SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?


WHITE PAPER
Jeff Cook, Director (CPA, CITP, CIPT, CISA), Coalfire
North America | Europe | coalfire.com

TABLE OF CONTENTS
Summary
Key players
What are SOC reports, and where did they come from?
What are the differences between SOC 1, 2, and 3?
  SOC 1 Report
  SOC 2 Report
  SOC 3 Report
The different variations within the SOC reports (type 1 and type 2)
  Type 1
  Type 2
Defining the trust principles of a SOC 2
Structure of a SOC 1 and SOC 2
  Section 1: Independent auditor's report
  Section 2: Management's assertion
  Section 3: Description of the system
  Section 4: Auditor's tests of controls and results of tests
How to successfully prepare for a SOC audit
The phases of a SOC audit
Multi-use benefits of a SOC 2

SUMMARY

Service Organization Control (SOC) reports are on the rise in the IT assurance and compliance world. More specifically, the SOC 2 report is being used as a premier IT audit report that is paired with other IT compliance standards to create a "do once, use many" approach for service organizations and auditors. With this rapid growth in demand for SOC reports, it is crucial for businesses to understand what the reports are and how an audit works, so they can better plan for and navigate an audit to achieve a successful result. In this white paper, we answer the following questions to help you improve your SOC understanding:

1. What are SOC reports? Which SOC report will best serve your organization: SOC 1 or SOC 2?
2. What is involved in a SOC audit?
3. How does the SOC audit relate to and enhance other IT assessments?

KEY PLAYERS

Before delving into the details of SOC assessments, it's important to understand the key roles related to SOC:

Service organization: an entity that possesses, stores, or handles information or transactions on behalf of its customers (user entities)
User entity: the company that outsources its information or business processes to a service organization
Service auditor: a CPA who reports on the controls of a service organization
User auditor: a CPA who audits the financial statements of a user entity that uses a service organization

WHAT ARE SOC REPORTS, AND WHERE DID THEY COME FROM?

Let's get started by looking at the origin of SOC reports. Traditionally, user entities worked with service organizations for functions such as payroll processing, medical claims processing, etc. These functions impact user entities' financial data. To institute controls around these functions, the American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standards (SAS) No. 70. This SAS provides guidance to service auditors reporting on a service organization's controls relevant to user entities' financial reporting, and to the user auditors. The SAS 70 report on the service organization (performed by the service auditor) allowed user entities and their auditors to see that the user entity's financial data was properly processed by the service organization. Without this report, user auditors (on behalf of their user entities) would have to constantly bombard the service organization with questions about its controls to meet the requirements of the financial audit of the user entity. SAS 70 allowed the auditing of those controls to occur one time, by the service auditor. The service audit results are documented and provided to the user auditor, saving the service organization time and money.

Let's have a look at a graphic to help explain this further.

As time went on and technology advanced, the marketplace for service organizations changed. Service organizations started to offer administrative outsourcing (human resources, document management, etc.), workflow, and cloud computing (applications, data storage, etc.) services. With these changes to service organization offerings, SAS 70 reports were used for audits of controls outside of financial reporting, even though the report's intent remained financial in nature. For example, a data storage service organization has minimal to no impact on a user entity's financial statements, but the service organization's controls are still important to the user entity. Service auditors, without a better option, continued to issue SAS 70 audit reports for non-financial controls, and the term "SAS 70 certified" was inappropriately used by user entities.

By 2004, the AICPA recognized there was a problem in this reporting, and the Auditing Standards Board attempted to clarify the issue by splitting SAS 70 into two standards. The guidance for user auditors remained an auditing standard for financial statements, and the guidance for service auditors became an attestation standard for service organizations. In 2010, that attestation standard became Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Like the old SAS 70, SSAE 16 focuses on guidance for service auditors assessing financial statement controls at the service organization that affect user entities. SSAE 16 then provided the basis for the SOC 1 report.

NOTE: The SSAE 16 guidance will be superseded by SSAE 18, effective May 1.

The AICPA recognized that a different report was needed for service organizations providing non-financial services to user entities. To address service organization system controls, rather than just financial controls, the SOC 2 report was launched. The SOC 2 offered the service auditor guidance on conducting an attestation engagement to report on the service organization's controls related to the security, availability, confidentiality, and processing integrity of its system, or the privacy of the information processed by that system. The SOC 3 report was implemented at the same time and is a short-form SOC 2 report (i.e., it contains no description of the tests of controls and their results). The SOC 3 report may be used in a service organization's marketing efforts, as the SOC 3 is considered a public report.

WHAT ARE THE DIFFERENCES BETWEEN SOC 1, 2, AND 3?

Now that you know how we got the different reports, let's see how the AICPA summarizes the differences among SOC 1, SOC 2, and SOC 3.

SOC 1 Report: Reporting on controls at a service organization relevant to user entities' internal control over financial reporting
Meets the needs of user entities' management and auditors as they evaluate the effect of a service organization's controls on a user entity's financial statement assertions. These reports are important components of user entities' evaluation of their internal controls over financial reporting for purposes of compliance with laws and regulations, and for when user entity auditors plan and perform financial statement audits.

SOC 2 Report: Reporting on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy
For those who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality, or privacy. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Stakeholders who may use these reports include management or those charged with governance of the user entities and of the service organization, customers, regulators, business partners, and suppliers, among others.

SOC 3 Report: Trust services report for service organizations
Designed to accommodate users who want assurance on a service organization's controls related to security, availability, processing integrity, confidentiality, or privacy, but do not need the detailed and comprehensive SOC 2 report. It can be used in a service organization's marketing efforts.

The differences among the three reports can also be compared in the following manner:

SOC 1
  Intended users: Management of the service organization; user entities; user auditors
  Why needed: Audit of the financial statements of user entities
  What: Controls relevant to user entity financial reporting (e.g., payroll processing)

SOC 2
  Intended users: Management of the service organization; user entities; user auditors; regulators; others
  Why needed: Audit of the financial statements of user entities; meeting governance, risk, and compliance programs; oversight; due diligence
  What: Controls relevant to a service organization system's security, availability, processing integrity, confidentiality, or privacy

SOC 3
  Intended users: Any users with a need for confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization's system
  Why needed: Marketing purposes; public information; detail not needed
  What: Seal and report on controls

THE DIFFERENT VARIATIONS WITHIN THE SOC REPORTS (TYPE 1 AND TYPE 2)

Both SOC 1 and SOC 2 reports come in two types, which the AICPA refers to simply as type 1 and type 2. What are the differences? A type 1 report focuses on the description of a service organization's system, the related control objectives, and the suitability of the design of the controls to achieve those objectives as of a specified date. A type 2 report contains the same information as a type 1 report, with the addition of an assessment of the operating effectiveness of the controls to achieve the control objectives included in the description throughout a specified period. A type 2 report also includes a detailed description of the service auditor's tests of controls and the results of those tests.

Type 1
  Opinion on the system description and the design of controls
  How the system achieves the control objectives in the system description
  As of a specific date
  Does not show tests of controls or results

Type 2
  Same opinion as type 1, plus whether the controls are operating effectively
  Opinion covers a specified period
  Shows descriptions of the service auditor's tests of controls and the results of the tests

DEFINING THE TRUST PRINCIPLES OF A SOC 2

With more and more service organizations getting requests from their user entities for SOC 2 reports, it is important to understand what the trust services principles are and how they can be reported on in a SOC 2. Trust services are a set of services based on a core set of criteria that address the risks and opportunities of IT-enabled systems and/or privacy programs. The following principles are used in SOC 2 trust services engagements:

Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).

A service organization can choose to report on any of the trust principles for a SOC 2 engagement. If a system only needs to report on its security, then only the security principle would be used for the SOC 2. If a system needs all five, then the SOC 2 would cover all five. Deciding which principles to report on (and which best fit the need) is up to service organization management. It is important to note that conducting a SOC 2 on the first four principles (security, availability, processing integrity, and confidentiality) uses similar control objectives with minimal variation in testing, so testing these four does not require much more effort from the service organization or the service auditor than testing one. Privacy, however, requires an additional set of rules and control objectives, which substantially increases the amount of work needed to complete the SOC 2. Unless a service organization is processing or housing personally identifiable information (PII), it will typically have its SOC 2 completed on only the other four trust principles.

In 2014, the AICPA changed the reporting for SOC 2 to streamline the control objectives and simplify the process for the service organization, service auditors, and readers of the SOC 2 report. In previous SOC 2 reports, each principle would get its own set of control objectives, leading to duplicated information for the controls put in place by the service organization, the service auditor's tests of controls, and the results of the tests. After the 2014 revision, the bulk of the report consists of the common criteria, which are shared across the trust principles of security, availability, processing integrity, and confidentiality. After the common criteria, a smaller number of additional criteria relate specifically to the individual principles.

In 2016, the trust services principles were revised again. Minor changes were made to security and confidentiality, but the major change affected privacy. The privacy criteria were simplified to make privacy a more attainable SOC 2 principle; the AICPA published a summary of the changes to the privacy principle. In 2017, the AICPA will revise the trust services principles yet again, resulting in criteria that are based on the COSO 2013 framework. Watch for updates from Coalfire on the 2017 changes.

STRUCTURE OF A SOC 1 AND SOC 2

For the most part, a SOC 1 and a SOC 2 are similar in report structure. Section 1 is the independent auditor's opinion; section 2 is management's assertion; section 3 is a description of the system(s); and section 4 includes the control objectives and the controls in place at the service organization, the tests of controls, and the results of the tests. Remember, the auditor's opinion will vary between a type 1 and a type 2 engagement. Let's look at each of the four sections in more detail.

Section 1: Independent auditor's report
  Provides the reader with the service auditor's opinion on the system description, the design of controls, and their operating effectiveness in meeting the control objectives

Section 2: Management's assertion
  Provides the reader with the facts and assertions made by the service organization's management related to the system(s) under audit

Section 3: Description of the system
  The details of the system(s) being reported on (written by management)
  Boundary, infrastructure, controls, subservice organizations, user entity controls, and other system information
  Inclusions in this section should be capable of being audited against the control objectives

Section 4: Auditor's tests of controls and results of tests
  Shows four columns of information:
    Control objective (related to the applicable trust services principles)
    Controls in place at the service organization to meet the objective
    Auditor's tests of the controls
    Results of the tests

HOW TO SUCCESSFULLY PREPARE FOR A SOC AUDIT

Preparing your service organization for a SOC audit is similar whether you're pursuing a SOC 1 or a SOC 2. The first thing to consider is the trust services principles (SOC 2) or control objectives (SOC 1) that you want to report on. As a service organization, you need to ask, "What do readers of this report want to know?" Knowing your audience and what information they need is essential to providing the correct information in your SOC report. Your service organization should only report on what is relevant to the user entities. A critical element of this is defining the scope and boundary of the audit, because it helps all parties (service organization, service auditor, user entities, and user auditors) understand what is and is not reported (and audited). For example, if you are a data center that only houses client servers, you might report on the trust services principles of security and availability, but your internal SharePoint system may not be relevant to the user entities, so you would not include it in the boundary of your report.

After you determine the system(s) on which to report, make sure policies and procedures are in place to meet the requirements of a SOC audit. Examples include (but are not limited to):

System security plan (SSP)
Incident response plan
Disaster recovery plan
Security awareness (and training)
Human resources plans (hiring, termination, handbook, etc.)
Rules of behavior
Configuration management
Password policy

The policies should be robust in their content and structure. Many organizations start with policy guidance provided by the National Institute of Standards and Technology (NIST) or the SANS (SysAdmin, Audit, Network, and Security) Institute. Along with making sure the policies are complete for the system(s), you should ensure that:

1. The procedures in place are adequate and follow the written policies.
2. You have documented the communication of the policies and procedures to your employees.
3. There is evidence of monitoring of the policies and procedures, as well as of the system(s).

After you determine the scope and boundary of the system(s) being reported on and establish the policies and procedures, you should prepare for the SOC audit by writing section 3 of the audit report and performing internal testing to validate that the audit procedures will be met. Section 3 is the system description and acts as a security assessment plan (SAP) for the service auditor. It provides the service auditor guidance on what is included in the system boundary and scope, and on the current internal controls. A completed section 3 gives the service auditor the best guidance on how to plan and perform the audit. Once section 3 is completed, you or a hired advisor can take the testing guidance for a SOC 1 or SOC 2 and perform internal tests. This mock audit allows you to remediate any problems before the auditors perform their work.

Here is a visual summary you can use to prepare for a SOC audit.

THE PHASES OF A SOC AUDIT

Your service organization is ready for an audit, so what is next? While not required, a gap analysis by the CPA firm that will perform the actual audit, or by consultants (CPA or non-CPA), is recommended. The key to a successful analysis is that the person(s) performing the review have a detailed understanding of SOC, so they can properly assess whether you will meet the requirements of the formal audit. The reviewer should provide a gap analysis related to the testing section (section 4), identifying areas that would currently fail during a formal audit. If the reviewer also evaluated the system description (section 3), then comments to improve the write-up should be included.

After the gap analysis is performed and the reviewer has provided comments, you can remediate the findings. Fixing the identified issues gives you a better opportunity for a successful, clean (unqualified) audit. Remediation can include updating policies, hardening the system(s), solidifying procedures, and producing better substantive evidence of procedures, communication, and/or monitoring. Once ALL remediation is completed, you are ready for the formal audit. Ideally, the audit period will not begin until AFTER remediation is completed; this results in a cleaner audit report. The audit procedures by the CPA firm may occur during the period under audit or after the audit period. The audit procedures performed will follow the applicable SOC guidance and should have a similar feel to the gap analysis. Let's look at the phases and related timing in the example below:

This example assumes that the service organization wants a cleaner audit report, so the audit period does not start until after remediation. That is NOT required; a SOC audit period can cover any timeframe. If the service organization chose a calendar-year audit period (January 1 to December 31) and the audit were conducted before the system findings were remediated, the audit report would show deficiencies (or exceptions). This leads to the potential for a qualified (i.e., unfavorable) audit opinion. Many companies prefer minimal deficiencies in their first audit and elect to start the period later, as seen in our example. After the first audit year, assuming there are no significant changes to the system(s), the next audit period can be on a 12-month basis (January 1 to December 31) if desired, as presumably the identified deficiencies would have been fixed.

MULTI-USE BENEFITS OF A SOC 2

Many companies pursue a SOC 2 for the obvious benefit of simply obtaining a SOC 2 audit opinion. What they don't realize is that a properly implemented SOC 2 assessment can open doors to NIST SP 800-53, PCI, ISO, HIPAA, and other accreditations (or vice versa) and, consequently, a larger market share. A SOC 2 audit shares a large portion of its documentation requirements with these other assessments. SOC 2 and many of these other assessments are based on the underlying framework of transparency in the design and operation of controls. Because of this, a company that has invested in a SOC 2 audit has already completed a large portion of the work required, for example, for an ISO accreditation. This gives companies an edge on their competition and access to a different market through reduced cost and faster assessments. Coalfire has mapped the required SOC 2 controls to various other assessment requirements based on our extensive experience completing these assessments. This mapping allows us either to utilize other IT security work already performed and repurpose it for SOC 2 use, or to start with a SOC 2 audit and use it as the groundwork for other accreditations. This "do once, use many" approach reduces the time and cost of Coalfire assessments now and in the future.

Another example of the SOC 2 gaining momentum as a compliance standard is the recent leveraging of the SOC 2 for HITRUST Common Security Framework (CSF) reporting. The American Institute of Certified Public Accountants (AICPA) and HITRUST worked together to create a mapping of SOC 2 controls to the CSF, which led to the development of the SOC 2 + HITRUST report. This report allows both frameworks to be reported on in a single, all-inclusive report.

Our experience leading streamlined, comprehensive SOC 1 and SOC 2 compliance efforts gives Coalfire the advantage of understanding the underlying concepts of SOC engagements, how those concepts relate to other IT compliance standards, and how to best fit those concepts to specific client requirements. In tandem with this understanding, we have extensive experience performing streamlined and effective certification assessments under multiple requirements using a standardized and repeatable assessment methodology. In fact, our team has conducted more than 700 security assessments, including those for FedRAMP, FISMA, HIPAA/HITECH, HITRUST, and PCI DSS compliance. Coalfire has the most FedRAMP experience of any Third Party Assessment Organization (3PAO), having assessed more systems than any other accredited 3PAO.

Through our detailed understanding of the SOC requirements, experience preparing companies for their accreditations, and mapping of the required controls for SOC audits to NIST SP 800-53, HITRUST, PCI, ISO, and other requirements, Coalfire can give your company access to new market share by not only supporting your SOC 1 and SOC 2 compliance efforts, but also using that framework to reduce the effort and cost of future assessments.

ABOUT COALFIRE

As cybersecurity risk management and compliance experts, Coalfire delivers cybersecurity advice, assessments, testing, and implementation support to IT and security departments, executives, and corporate directors of leading enterprises and public sector organizations. By addressing each organization's specific challenges, we're able to develop a long-term strategy that improves our clients' overall cyber risk profiles. Armed with our trusted insights, clients can get to market faster with the security to succeed. Coalfire has offices throughout the United States and Europe. Coalfire.com

Copyright Coalfire Systems, Inc. All Rights Reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document, inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein, you should consult legal counsel, your security advisor, and/or your relevant standard authority.


More information

Audit Considerations Relating to an Entity Using a Service Organization

Audit Considerations Relating to an Entity Using a Service Organization An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of

More information

Transitioning from SAS 70 to SSAE 16

Transitioning from SAS 70 to SSAE 16 Industry Webinar Series SAS 70 ENDS EXIT TO SSAE 16 Transitioning from SAS 70 to SSAE 16 How Does This Apply to Your Organization? Cindy Boyle, Partner Rodney Walsh, Director BKD IT Risk Services Agenda

More information

IGNITING GROWTH. Why a SOC Report Makes All the Difference

IGNITING GROWTH. Why a SOC Report Makes All the Difference IGNITING GROWTH Why a SOC Report Makes All the Difference Many service organizations depend on the integrity of their control environment to protect their business as well as that of their customers. With

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Convergence of BCM and Information Security at Direct Energy

Convergence of BCM and Information Security at Direct Energy Convergence of BCM and Information Security at Direct Energy Karen Kemp Direct Energy Session ID: GRC-403 Session Classification: Advanced About Direct Energy Direct Energy was acquired by Centrica Plc

More information

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant

More information

Credit Union Service Organization Compliance

Credit Union Service Organization Compliance Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator

More information

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &

More information

10 Considerations for a Cloud Procurement. March 2017

10 Considerations for a Cloud Procurement. March 2017 10 Considerations for a Cloud Procurement March 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents

More information

The value of visibility. Cybersecurity risk management examination

The value of visibility. Cybersecurity risk management examination The value of visibility Cybersecurity risk management examination Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals

More information

Addressing Cybersecurity Risk

Addressing Cybersecurity Risk The CPA s Role in Addressing Cybersecurity Risk How the Auditing Profession Promotes Cybersecurity Resilience MAY 2017 Contents 1. EXECUTIVE SUMMARY 1 2. THE LANDSCAPE OF CYBERSECURITY RISK 3 The Need

More information

Workday s Robust Privacy Program

Workday s Robust Privacy Program Workday s Robust Privacy Program Workday s Robust Privacy Program Introduction Workday is a leading provider of enterprise cloud applications for human resources and finance. Founded in 2005 by Dave Duffield

More information

WHITE PAPER. Title. Managed Services for SAS Technology

WHITE PAPER. Title. Managed Services for SAS Technology WHITE PAPER Hosted Title Managed Services for SAS Technology ii Contents Performance... 1 Optimal storage and sizing...1 Secure, no-hassle access...2 Dedicated computing infrastructure...2 Early and pre-emptive

More information

COBIT 5 With COSO 2013

COBIT 5 With COSO 2013 Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder

More information

Introduction to AWS GoldBase

Introduction to AWS GoldBase Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener

More information

American Association for Laboratory Accreditation

American Association for Laboratory Accreditation R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.

More information

Adopting SSAE 18 for SOC 1 reports

Adopting SSAE 18 for SOC 1 reports Adopting SSAE 18 for SOC 1 reports Overview Since its adoption in 2011, service auditor reports issued in accordance with SSAE 16 have become increasingly common in the marketplace. In April 2016, the

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Optimising cloud security, trust and transparency

Optimising cloud security, trust and transparency Optimising cloud security, trust and transparency April 2013 Jim Reavis, CSA Founder and Executive Director Daniele Catteddu, CSA Managing Director EMEA About the Cloud Security Alliance! Global, not-for-profit

More information

The Evolving Threat to Corporate Cyber & Data Security

The Evolving Threat to Corporate Cyber & Data Security The Evolving Threat to Corporate Cyber & Data Security Presented by: Sara English, CIPP/US Sara.English@KutakRock.com 1 http://blogs.wsj.com/law/2015/12/09/employee error leading cause of data breaches

More information

Auditing the Cloud. Paul Engle CISA, CIA

Auditing the Cloud. Paul Engle CISA, CIA Auditing the Cloud Paul Engle CISA, CIA About the Speaker Paul Engle CISA, CIA o Fifteen years performing internal audit, IT internal audit, and consulting projects o Internal audit clients include ADP,

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

SAS70 Type II Reports Use and Interpretation for SOX

SAS70 Type II Reports Use and Interpretation for SOX SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background

More information

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE 2018 1 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents

More information

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based

More information

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE 1. Scope REQUIREMENTS FOR CERTIFICATION BODIES 1.1 This document describes the requirements the Certification Bodies (CBs) are expected to meet

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

THE POWER OF TECH-SAVVY BOARDS:

THE POWER OF TECH-SAVVY BOARDS: THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Public Safety Canada. Audit of the Business Continuity Planning Program

Public Safety Canada. Audit of the Business Continuity Planning Program Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely

More information

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration Statement Comments by the electrical industry on the EU Cybersecurity Act manufacturer s declaration industrial security Cybersecurity Quality basis security LED-Modul Statement P January 2018 German Electrical

More information

Intermedia s Private Cloud Exchange

Intermedia s Private Cloud Exchange Intermedia s Private Cloud Exchange This is a practical guide to implementing Intermedia s Private Cloud Exchange on AWS. Intermedia, the world s independent provider of Hosted Exchange, and AWS, the leading

More information

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

IT Audit Process Prof. Liang Yao Week Two IT Audit Function Week Two IT Audit Function Why we need IT audit A Case Study What You Can Learn about Risk Management from Societe Generale? https://www.cio.com/article/2436790/security0/what-you-can-learn-about-risk-management-fromsociete-generale.html

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Avanade s Approach to Client Data Protection

Avanade s Approach to Client Data Protection White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success

More information

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE Table of Contents Dedicated Geo-Redundant Data Center Infrastructure 02 SSAE 16 / SAS 70 and SOC2 Audits 03 Logical Access Security 03 Dedicated

More information

SAP Security Remediation: Three Steps for Success Using SAP GRC

SAP Security Remediation: Three Steps for Success Using SAP GRC SAP Security Remediation: Three Steps for Success Using SAP GRC All companies need strong application security environments as part of a successful overall risk management strategy. Strong risk-oriented

More information

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle

More information

Auditing IT General Controls

Auditing IT General Controls Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program

More information

Data Security Standards

Data Security Standards Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a

More information

Global Statement of Business Continuity

Global Statement of Business Continuity Business Continuity Management Version 1.0-2017 Date January 25, 2017 Status Author Business Continuity Management (BCM) Table of Contents 1. Credit Suisse Business Continuity Statement 3 2. BCM Program

More information

Application for Certification

Application for Certification Application for Certification Requirements to Become a Certified Information Security Manager To become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade on the

More information

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction Compact_ IT Advisory 41 SAS 70 revised ISAE 3402 will focus on financial reporting control procedures Jaap van Beek and Marco Francken J.J. van Beek is a partner at KPMG IT Advisory. He has over twenty-years

More information

Independent Assurance Statement

Independent Assurance Statement Independent Assurance Statement Scope and Objectives DNV GL Business Assurance USA, Inc. (DNV GL) was commissioned by Lockheed Martin Corporation (Lockheed Martin) to conduct independent assurance of its

More information

Sage Data Security Services Directory

Sage Data Security Services Directory Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time

More information

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Cyber Rule Considerations For Contractors In 2018 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Implementer www.pecb.com The objective of the PECB Certified ISO 14001 Lead Implementer examination is to ensure that the candidate

More information

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2 Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme Version 1.2 July 2015 Copyright, Cradle to Cradle Products Innovation Institute, 2015

More information

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by

More information

Minimum Requirements For The Operation of Management System Certification Bodies

Minimum Requirements For The Operation of Management System Certification Bodies ETHIOPIAN NATIONAL ACCREDITATION OFFICE Minimum Requirements For The Operation of Management System Certification Bodies April 2011 Page 1 of 11 No. Content Page 1. Introduction 2 2. Scope 2 3. Definitions

More information

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research. CONTENTS i. INTRODUCTION 3 ii. OVERVIEW SPECIFICATION PROTOCOL DOCUMENT DEVELOPMENT PROCESS 4 1. SCOPE 5 2. DEFINITIONS 5 3. REFERENCES 6 4. MANAGEMENT STANDARDS FOR APPROVED CERTIFICATION BODIES 6 4.1

More information

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San

More information

The Open Group Certification for People. Certification Policy. for Examination-Based Programs

The Open Group Certification for People. Certification Policy. for Examination-Based Programs The Open Group Certification for People Certification Policy for Examination-Based Programs Version 1.0 April 2016 Copyright 2009-2016, The Open Group All rights reserved. This publication may be reproduced,

More information

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program White Paper FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud FedRAMP Federal Risk Authorization Management Program FedRAMP 2 Table of Contents Introduction 3 fedramp overview 3

More information

Overview. Business value

Overview. Business value PRODUCT SHEET CA Top Secret for z/vse CA Top Secret for z/vse CA Top Secret for z/vse provides innovative and comprehensive security for business transaction environments which enable your business to

More information

TRACKVIA SECURITY OVERVIEW

TRACKVIA SECURITY OVERVIEW TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times

More information

Achilles System Certification (ASC) from GE Digital

Achilles System Certification (ASC) from GE Digital Achilles System Certification (ASC) from GE Digital Frequently Asked Questions GE Digital Achilles System Certification FAQ Sheet 1 Safeguard your devices and meet industry benchmarks for industrial cyber

More information

CA/Browser Forum Meeting

CA/Browser Forum Meeting CA/Browser Forum Meeting WebTrust for CA Update June 21, 2017 Jeff Ward / Don Sheehy / Janet Treasure Current Status WebTrust for CA 2.1 As you are aware, based on ISO 21188 WebTrust criteria based on

More information

IS Audit and Assurance Guideline 2002 Organisational Independence

IS Audit and Assurance Guideline 2002 Organisational Independence IS Audit and Assurance Guideline 2002 Organisational Independence The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards

More information

An Overview of ISO/IEC family of Information Security Management System Standards

An Overview of ISO/IEC family of Information Security Management System Standards What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Implementer www.pecb.com The objective of the Certified ISO 22000 Lead Implementer examination is to ensure that the candidate

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability Session 2: Conformity Assessment Principles 12-16 October 2015 Beijing, China Keith Mainwaring ITU Expert Agenda 1. Context

More information

Introduction to GlobalPlatform Compliance Secretariat

Introduction to GlobalPlatform Compliance Secretariat Introduction to GlobalPlatform Compliance Secretariat Introduction Key to market stability is the adoption of proven standards. Industry acceptance of any standard or specification, however, will only

More information

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2016 through June 30, 2016 SOC 3 SM SOC 3 is a service

More information

RSPO Certification Step by step

RSPO Certification Step by step RSPO Certification Step by step Index Terms and definitions... 3 Objectives and applicable certification schemes... 5 Evaluation procedures... 7 Certification request... 7 Critical analysis of certification

More information

A Global Look at IT Audit Best Practices

A Global Look at IT Audit Best Practices A Global Look at IT Audit Best Practices 2015 IT Audit Benchmarking Survey March 2015 Speakers Kevin McCreary is a Senior Manager in Protiviti s IT Risk practice. He has extensive IT audit and regulatory

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

UNCONTROLLED IF PRINTED

UNCONTROLLED IF PRINTED 161Thorn Hill Road Warrendale, PA 15086-7527 1. Scope 2. Definitions PROGRAM DOCUMENT PD 1000 Issue Date: 19-Apr-2015 Revision Date: 26-May-2015 INDUSTRY MANAGED ACCREDITATION PROGRAM DOCUMENT Table of

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 18/EN WP261 Article 29 Working Party Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679 Adopted on 6 february 2018 1 THE

More information

Streamlined FISMA Compliance For Hosted Information Systems

Streamlined FISMA Compliance For Hosted Information Systems Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and

More information

Timber Products Inspection, Inc.

Timber Products Inspection, Inc. Timber Products Inspection, Inc. Product Certification Public Document Timber Products Inspection, Inc. P.O. Box 919 Conyers, GA 30012 Phone: (770) 922-8000 Fax: (770) 922-1290 TP Product Certification

More information

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ 1 SWIFT Customer Security Controls Framework Why has SWIFT launched new security

More information