago
Oh god... When I started reading Professor Messer took over my narration
upvoted 6 times
stoneface
Highly Voted 2 years, 10 months ago
I am split between SOC Type 2 and GDPR compliance -> SOC Type 2 -> A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. GDPR Compliance Attestations -> ATC 315 also helps mature your internal controls over GDPR compliance and can help you manage GDPR compliance risk beyond what internal risk assessments and audits provide. ATC 315 can identify deficiencies in internal controls, pinpoint areas for improvement, and will strengthen your organization’s GDPR compliance posture. It seems that SOC Type 2 Report better matches the requirement. I listen to you ...
upvoted 17 times
Old_Boy_
1 year, 7 months ago
Well, if STONEFACE thinks it's a SOC Type 2 report, then it must be a SOC Type 2 report.
upvoted 13 times
KetReeb
2 years, 10 months ago
SOC Type 2 Report would verify that the vendor is an organization that maintains a high level of information security.
upvoted 1 times
andrizo
2 years, 8 months ago
GDPR only applies to collection of consumer data in Europe.
upvoted 3 times
DriftandLuna
1 year, 11 months ago
Yes - if I am unsure, I usually only use GDPR if Europe is mentioned.
upvoted 4 times
BD69
Most Recent 1 year, 4 months ago
Selected Answer: D
D: "The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle."
C is for the Cloud - didn't specify whether the vendor might be a CSP.
B is for the Cloud - didn't specify whether the vendor might be a CSP.
A is good if the 3rd party vendor follows European rules or resides in Europe.
upvoted 1 times
bknum9
1 year, 4 months ago
Selected Answer: C
C. SOC 2 Type 2 report
upvoted 1 times
Protract8593
1 year, 11 months ago
Selected Answer: C
A SOC 2 (Service Organization Control 2) Type 2 report is a widely recognized report that provides assurance about the controls and security measures implemented by a service organization. It is designed to evaluate a service provider's controls relevant to security, availability, processing integrity, confidentiality, and privacy. The SOC 2 Type 2 report specifically assesses the effectiveness of these controls over a specified period of time. Given that the Chief Information Security Officer (CISO) is requesting supporting documents to show proper controls in place to protect customer data, a SOC 2 Type 2 report would be the best choice. This report demonstrates that the third-party vendor has undergone an independent audit of its controls, providing valuable information about its security practices and compliance with industry standards.
upvoted 4 times
LiteralGod
1 year, 11 months ago
Selected Answer: A
GDPR specifically relates to customer data so that's what I went with. The question doesn't mention the EU, but it also doesn't mention anywhere outside of the EU.
upvoted 1 times
ApplebeesWaiter1122
1 year, 12 months ago
Selected Answer: C
A SOC 2 (System and Organization Controls 2) report is a widely recognized standard for evaluating and reporting on the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. A Type 2 report specifically covers a specified period of time and provides more in-depth information about the design and effectiveness of controls. By providing a SOC 2 Type 2 report, the third-party vendor can demonstrate that they have undergone a comprehensive assessment of their controls by an independent auditor and that they have implemented appropriate measures to protect customer data.
upvoted 2 times
LeonardSnart
2 years, 1 month ago
Selected Answer: C
"...[T]he System and Organization Controls (SOC) 2 report covers organizational cybersecurity controls. The auditor creates the SOC 2 report after evaluating an organization’s security controls. The SOC 2 report indicates that the organization is SOC 2 compliant and gives customers a level of assurance that the organization has adequate security controls in place. SOC 2 addresses five trust service principles: confidentiality, integrity, availability, security, and privacy. • SOC 2 Type II. The Type II report describes an organization’s systems and covers security controls’ operational effectiveness over a range of dates, such as 12 months. In this context, operational effectiveness refers to how well the security controls worked when mitigating risks during the range of dates. Soc 2 Type 2 compliance gives a higher level of assurance than SOC 2 Type I." Security+ SY0-601 Get Certified Get Ahead by D. Gibson
upvoted 1 times
mosher21
2 years, 2 months ago
Selected Answer: C
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. https://www.onelogin.com/compliance/soc-2-type-2
upvoted 1 times
Drealjesusfreak
2 years, 3 months ago
This is one of those questions that just throws you off the scent.
upvoted 1 times
DALLASCOWBOYS
2 years, 5 months ago
C. In the SOC 2 Type report, the auditor confirms that the controls are functioning properly.
upvoted 2 times
atrax
2 years, 7 months ago
Selected Answer: C
I work in GRC, and third-party vendors provide a SOC 2 report. GDPR is almost a law where they state their compliance, but it's never audited/certified.
upvoted 3 times
Knowledge33
2 years, 7 months ago
Selected Answer: A
The SOC 2 is a separate report that focuses on controls at a service provider relevant to security, availability, processing integrity, confidentiality, and privacy of a system. GDPR is the unique possible response, even though it's only applied in the EU. The other responses are not related to client data.
upvoted 4 times
Gravoc
2 years, 9 months ago
GDPR only applies when the entity operates or collects data in any EU country. This question doesn't specify if the personal information in question belongs to an EU member country. Therefore, we can eliminate option A. If the question stated anything at all about Europe, it would be A. Since it didn't, SOC 2 Type 2 is the correct answer. It's basically a modernized security audit that occurs usually at a minimum of every 6 months. A 3rd party supplying the results from its internal SOC 2 Type 2 audit would provide the required supporting documents to satisfy the CISO.
upvoted 2 times
redsidemanc2
2 years, 9 months ago
Selected Answer: C
GDPR relates to the EU; nothing in the question says they are in the EU. SOC Type 2: tests security controls in place.
upvoted 6 times
ScottT
2 years, 9 months ago
https://www.itgovernance.co.uk/soc-reporting
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)