Shared Responsibility in a Cloud environment

When an organization engages a cloud provider, responsibility for activities and controls is shared between them, and they agree on a shared responsibility model. In general the cloud provider is responsible for the underlying infrastructure, while the customer is responsible for data, applications and configurations. The precise division of responsibility depends on the cloud service model (IaaS, PaaS, or SaaS), with the customer having greater management responsibility and control under IaaS than under PaaS or SaaS. ...

1 min · Graeme Milroy

SOC2 for Service Organizations

What is a SOC2 report? A SOC2 (System and Organization Controls) report assesses a service organisation’s control environment. Type 1 vs Type 2 report: a Type 1 SOC2 report evaluates the design of controls at a specific point in time, while a Type 2 SOC2 report assesses both the design and operating effectiveness of controls over a defined period, typically 12 months. Further reading. Related pages: ISAE 3402.

1 min

What is a Control ?

A control is a procedure that a business adopts to mitigate a risk. A control may be preventative, in that it stops bad things from happening; detective, in that it notices when bad things happen and alerts the right people; or corrective, in that it not only detects the bad thing, but automatically fixes it. Preventative controls include: authorisation, access controls, segregation of duties, validation checks, training. Detective controls include: ...

1 min

What is a resistive control?

Further reading: The Open Group Risk Analysis (O-RA) Standard, Version 2.0.1. The Open Group O-RA standard notes that vulnerability controls are sometimes referred to as “resistive controls”, but this term tends to connote exclusively controls against malicious acts. An Overview of FAIR-CAM; FAIR Controls Analytics Model (PDF). FAIR defines resistive controls as controls that reduce the probability of successful illicit actions. Related pages: What is a control?

1 min