Which of (he following should the manager request to complete the assessment?

A security manager needs to assess the security posture of one of the organization’s vendors. The contract with the vendor does not allow for auditing of the vendor’s security controls.

Which of (he following should the manager request to complete the assessment?
A . A service-level agreement
B. A business partnership agreement
C. A SOC 2 Type 2 report
D. A memorandum of understanding

View Answer

Answer: C

Explanation:

SOC 2 (Service Organization Control 2) is a type of audit report that evaluates the controls of service providers to verify their compliance with industry standards for security, availability, processing integrity, confidentiality, and privacy. A Type 2 report is based on an audit that tests the effectiveness of the controls over a period of time, unlike a Type 1 report which only evaluates the design of the controls at a specific point in time.

A SOC 2 Type 2 report would provide evidence of the vendor’s security controls and how effective they are over time, which can help the security manager assess the vendor’s security posture despite the vendor not allowing for a direct audit.

The security manager should request a SOC 2 Type 2 report to assess the security posture of the vendor. References: CompTIA Security+ Study Guide: Exam SY0-601, Chapter 5