IT Attestation in the Cloud Era

Similar documents
Understanding and Evaluating Service Organization Controls (SOC) Reports

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

ISACA Cincinnati Chapter March Meeting

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Auditing IT General Controls

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Evaluating SOC Reports and NEW Reporting Requirements

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

SOC Reporting / SSAE 18 Update July, 2017

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Making trust evident Reporting on controls at Service Organizations

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

IGNITING GROWTH. Why a SOC Report Makes All the Difference

SOC Lessons Learned and Reporting Changes

Achieving third-party reporting proficiency with SOC 2+

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Information Technology General Control Review

Transitioning from SAS 70 to SSAE 16

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

_isms_27001_fnd_en_sample_set01_v2, Group A

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

The SOC 2 Compliance Handbook:

Protecting your data. EY s approach to data privacy and information security

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Information for entity management. April 2018

HITRUST CSF: One Framework

How to avoid storms in the cloud. The Australian experience and global trends

HIPAA Privacy, Security and Breach Notification

Demonstrating data privacy for GDPR and beyond

CASE STUDY: USING THE HYBRID CLOUD TO INCREASE CORPORATE VALUE AND ADAPT TO COMPETITIVE WORLD TRENDS

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SOC 3 for Security and Availability

Cyber security and awareness for non-financial services. 24/25 May 2017

CSF to Support SOC 2 Repor(ng

Position Description IT Auditor

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

The Common Controls Framework BY ADOBE

GDPR: A QUICK OVERVIEW

Cloud First Policy General Directorate of Governance and Operations Version April 2017

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

Google Cloud & the General Data Protection Regulation (GDPR)

Audit Considerations Relating to an Entity Using a Service Organization

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

TRACKVIA SECURITY OVERVIEW

Granted: The Cloud comes with security and continuity...

SOC for cybersecurity

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

THE POWER OF TECH-SAVVY BOARDS:

QuickBooks Online Security White Paper July 2017

Checklist: Credit Union Information Security and Privacy Policies

Exploring Emerging Cyber Attest Requirements

01.0 Policy Responsibilities and Oversight

Credit Union Service Organization Compliance

Application for Certification

University of Pittsburgh Security Assessment Questionnaire (v1.7)

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Certified Information Security Manager (CISM) Course Overview

TEL2813/IS2820 Security Management

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Independent Accountants Report. Utrecht, 28 January To the Management of GBO.Overheid:

EY s data privacy service offering

ADIENT VENDOR SECURITY STANDARD

TSC Business Continuity & Disaster Recovery Session

Peer Collaboration The Next Best Practice for Third Party Risk Management

SECURITY & PRIVACY DOCUMENTATION

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Clarity on Cyber Security. Media conference 29 May 2018

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Data Security: Public Contracts and the Cloud

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

Workday s Robust Privacy Program

Projectplace: A Secure Project Collaboration Solution

Cyber Criminal Methods & Prevention Techniques. By

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Cloud Computing: A European Perspective. Rolf von Roessing CISA, CGEIT, CISM International Vice President, ISACA

HIPAA Federal Security Rule H I P A A

A Model for Resilience

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

The GDPR Are you ready?

Cybersecurity The Evolving Landscape

Baseline Information Security and Privacy Requirements for Suppliers

Enabling Hybrid Cloud Transformation

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

ISO/ IEC (ITSM) Certification Roadmap

Transcription:

IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting

Contents Introduction SOC Assurance Reporting Overview & Market Trends Effectively using SOC reports Conclusion Q/A 1

Cloud Impact on Business Cloud Environment = Internet-based data access & exchange + Internet-based access to low cost computing & applications Virtualized Technology Virtualized Processes Opportunities to Leverage Commoditized Enterprise Applications and Economies of Scale Virtualized Organization Virtualized Business Models Speed to Market Improve Working Capital Reduce Invested Capital Reduce Cost of Goods Sold Reduce SG&A 2

KPMG Recent Survey 100% 80% 60% 68% Over 2/3 Are Already Using Cloud or Plan To In Next 2 Years 40% 40% 28% 20% 9% 6% 10% 7% 0% Already using Cloud Planning to do so within next 2 years Planning to do so in 2-3 years Planning to do so in 3+ years No, not at this time Not sure what the plans are 3

Key Security Challenges Security has been the greatest concern surrounding Cloud Adoption at enterprises 4

Computing Model Employees, Private Intranet Internal External Strangers, Public Internet Complexity and Exposure define assurance model Proprietary, Distributed, Complex Cloud Need for Increased assurance Private Cloud Virtual Private Cloud Public Cloud External Portal Exposure Corporate Data Center Outsourced Data Center Reliance on Internal Controls Traditional Familiar, Simple 5

Service Organization Control Assurance Reporting Overview and Market Trends

Service Organization Control (SOC) Assurance Reporting Scope/Focus Report Summary Applicability Internal Control Over Financial Reporting (ICOFR) ISAE3402 / SOC1* Detailed report for users and their auditors Focused on financial reporting risks and controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems. Operational Controls ISAE3000/ SOC2 SM ISAE3000 / SOC3 SM ** Detailed report for user organizations, their auditors, and specified parties Short report that can be more generally distributed, with the option of displaying a web site seal Focused on Trust Services Principles: - Security - Availability - Confidentiality - Processing Integrity and/or - Privacy. Applicable to a broader variety of systems. * Sometimes also referred to as an SSAE 16, AT 801 ** Sometimes also referred to as a SysTrust, WebTrust, or Trust Services report 7

Type 1 and Type 2 Reports Point in time reports (Type 1) reports cover the suitability of design of controls as of a point in time. The Type I report is a snapshot in time. Period of time (Type 2) reports cover the suitability of design and operating effectiveness of controls over a period of time, typically 6 or 12 months. For example, a service organization providing a new service might start by completing an initial SOC2 Type 1 examination and then complete recurring SOC2 Type 2 examinations. Generally, when talking about a service organization control report, a Type II report is meant. A Type I report should be seen as an informative report. 8

Contrasting SOC2/SOC3 and SOC1 Report Scope Attribute SOC2/SOC3 SOC1 Required Focus Operational Controls ICOFR Defined Scope of System Infrastructure Software Procedures People Data Classes of transactions Procedures for processing and reporting transactions Accounting records of the system Handling of significant events and conditions other than transactions Report preparation for users Other aspects relevant to processing and reporting user transactions Control Domains Covered Security Availability Transaction processing controls Supporting IT general controls Confidentiality Processing Integrity and/or Privacy Level of Standardization Principles selected by service provider. Pre-defined criteria used rather than control objectives. Control objectives defined by service provider and may vary depending on the type of service provided. 9

Applicability of Trust Services Principles Domain Trust Services Principle Trends Regarding Applicability Most commonly requested area of coverage. Security The system is protected against unauthorized access (both physical and logical). Security criteria are also incorporated into the other principles because security controls provide a foundation for the other domains. Applicable to all outsourced environments, particularly where enterprise users require assurance regarding the service provider s security controls for any system, nonfinancial or financial. Availability The system is available for operation and use as committed or agreed. Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering. Most applicable where enterprise users require assurance regarding processes to achieve system availability SLAs as well as disaster recovery which cannot be covered as part of SOC1 reports 10

Applicability of Trust Services Principles (continued) Domain Trust Services Principle Trends Regarding Applicability Confidentiality Processing Integrity Information designated as confidential is protected as committed or agreed. System processing is complete, accurate, timely, and authorized. Most applicable where the user requires additional assurance regarding the service provider s practices for protecting sensitive business information. Applicable where a service provider is entrusted to maintain the confidentiality of an enterprise customer s data of all types. Potentially applicable for a wide variety of non-financial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing. Privacy Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity s privacy notice and with criteria set forth in generally accepted privacy principles and regulatory frameworks. Most applicable where the service provider interacts directly with end users and gathers their personal information. Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program. 11

SOC2/SOC3 Criteria Summary Security Security policies Security awareness and communication Risk assessment Threat identification Information classification Logical access Physical access Security monitoring Incident management Encryption Personnel Systems development and maintenance Configuration management Change management Monitoring / compliance Availability Confidentiality Processing Integrity Privacy Availability policy Backup and restoration Environmental controls Disaster recovery Confidentiality policy Confidentiality of inputs, data processing, and outputs Information disclosures Confidentiality of Information in systems development System processing integrity policies Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs Information tracing from source to disposition Management Notice Choice and consent Collection Use and retention Access Disclosure to third parties Quality Monitoring and enforcement 12

Contrasting the level of detail provided by SOC 2 and SOC 3 reports SOC 2 SOC 3 Common benefits Detailed examination based on defined Criteria for Security, Availability, Confidentiality, Processing Integrity, and/ or Privacy Report includes a brief system description Report includes management s assertion regarding controls Where subservice providers are used, management may include its monitoring controls over of those operations. Unique benefits Potential drawbacks SOC 2 is more flexible than SOC 3 for the service provider in that it permits carve out of supporting services provided by subservice providers. SOC 2 includes detail on the service provider s controls as well as the auditor s detailed test procedures, and test results, enabling the reader of the report to assess the service provider at a more granular level. The user may need to obtain additional reports from significant subservice providers to gain comfort over their activities. The user may not want to review the detail of the report (controls, tests, etc.) rather than an overall conclusion. Service providers may not be willing to share a detailed report due to concerns regarding disclosing sensitive information (i.e., detailed security controls). SOC 3 provides an overall conclusion on whether the service provider achieved the stated Trust Services Criteria, and the user does not need to digest pages of detailed control descriptions, and test procedures. If the service provider meets all of the Criteria, it may choose to display the SOC 3 seal on its Web site which links to the SOC 3 report. SOC 3 does not permit carve-out of significant subservice provider activities. If it is not feasible to cover those activities as part of the service provider s audit, SOC 3 is not an available option. If one or more of the Criteria are not met, the service provider would not be able to display the SOC 3 seal until the issue(s) are corrected, and re-audited. 13

SOC report structure Traditional SAS 70 SOC1 SOC 2 SOC 3 Auditor s Opinion Auditor s Opinion Auditor s Opinion Auditor s Opinion - Management Assertion Management Assertion Management Assertion System Description (including controls) System Description (including controls) System Description (including controls) System Description (including controls) Control objectives Control objectives Criteria Criteria (referenced) Control activities Control activities Control activities - Tests of operating effectiveness* Tests of operating effectiveness* Tests of operating effectiveness* - Results of tests* Results of tests* Results of tests* - Other Information (if applicable) Other Information (if applicable) Other Information (if applicable) - * Note: Applicable for Type 2 reports 14

Effectively Using SOC Reports

SOC Reports for Different Scenarios SOC1 Financial Reporting Controls Financial services Asset management and custody services Healthcare claims processing Payroll processing Payment processing Cloud ERP service Data center co-location IT systems management SOC2/SOC3 Operational Controls Cloud-based services (SaaS, PaaS, IaaS) HR services Security services Email, collaboration and communications Any service where customers primary concern is security, availability or privacy Financial Process and Supporting System Controls Security Processing Integrity Availability Confidentiality Privacy 16

Using SOC Reports to Streamline Vendor Questionnaire Processing and Assist with Regulatory Compliance The SOC2 report can serve as a tool to: Answer questions that would ordinarily be included in vendor questionnaires Assist user organizations in addressing regulatory compliance requirements such as those imposed by SOX-404 and Data Protection law and other local regulatory requirements (i.e.bog Governors s act 2577/2006) As shown below, the service provider could include a mapping table in the Other Information section of the SOC2 report showing how their controls align with common vendor security questionnaire topics or the requirements of a specific standard/regulation (for example, ISO 27001/27002). SAMPLE Relation of Service Provider s Controls to ISO 27001/27002 Control Objectives Service Provider has developed its controls to align with the ISO 27001/27002 control objectives. Included below is a mapping of the ISO 27001/27002 topics to related Service Provider controls covered in this report. ISO 27001/27002 Control Objective Topics A.5.1 Information security policy 1.01.01, 1.02.01 A.6.1 Internal organization 1.03.01 A.6.2 External parties 1.02.02 Related Service Provider Controls 17

Our IT Attestation Methodology The following diagram provides an overview of our IT Attestation approach. It reflects our Manage to Success philosophy for first year audits. Readiness Review Remediation Attestation Define the audit scope. Select relevant principles/criteria and determine which systems, processes, and groups are in scope. Identify key controls that are in place or needed to address the audit objectives or criteria. Conduct interviews; review system documentation, policies, and procedures; and perform focused tests to identify any significant gaps. Provide recommendations to address identified gaps. Conduct periodic meetings or conference calls to review remediation progress and answer any questions. Plan the timing of the audit. Provide documentation requests and schedule interviews. Perform test procedures to determine whether controls are properly designed and operating effectively to achieve the audit objective or criteria. Issue KPMG s examination report. Provide a management report reflecting any observations and recommendations. 18

Conclusion ISAE 3402 ISAE 3000 Service Organization User Organization - Provide a competitive advantage - The SO can avoid unexpected audits - Assist in building trust & confidence - SOC2/3 can incorporate other publically available frameworks such as ISO 2700x, PCI/ etc. - Provide an independent assessment - Assist with regulatory compliance - Reduce the possibility of additional audit costs - Increase audit efficiency 19

Q & A

Thank You 2013 KPMG Advisors AE, a Greek Societe Anonyme and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback