Compliance Services

SOC Reporting Services

Establish and report controls to differentiate your organization

Maximize Return on Investment | 100% On Time Delivery | Audit Automation
Over 65% of security breaches can be traced to third parties. SOC 2 attestation reports help service organizations give their customers assurance and confidence that the organization has the right processes and controls in place to properly secure their data.

A System and Organization Controls (SOC 1, SOC 2 or SOC 3) report is a widely recognized way to give customers confidence in your security and financial control posture. SOC 1 reports are performed under the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18, which superseded SSAE 16), AT-C section 320. SOC 2 reports, formerly performed under AT Section 101, now also fall under SSAE 18 (AT-C sections 105 and 205) and are evaluated against the AICPA Trust Services Criteria.

Reports include:

SOC 1 – SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting and are potentially used in an audit of a user entity’s financial statements.

SOC 2 – SOC 2 reports address controls at a service organization relevant to the AICPA Trust Services Criteria (TSC, formerly the Trust Services Principles): the security, availability and processing integrity of a system, and the confidentiality and privacy of the information that system processes. Security is the required category; the other four are included at the service organization’s discretion.

SOC 3 – SOC 3 reports cover the same subject matter as SOC 2 engagements, but their use is not restricted: anyone may read them, and they may be posted on a website under a seal. To allow this, the SOC 3 report omits the detailed description of controls and the auditor’s test results found in its SOC 2 counterpart, so that no proprietary or confidential information is made public.

How TBO can help

TBO offers the following services to help service providers with their SOC reporting needs.

  • Gap Assessments – During a gap assessment, we help service organizations identify and document their controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified.
  • Type 1 Reports – Receive a formal SOC examination and report on the description of your system and the suitability of the design of controls as of a point in time. An unqualified Type 1 opinion states that the description is fairly presented and that the controls were suitably designed and implemented on that date; it says nothing about whether they operated effectively over time. SOC 1 and SOC 2 reports are restricted-use reports: a Type 1 report can be shared with customers, their auditors, and prospective customers who understand the system.
  • Type 2 Reports – We deliver a formal SOC examination and report on the description of your system and on the suitability of design and operating effectiveness of controls over a review period (typically at least six months, often twelve). A Type 2 report differs from a Type 1 in that it requires TBO to sample-test controls across that period (for example HR onboarding and termination, logical access provisioning and review, and change management) to confirm that they operated effectively throughout, which is why a Type 2 engagement involves more effort than a Type 1.

GDPR Compliance | General Data Protection Regulation

Part of a sound data governance program

The General Data Protection Regulation (GDPR) is an imperative for organizations that store and process EU personal data. Organizations are at all stages of the journey, from initial planning through finalizing strategic implementations, and our industry-leading GDPR experts are here to assist you every step of the way.

GDPR raises the level of accountability required for data protection; make sure you are prepared all the way down to the process level.

Why GDPR?

  • GDPR applies to any organization that processes the personal data of people in the EU, whether customers or employees. Regardless of where you are located (EU, US or elsewhere), you are accountable if you offer goods or services to, or monitor the behaviour of, individuals in the EU, and you should prepare now if you plan to expand into Europe.
  • Maintain and secure the trust of your customers and staff by providing assurance that you handle their data properly.
  • Stay focused on your core business by hiring cybersecurity professionals that provide expert assistance with GDPR implementation.
  • Invest in improving your privacy and cybersecurity profile rather than pay large fines to regulators.

Our services include:

GDPR Gap Assessment – TBO offers a gap assessment service conducted using an interactive workshop and process review. Using our cybersecurity expertise, our CIPP-certified consultants provide strategic and tactical recommendations to give you a clear picture of your company’s readiness and direction on what next steps you should take.

GDPR Advisory Services – Our industry experts deliver projects tailored to your particular needs: policy and procedure updates to account for GDPR breach notification requirements, third-party assessments to confirm that your vendors follow the processes you expect, or cyber engineering to re-architect data flows and storage. In each case TBO provides trusted insight and advice.

GDPR Attestation/Audit – We provide cybersecurity assurance services to validate your compliance and deliver documentation you can share with the relevant data protection authorities.

Why Choose TBO as your GDPR Partner?

  • Major cloud providers rely on TBO to help secure their environments. We bring that deep understanding of complex data environments to all our clients, giving you confidence that your customer information is handled appropriately whatever your industry.
  • A collaborative partnership with TBO allows you to continually manage compliance with the agility to respond to future enforcement activity.
  • With proven global expertise in standards like ISO, PCI and HIPAA with privacy elements that overlap with GDPR, we work with you to leverage your previous compliance efforts whenever possible to reduce duplication of effort and compliance fatigue.
  • We take the time to understand your business requirements and help you prioritize and operationalize the different components of GDPR compliance.

NYDFS | New York Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) was developed to address significant cybersecurity threats to the financial services industry. It prescribes standards for a covered financial services company’s cybersecurity program, with the goal of protecting customer information and the covered entity’s information systems.

Third Party Risk | Managing Mission Critical Vendors

Imagine a single vendor management platform that lets you assess and inventory vendors in one place. Whether it is an outsourced data center, a team of developers or a direct mail provider, we are all entrusting mission-critical data and business processes to a business partner. For this reason, an effective and transparent third party risk management program is more important than ever.