SOC Lessons Learned and Reporting Changes

SOC Lessons Learned and Reporting Changes Dec. 16, 2014

Your Presenters Today
- Arshad Ahmed, CISA, CISSP, CPA, Leader of SOC and Technology Risk Services for Crowe
- Rod Smith, CISA, CPA, Thought Leader for Crowe SOC Services
- Sue Horn, CISA, CPA, Thought Leader for Crowe SOC Services
2014 Crowe Horwath LLP

Agenda
- Lessons Learned During 2014: How You Can Improve Your Organization's Reporting Process Going Forward
- Changes to SOC 2 Principles and Criteria
- Mapping of SOC 2 Principles and Criteria to Other Industry Standards
- Summary and Conclusion
- Q&A

Types of SOC Reports

Report Form | Assurance Focus / Report Use | Underlying Standard
SOC 1 | Internal controls related to financial reporting; restricted use report | SSAE 16 / AT 801
SOC 2 | Trust Services Principles; restricted use report | AT 101
SOC 3 | Trust Services Principles; general use report | AT 101

Which Report Should Be Chosen?

Lessons Learned in 2014

Lessons Learned
- Service organizations had fewer challenges with the report type and coverage selections; however, there were still challenges with SOC 2 reports.
- Service organizations had better organized and better prepared management assertions and bases for those assertions; however, they are still a work in progress.
- Service organizations had better documented and more effective risk assessments.
- Service organizations effectively increased the information included in the description of systems.
Summary: There was continued improvement in those areas for which the service organization's management is (partially or fully) responsible.

Lessons Learned (Cont'd)
- Communication of significant changes to service auditors improved as more touch points took place.
- Communication of complementary user entity controls to user organizations improved.
- Disclosures of subservice organizations continue to increase.
- There has been an increase in requests by clients for interim visits.
- Service organizations continued to look for ways to decrease audit costs and duplication of testing by requesting that the service auditor rely on the work performed by Internal Audit.
Summary: Audit and regulatory requirements continue to increase. Service organizations are responding to the increased scrutiny by improving in the areas of increased audit focus and in audit efficiency.

Polling Question #1
In your opinion, what is the primary driver for an organization to request a SOC report from a service provider?
a) SOC reports are required to be reviewed periodically based on my organization's vendor management procedures.
b) SOC reports are utilized in support of the financial reporting process of my organization.
c) To gain assurance regarding a service organization's compliance with regulatory requirements (e.g., HIPAA) or a control framework of interest (e.g., NIST, COBIT).
d) To assist in evaluating a service organization from a business or service level agreement standpoint.
e) All of the above.

Changes to SOC 2 Principles and Criteria

Trust Services Principles
- Security: The system is protected against unauthorized access, use, or modification.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed to.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).

Relationship Among Principles, Criteria, and Controls (diagram: Principles > Criteria > Controls)

Revised Trust Services Principles (TSP) in 2014
A change was introduced to recognize that many of the criteria used to evaluate a system are shared among all the principles except privacy. Criteria common to security, availability, confidentiality, and processing integrity:
- Organization and management
- Communications
- Risk management and design and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
Note: The criteria related to privacy are under review but remain unchanged at this time.

Example Criteria and Illustrative Controls
Common Criteria 7.4: Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, confidentiality, or any combination thereof] commitments and requirements.
Illustrative controls:
- System change requests must be reviewed and approved by the owner of the infrastructure or software and the change advisory board prior to work commencing on the requested change.
- Test plans and test data are created and used in required system and regression testing. Test plans and test data are reviewed and approved by the testing manager prior to and at the completion of testing, and reviewed by the change advisory board prior to newly developed or changed software being authorized for migration to production.
- Changes are reviewed and approved by the change advisory board prior to implementation.
- Logical access controls and change management tools restrict the ability to migrate between development, test, and production to change deployment personnel.
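
The CC7.4 illustrative controls above are written as audit evidence; the Python below is an added example (not from the Crowe slides or the AICPA criteria) of the same conditions enforced as a gate in front of a production migration, so a change deploys only when the owner and change advisory board approvals, the testing manager's sign-off before and after testing, passing test results and the migration authorization are all recorded, and only by change-deployment personnel who did not author the change. The ChangeRecord fields, the CHANGE_DEPLOYERS group and the three sample records are assumptions constructed for this example.

```python
"""Pre-production deployment gate for CC7.4-style change controls.

Added example: the ChangeRecord fields, the CHANGE_DEPLOYERS group and the
sample records below are assumptions constructed for illustration, not
material from the slides or from the AICPA criteria.
"""
from dataclasses import dataclass

# Assumed group of accounts permitted to migrate code between environments
# (the "change deployment personnel" of the illustrative control).
CHANGE_DEPLOYERS = frozenset({"deploy-bot", "ops.lee"})


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    requester: str                    # person who authored the change
    owner_approved: bool              # infrastructure/software owner, before work began
    cab_approved_before_work: bool    # change advisory board, before work began
    test_plan_approved_pre: bool      # testing manager, before testing
    test_plan_approved_post: bool     # testing manager, at completion of testing
    tests_passed: bool                # system and regression tests executed and passed
    cab_approved_for_migration: bool  # CAB authorization to move to production
    deployer: str                     # account attempting the migration


def gate_violations(rec: ChangeRecord) -> list:
    """Return every control the record fails; an empty list means the gate is open."""
    failures = []
    if not rec.owner_approved:
        failures.append("owner has not approved the change request")
    if not rec.cab_approved_before_work:
        failures.append("CAB did not approve before work commenced")
    if not (rec.test_plan_approved_pre and rec.test_plan_approved_post):
        failures.append("test plan and data not approved by the testing manager before and after testing")
    if not rec.tests_passed:
        failures.append("system or regression tests did not pass")
    if not rec.cab_approved_for_migration:
        failures.append("CAB has not authorized migration to production")
    # Logical access control: only the deployment group may migrate ...
    if rec.deployer not in CHANGE_DEPLOYERS:
        failures.append(f"{rec.deployer} is not change-deployment personnel")
    # ... and never the author of the change (segregation of duties).
    if rec.deployer == rec.requester:
        failures.append("requester may not deploy their own change")
    return failures


def may_migrate(rec: ChangeRecord) -> bool:
    """True only when no control in gate_violations() fails."""
    return not gate_violations(rec)


# Constructed sample records: one fully approved, one where the developer tries
# to deploy their own change, one that was never fully tested.
APPROVED_CHANGE = ChangeRecord("CHG-1001", "dev.kim", True, True, True, True, True, True, "deploy-bot")
SELF_DEPLOYED_CHANGE = ChangeRecord("CHG-1002", "dev.kim", True, True, True, True, True, True, "dev.kim")
UNTESTED_CHANGE = ChangeRecord("CHG-1003", "dev.kim", True, True, True, False, False, True, "ops.lee")


if __name__ == "__main__":
    for rec in (APPROVED_CHANGE, SELF_DEPLOYED_CHANGE, UNTESTED_CHANGE):
        print(rec.change_id, "OPEN" if may_migrate(rec) else "BLOCKED", gate_violations(rec))
```

The gate reports every failed control rather than stopping at the first, which is what an auditor sampling change tickets wants to see in the deployment log; the self-deployment record fails two checks at once (deployer not in the group, and deployer equals requester), which is deliberate so that adding a developer to the deployment group does not silently remove the segregation-of-duties check.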

Revised TSP in 2014
- The common criteria constitute the complete set of criteria for the security principle.
- Effective date: periods ending on or after Dec. 15, 2014; early adoption is permitted.
- Additional criteria have been created for the availability, confidentiality, and processing integrity principles: availability, 3 criteria; confidentiality, 6 criteria; processing integrity, 6 criteria.

Example Criteria and Illustrative Controls
Confidentiality principle, criteria C1.2: Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
Illustrative controls:
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
- Logical access other than through authorized applications is restricted to administrators through database management system native security. Creation and modification of access control records for the database management systems occur through the access-provisioning process.
- Application-level security restricts the ability to access, modify, and delete data to authenticated users who have been granted access through records in the access control list. Creation and modification of access control records occur through the access-provisioning process.
- Application security restricts output to approved roles or user IDs.
- Paper forms are secured physically after data entry. Physical access is restricted to storage clerks.
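
To show what the application-level controls under C1.2 look like when implemented rather than described, the following Python is an added example (not code from the Crowe slides or the AICPA criteria) of a confidential-record store in which every read, modify and delete is checked against access control list entries for the authenticated user or their roles, deny-by-default, with ACL entries created only through a provisioning call and with designated output fields returned only to approved roles. The users, roles, ACL entries, the OUTPUT_ROLES policy and the sample claim record are all constructed for the example.

```python
"""Application-level access control for confidential records (C1.2 style).

Added example, not code from the Crowe slides or the AICPA criteria. The
users, roles, ACL entries, the OUTPUT_ROLES policy and the sample claim
record are constructed for illustration.
"""
from dataclasses import dataclass

OPERATIONS = frozenset({"read", "modify", "delete"})

# Output restriction: a field listed here is returned only to approved roles;
# everyone else who is authorized to read the record sees it masked.
OUTPUT_ROLES = {"ssn": frozenset({"compliance"})}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()
    authenticated: bool = True

    def subjects(self):
        """ACL subjects this principal matches: its user ID and each of its roles."""
        return {f"user:{self.user_id}"} | {f"role:{r}" for r in self.roles}


class ConfidentialStore:
    def __init__(self):
        self._records = {}   # record_id -> dict of fields
        self._acl = {}       # record_id -> [(subject, frozenset of operations)]
        self.audit = []      # (user_id, operation, record_id, "allow" | "deny")

    def provision(self, record_id, subject, operations):
        """The only path that creates ACL entries (the access-provisioning process)."""
        ops = frozenset(operations)
        if not ops <= OPERATIONS:
            raise ValueError(f"unknown operations: {sorted(ops - OPERATIONS)}")
        self._acl.setdefault(record_id, []).append((subject, ops))

    def create(self, record_id, fields, owner):
        self._records[record_id] = dict(fields)
        self.provision(record_id, f"user:{owner.user_id}", OPERATIONS)

    def _allowed(self, who, op, record_id):
        # Deny by default: unauthenticated callers, unknown records and subjects
        # without a matching ACL entry all fall through to False.
        if not who.authenticated or record_id not in self._records:
            return False
        subs = who.subjects()
        return any(s in subs and op in ops for s, ops in self._acl.get(record_id, []))

    def _check(self, who, op, record_id):
        ok = self._allowed(who, op, record_id)
        self.audit.append((who.user_id, op, record_id, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{who.user_id} may not {op} {record_id}")

    def read(self, who, record_id):
        self._check(who, "read", record_id)
        out = {}
        for name, value in self._records[record_id].items():
            approved = OUTPUT_ROLES.get(name)
            out[name] = value if approved is None or (who.roles & approved) else "***"
        return out

    def modify(self, who, record_id, **changes):
        self._check(who, "modify", record_id)
        self._records[record_id].update(changes)

    def delete(self, who, record_id):
        self._check(who, "delete", record_id)
        del self._records[record_id]
        self._acl.pop(record_id, None)


def demo():
    """Exercise the store with constructed users; return what each saw and the audit trail."""
    store = ConfidentialStore()
    adjuster = Principal("alice", frozenset({"claims-adjuster"}))
    auditor = Principal("bob", frozenset({"compliance"}))
    anon = Principal("mallory", authenticated=False)

    store.create("claim-1", {"claimant": "J. Doe", "ssn": "123-45-6789"}, adjuster)
    store.provision("claim-1", "role:compliance", {"read"})  # read-only for the auditor role

    results = {"alice_read": store.read(adjuster, "claim-1"),
               "bob_read": store.read(auditor, "claim-1")}
    for who, op in ((auditor, "delete"), (anon, "read")):
        try:
            getattr(store, op)(who, "claim-1")
            results[f"{who.user_id}_{op}"] = "allowed"
        except PermissionError:
            results[f"{who.user_id}_{op}"] = "denied"
    return results, store.audit


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(key, value)
```

Two points the criterion's wording leaves implicit are visible in the code: read permission and output restriction are separate decisions, so the record's owner, who holds every operation, still receives the SSN masked because her role is not approved for that field; and every decision, allowed or denied, lands in the audit list, which is the evidence a service auditor will ask for when testing this control.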

Polling Question #2
If your organization issues a SOC report, who is the primary decision maker/buyer?
a) Chief Financial Officer
b) Chief Compliance Officer
c) Chief Information Officer
d) Director/VP of Internal Audit
e) Marketing Officer
f) Information Security Officer
g) N/A - my organization does not issue a SOC report
h) Unsure/don't know

Mapping 2014 TSP to 2009 TSP
Source: AICPA, http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/tspc/trust_services_criteria_mapping_2009_2014.pdf

Mapping of SOC 2 Principles and Criteria to Other Industry Standards in Support of Third Party Risk Management

A Couple of Recent Headlines
- "Sony Pictures hack: a PR car crash from which the company may never recover", www.theguardian.com, December 14, 2014
- "Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop", www.nytimes.com, August 5, 2014
Just within the last several months, data breaches have made international headlines and may have caused irreversible damage to two of the largest U.S. companies.

Third-Party Risk Management Requirements and Importance Continue to Increase
Over the last few years there has been a marked increase in the number and severity of data breaches. Studies show that the costs of a data breach are significant. Highlights from a recent study of breaches:
- The average number of breached records per incident in the United States was 28,765.
- The average total cost per incident to the organization in the United States was $5.4 million, excluding fines.
- The average breach cost per record was approximately $188; this number varied depending on the industry.
(Source: 2013 Cost of Data Breach Study: Global Analysis, research sponsored by Symantec, May 2013, Ponemon Institute.)
The need to develop a robust third-party risk management program, which includes obtaining control assurance from critical third parties, is a long-term trend.

Breaches by the Numbers
- Forty-three percent of companies had a data breach in the past year.
- Only 15 percent of breaches make it into the media.
- 600-700 breaches are reported nationally in an average year.
Sources: http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197/ and http://www-935.ibm.com/services/multimedia/sel03027usen_poneman_2014_cost_of_data_breach_study.pdf

Data Breach Costs
Average cost per record lost in 2014 = $145
Source: http://www-935.ibm.com/services/multimedia/sel03027usen_poneman_2014_cost_of_data_breach_study.pdf

Third-Party Risk Management Concerns
Chart comparing 2011, 2012 and 2013 survey results for the percentage of organizations that experienced at least one disruption; whose disruptions originated below the immediate tier one supplier; whose disruptions had an IT or telecommunications cause; and that suffered more than 1m Euro in costs per incident.
Source: Supply Chain Resilience, November 2012 and November 2013, Business Continuity Institute

Third-Party Risk Management Activities
Vendor management activities performed should be based on the risk associated with the vendor. To see that the risks with third parties are addressed properly, organizations should consider performing the following activities:
- Review service providers' policies and procedures.
- Request that service providers respond to internal control questionnaires.
- Perform on-site reviews of service providers' operations.
- Review SOC reports: organizations can use SOC reports to obtain a level of comfort over a service provider's controls related to security, availability, processing integrity, confidentiality and privacy.

Polling Question #3
What type of SOC reports is your organization receiving from vendors and/or providing to customers on an annual basis?
a) SOC 1 / SSAE 16
b) SOC 2
c) SOC 1 and SOC 2
d) Other (e.g., AT 101, AT 601, Agreed-Upon Procedures)
e) SOC 1, SOC 2 and Other
f) None - our organization does not obtain SOC reports from service providers or issue a SOC report
g) Unsure/don't know

Commonly Outsourced Functions
- Payroll processing
- Customer service
- Accounts receivable
- Accounts payable
- IT services
- Cloud computing
- Managed services
- Co-location services

Cloud Computing (chart; source: IDG Enterprise)

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- Developed by the CSA
- Establishes a controls framework for cloud providers to follow
- Assists cloud customers in evaluating cloud service providers
- Provides a controls framework in 16 domains that are mapped to other industry-accepted security standards, regulations, and controls frameworks

CCM Domains (diagram; source: https://cloudsecurityalliance.org/)

CCM Controls Map to SOC 2 Criteria
CCM Datacenter Security DCS-02, control specification: Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Mapped SOC 2 TSP criterion CC5.5: Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel.

Illustrative SOC 2 Report With the Criteria in the CSA CCM (excerpts of an illustrative report and its opinion; source: AICPA)

Polling Question #4
In addition to the Cloud Controls Matrix, which of the following control/regulatory frameworks do you think will also become valuable to cover as additional subject matter within a SOC 2 report?
a) HIPAA
b) NIST Cybersecurity Framework
c) PCI DSS
d) ISO 27001
e) COBIT 5
f) All of the above
g) Unsure/don't know

Summary and Concluding Thoughts
- Vendor management activities will continue to be an emphasis in the marketplace and drive the need for SOC reporting.
- The number of SOC 2 reports will increase faster than the more mature SOC 1 / SSAE 16 report format (which will also grow quickly).
- The SOC 2 assurance focus is both fixed (it covers a set of standard TSPC) and flexible (other subject matter can be added as desired); more organizations will take advantage of this feature over time.
- SOC 2 reports will be used increasingly to demonstrate compliance with other popular control frameworks; the CCM is just the first of several frameworks that will be added to the base TSPC.

Questions?

For More Information, Contact:
Arshad Ahmed, 574.236.7602, arshad.ahmed@crowehorwath.com
Rod Smith, 212.751.8151, rod.smith@crowehorwath.com
Sue Horn, 614.365.2236, sue.horn@crowehorwath.com
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International.