Certified Information Systems Security Professional (CISSP) — Question 251
An application is used for funds transfers between an organization and a third party. During a security audit, an auditor has found an issue with the business continuity and disaster recovery policy and procedures for this application. Which of the following reports should the auditor file with the organization?
Answer options
- A. Statement on Auditing Standards (SAS) 70-1
- B. Statement on Auditing Standards (SAS) 70
- C. Service Organization Control (SOC) 1
- D. Service Organization Control (SOC) 2
Correct answer: D
Explanation
The correct answer is D. SOC 2 reports are specifically designed to evaluate controls related to security, availability, processing integrity, confidentiality, and privacy, which are crucial for applications handling sensitive transactions such as fund transfers; a deficiency in business continuity and disaster recovery falls under the availability criterion. Options A and B relate to auditing standards but do not focus on the operational controls relevant to IT service organizations. Option C, SOC 1, is concerned with controls over financial reporting rather than the broader criteria of operational effectiveness that SOC 2 assesses.