SOC Lessons Learned and Reporting Changes Dec. 16, 2014
Your Presenters Today
Arshad Ahmed, CISA, CISSP, CPA - Leader of SOC and Technology Risk Services for Crowe
Rod Smith, CISA, CPA - Thought Leader for Crowe SOC Services
Sue Horn, CISA, CPA - Thought Leader for Crowe SOC Services
2014 Crowe Horwath LLP 2
Agenda
Lessons Learned During 2014: How You Can Improve Your Organization's Reporting Process Going Forward
Changes to SOC 2 Principles and Criteria
Mapping of SOC 2 Principles and Criteria to Other Industry Standards
Summary and Conclusion
Q&A
Types of SOC Reports
Report Form   Assurance Focus / Report Use                          Underlying Standard
SOC 1         Internal Controls Related to Financial Reporting      SSAE 16 / AT 801
SOC 2         Trust Services Principles; Restricted Use Report      AT 101
SOC 3         Trust Services Principles; General Use Report         AT 101
Which Report Should Be Chosen?
Lessons Learned in 2014
Lessons Learned
Service organizations had fewer challenges with the report type and coverage selections; however, there were still challenges with SOC 2 reports.
Service organizations had better organized and better prepared management assertions and the basis for those assertions; however, these are still a work in progress.
Service organizations had better documented and more effective risk assessments.
Service organizations effectively increased the information included in the description of systems.
Summary: There was continued improvement in those areas for which the service organization's management is [partially or fully] responsible.
Lessons Learned (Cont'd)
Communication of significant changes to service auditors improved as more touch points took place.
Communication of complementary user entity controls to user organizations improved.
Disclosures of subservice organizations continued to increase.
There has been an increase in requests by clients for interim visits.
Service organizations continued to look for ways to decrease audit costs and duplication of testing by requesting that the service auditor rely on the work performed by Internal Audit.
Summary: Audit and regulatory requirements continue to increase. Service organizations are responding to the increased scrutiny by improving in the areas of increased audit focus and in audit efficiency.
Polling Question #1
In your opinion, what is the primary driver for an organization to request a SOC report from a service provider?
a) SOC reports are required to be reviewed periodically based on my organization's vendor management procedures.
b) SOC reports are utilized in support of the financial reporting process of my organization.
c) To gain assurance regarding a service organization's compliance with regulatory requirements (e.g., HIPAA) or a control framework of interest (e.g., NIST, COBIT).
d) To assist in evaluating a service organization from a business or service level agreement standpoint.
e) All of the above.
Changes to SOC 2 Principles and Criteria
Trust Services Principles
Security: The system is protected against unauthorized access, use, or modification.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed to.
Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).
Relationship Among Principles, Criteria, and Controls (diagram: Principles are met by Criteria, which are met by Controls)
Revised Trust Services Principles (TSP) in 2014
A change was introduced to recognize that many of the criteria used to evaluate a system are shared among all the principles except privacy.
Criteria common to security, availability, confidentiality, and processing integrity:
Organization and management
Communications
Risk management and design and implementation of controls
Monitoring of controls
Logical and physical access controls
System operations
Change management
Note: The criteria related to privacy are under review but remain unchanged at this time.
Example Criteria and Illustrative Controls
Common Criteria 7.4: Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, confidentiality, or any combination thereof] commitments and requirements.
Illustrative Controls:
System change requests must be reviewed and approved by the owner of the infrastructure or software and the change advisory board prior to work commencing on the requested change.
Test plans and test data are created and used in required system and regression testing. Test plans and test data are reviewed and approved by the testing manager prior to and at the completion of testing, and reviewed by the change advisory board prior to newly developed or changed software being authorized for migration to production.
Changes are reviewed and approved by the change advisory board prior to implementation.
Logical access controls and change management tools restrict the ability to migrate between development, test, and production to change deployment personnel.
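The illustrative controls above are only useful to a service auditor or an internal audit function if they can be tested against a population of changes. The following is an added example, not code from the Crowe deck or from the AICPA illustrative controls, showing how change records might be evaluated against CC7.4: owner and change advisory board approval before work begins, a test plan approved by the testing manager, CAB release approval recorded before the production migration, and migration performed only by designated deployment personnel. The record fields, the sample change tickets, the timestamps and the CHANGE_DEPLOYERS account list are hypothetical conventions constructed for this example.

```python
"""Population test of change records against SOC 2 common criterion CC7.4.

Added example, not code from the Crowe deck. The Change fields, the sample
records and the CHANGE_DEPLOYERS account list are hypothetical conventions
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical: the only accounts permitted to migrate code into production.
CHANGE_DEPLOYERS = {"deploy-svc", "release-mgr"}


@dataclass
class Change:
    change_id: str
    owner_approved: bool          # infrastructure/software owner approved before work began
    cab_approved_pre_work: bool   # change advisory board approved before work commenced
    test_plan_approved: bool      # testing manager signed off test plan and test data
    cab_release_approved_at: str  # ISO timestamp of CAB release approval, "" if none
    deployed_by: str              # account that performed the production migration
    deployed_at: str              # ISO timestamp of the production migration


def exceptions_for(change):
    """Return the CC7.4 control failures for one change (empty list means it passes)."""
    ex = []
    if not (change.owner_approved and change.cab_approved_pre_work):
        ex.append("request not approved by owner and CAB before work commenced")
    if not change.test_plan_approved:
        ex.append("test plan and test data not approved by testing manager")
    if not change.cab_release_approved_at:
        ex.append("no CAB approval prior to implementation")
    elif datetime.fromisoformat(change.cab_release_approved_at) > datetime.fromisoformat(change.deployed_at):
        # An approval exists but was recorded after the migration: the gate was bypassed.
        ex.append("CAB release approval recorded after deployment")
    if change.deployed_by not in CHANGE_DEPLOYERS:
        # Segregation of duties: only deployment personnel may move code to production.
        ex.append(f"production migration performed by non-deployment account {change.deployed_by!r}")
    return ex


def evaluate_population(changes):
    """Map change_id -> list of exceptions for every change that fails at least one control."""
    results = {}
    for change in changes:
        ex = exceptions_for(change)
        if ex:
            results[change.change_id] = ex
    return results


# Constructed sample population (not real data).
SAMPLE_CHANGES = [
    Change("CHG-1001", True, True, True, "2014-11-03T09:00:00", "deploy-svc", "2014-11-03T14:05:00"),
    Change("CHG-1002", True, True, True, "", "dev-jsmith", "2014-11-05T18:40:00"),
    Change("CHG-1003", True, True, True, "2014-11-10T16:30:00", "release-mgr", "2014-11-10T11:15:00"),
    Change("CHG-1004", False, True, False, "2014-11-12T10:00:00", "deploy-svc", "2014-11-12T12:00:00"),
]

if __name__ == "__main__":
    for change_id, ex in evaluate_population(SAMPLE_CHANGES).items():
        print(change_id)
        for e in ex:
            print("  -", e)
```

Run stand-alone, the script lists CHG-1002 (no release approval, deployed by a developer account), CHG-1003 (approval back-dated after the deployment) and CHG-1004 (no owner approval, no approved test plan) as exceptions; CHG-1001 passes. The ordering check on CHG-1003 is the one testers most often skip: a ticket that shows an approval is not evidence that the approval preceded the migration.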
Revised TSP in 2014
The common criteria constitute the complete set of criteria for the security principle.
Effective date: time periods ending on or after Dec. 15, 2014; early adoption is permitted.
Additional criteria have been created for the availability, confidentiality, and processing integrity principles:
Availability - 3 criteria
Confidentiality - 6 criteria
Processing integrity - 6 criteria
Example Criteria and Illustrative Controls
Confidentiality Principle, Criteria C1.2: Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
Illustrative Controls:
Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
Logical access other than through authorized applications is restricted to administrators through database management system native security. Creation and modification of access control records for the database management systems occur through the access-provisioning process.
Application-level security restricts the ability to access, modify, and delete data to authenticated users who have been granted access through records in the access control list. Creation and modification of access control records occur through the access-provisioning process.
Application security restricts output to approved roles or user IDs.
Paper forms are secured physically after data entry. Physical access is restricted to storage clerks.
Polling Question #2
If your organization issues a SOC report, who is the primary decision maker/buyer?
a) Chief Financial Officer
b) Chief Compliance Officer
c) Chief Information Officer
d) Director/VP of Internal Audit
e) Marketing Officer
f) Information Security Officer
g) N/A - My organization does not issue a SOC report
h) Unsure/don't know
Mapping 2014 TSP to 2009 TSP
Source: AICPA http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/tspc/trust_services_criteria_mapping_2009_2014.pdf
Mapping of SOC 2 Principles and Criteria to Other Industry Standards in Support of Third Party Risk Management
A Couple of Recent Headlines
"Sony Pictures hack: A PR Car Crash from which the company may never recover," www.theguardian.com, December 14, 2014
"Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop," www.nytimes.com, August 5, 2014
Just within the last several months, data breaches have made international headlines and may have caused irreversible damage to two of the largest U.S. companies.
Third-Party Risk Management Requirements and Importance Continue to Increase
Over the last few years there has been a marked increase in the number and severity of data breaches. Studies show that the costs of a data breach are significant. Below are highlights from a recent study related to breaches:
The average number of breached records per incident in the United States was 28,765.
The average total cost per incident to the organization in the United States was $5.4 million, excluding fines.
The average breach cost per record was approximately $188. This number varied depending on the industry.
(Source: 2013 Cost of Data Breach Study: Global Analysis, research sponsored by Symantec, May 2013, Ponemon Institute.)
The need for developing a robust third-party risk management program, which includes obtaining control assurance from critical third parties, is a long-term trend.
Breaches by the Numbers
Forty-three percent of companies had a data breach in the past year.
Only 15 percent of breaches make it into the media.
600-700 breaches are reported nationally in an average year.
Sources:
http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197/
http://www-935.ibm.com/services/multimedia/sel03027usen_poneman_2014_cost_of_data_breach_study.pdf
Data Breach Costs
Average cost per record lost in 2014 = $145
Source: http://www-935.ibm.com/services/multimedia/sel03027usen_poneman_2014_cost_of_data_breach_study.pdf
Third-Party Risk Management Concerns (chart of 2011-2013 survey results: share of organizations that experienced at least one disruption; disruptions that originated below the immediate tier-one supplier; disruptions with an IT or telecommunication cause; organizations that suffered more than 1m Euro in costs per incident)
Source: Supply Chain Resilience, November 2012 and November 2013, Business Continuity Institute
Third-Party Risk Management Activities
Vendor management activities performed should be based on the risk associated with the vendor. To see that the risks with third parties are addressed properly, organizations should consider performing the following activities:
Review service providers' policies and procedures.
Request that service providers respond to internal control questionnaires.
Perform on-site reviews of service providers' operations.
Review SOC reports: Organizations can use SOC reports to obtain a level of comfort over a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy.
Polling Question #3
What type of SOC reports is your organization receiving from vendors and/or providing to customers on an annual basis?
a) SOC 1 / SSAE 16
b) SOC 2
c) SOC 1 and SOC 2
d) Other (e.g., AT 101, AT 601, Agreed-Upon Procedures)
e) SOC 1, SOC 2 and Other
f) None - Our organization does not obtain SOC reports from service providers or issue a SOC report
g) Unsure/don't know
Commonly Outsourced Functions
Payroll Processing
Customer Service
Accounts Receivable
Accounts Payable
IT Services
Cloud Computing
Managed Services
Co-location Services
Cloud Computing (chart) Source: IDG Enterprise
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
Developed by the CSA
Establishes a controls framework for cloud providers to follow
Assists cloud customers in evaluating cloud service providers
Provides a controls framework in 16 domains that are mapped to other industry-accepted security standards, regulations, and controls frameworks
CCM Domains (diagram) Source: https://cloudsecurityalliance.org/
CCM Controls Map to SOC 2 Criteria
Datacenter Security, DCS-02 Control Specification: Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
SOC 2 TSP Criteria, CC5.5: Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel.
Illustrative SOC 2 Report With the Criteria in the CSA CCM: Opinion of SOC 2 Report (report excerpt) Source: AICPA
Illustrative SOC 2 Report With the Criteria in the CSA CCM (report excerpt) Source: AICPA
Polling Question #4
In addition to the Cloud Controls Matrix, which of the following control/regulatory frameworks do you think will also become valuable to cover as additional subject matter within a SOC 2 report?
a) HIPAA
b) NIST Cybersecurity Framework
c) PCI DSS
d) ISO 27001
e) COBIT 5
f) All of the above
g) Unsure/don't know
Summary and Concluding Thoughts
Vendor management activities will continue to be an emphasis in the marketplace and drive the need for SOC reporting.
The number of SOC 2 reports will increase faster than the more mature SOC 1 / SSAE 16 report format (which will also grow quickly).
The SOC 2 assurance focus is both fixed (it covers a standard set of TSPC) and flexible (other subject matter can be added as desired); more organizations will take advantage of this feature over time.
SOC 2 reports will be used increasingly to demonstrate compliance with other popular control frameworks; the CCM is just the first of several frameworks that will be added to the base TSPC.
Questions?
For More Information, Contact:
Arshad Ahmed 574.236.7602 arshad.ahmed@crowehorwath.com
Rod Smith 212.751.8151 rod.smith@crowehorwath.com
Sue Horn 614.365.2236 sue.horn@crowehorwath.com
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International.