Achieving third-party reporting proficiency with SOC 2+

Similar documents
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Adopting SSAE 18 for SOC 1 reports

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

ISACA Cincinnati Chapter March Meeting

The Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory

SOC for cybersecurity

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

IT Attestation in the Cloud Era

Multi-factor authentication enrollment guide for Deloitte client or business partner user

The SOC 2 Compliance Handbook:

Cyber Security is it a boardroom issue?

Achieving effective risk management and continuous compliance with Deloitte and SAP

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Vulnerability Management. June Risk Advisory

The New Healthcare Economy is rising up

MFA Enrollment Guide. Multi-Factor Authentication (MFA) Enrollment guide STAGE Environment

Emerging Technologies The risks they pose to your organisations

Understanding and Evaluating Service Organization Controls (SOC) Reports

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SOC Lessons Learned and Reporting Changes

Exploring Emerging Cyber Attest Requirements

HIPAA Privacy, Security and Breach Notification

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

CFOs in a new global environment Sandy Cockrell, Deloitte

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

The value of visibility. Cybersecurity risk management examination

Are we breached? Deloitte's Cyber Threat Hunting

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

HITRUST CSF: One Framework

Security and Privacy Governance Program Guidelines

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

SOC 3 for Security and Availability

Information for entity management. April 2018

Introduction to AWS GoldBase

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Risk Advisory Academy Training Brochure

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

GDPR: A QUICK OVERVIEW

Google Cloud & the General Data Protection Regulation (GDPR)

Credit Union Service Organization Compliance

Business Assurance for the 21st Century

COBIT 5 With COSO 2013

INTELLIGENCE DRIVEN GRC FOR SECURITY

Demonstrating data privacy for GDPR and beyond

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Real estate predictions 2017 What changes lie ahead?

Cyber Espionage A proactive approach to cyber security

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

CSF to Support SOC 2 Repor(ng

SOC Reporting / SSAE 18 Update July, 2017

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

ISO 27001:2013 certification

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Compliance with CloudCheckr

The Role of the Data Protection Officer

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

ISO/IEC INTERNATIONAL STANDARD

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Autobot - IoT enabled security. For Private circulation only October Risk Advisory

DeMystifying Data Breaches and Information Security Compliance

EU General Data Protection Regulation (GDPR) Achieving compliance

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

locuz.com SOC Services

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Modern Database Architectures Demand Modern Data Security Measures

Big data privacy in Australia

Cyber Risks in the Boardroom Conference

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Oracle Database Vault

THE POWER OF TECH-SAVVY BOARDS:

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

Peer Collaboration The Next Best Practice for Third Party Risk Management

Creating your own payment card Joost Kremers MSc CEH

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Is Your Compliance Strategy Putting Your Business at Risk?

CIPP/E CIPT. Data Protection Technologist (DPT) Training Bundle Official IAPP Training and Certification

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Anticipating the wider business impact of a cyber breach in the health care industry

Workday s Robust Privacy Program

HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

Introduction. When it comes to GDPR compliance, is OK for now enough? Minds made for protecting financial services

GDPR Privacy Webinar. Prioritizing Your Path towards GDPR Compliance Annika Sponselee and Nicole Vreeman 28 February 2018

#DeloitteInnovation: In-Time How efficiently do you use your SAP HANA?

Audit Considerations Relating to an Entity Using a Service Organization

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Transcription:

Achieving third-party reporting proficiency with SOC 2+

Achieving third-party reporting proficiency with SOC 2+ Today s organizations do business within a broad ecosystem. Customers, partners, agents, affiliates, vendors, and service providers make up an extended enterprise of third parties, many with operations around the world. The extended enterprise gives companies access to a broad range of capabilities, creating new and exciting market opportunities. At the same time, it has altered how organizations must assess and manage enterprise risk. The growing use of outsource service providers (OSPs) to carry out a wide array of functions, many of them mission-critical, has fueled concern over greater enterprise risk exposure. Increased reliance on OSPs exposes organizations to risks that are difficult to identify, manage, and monitor. This has prompted organizations to demand that OSPs provide them with Service Organization Control (SOC) reports. These third-party assurance (TPA) reports help OSPs build trust and confidence in their service delivery processes and controls through the attestation of an independent certified public accountant. Most organizations that work with OSPs are familiar with SOC 1 reports, which cover internal controls over financial reporting (ICFR) and support a customer s financial audit. SOC 2 reports, on the other hand, enter a more expansive territory (see Figure 1), focusing on the OSP s controls that are relevant to American Institute of Certified Public Accountants (AICPA) Trust Service Principles (TSPs): Security: The system is protected against unauthorized access (both physical and logical). The security TSP serves as the basis for all SOC 2 reports and is commonly referred to as the Common Criteria. Availability: The system is available for operation and use as committed or agreed. Processing integrity: System processing is complete, accurate, timely, and authorized. Confidentiality: Information designated as confidential is protected as committed or agreed. Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity s privacy notice. As organizations outsource more of their core operational functions, they re building requirements for SOC 2 reporting directly into their OSP contracts. As a result, we ve seen a large increase in demand for SOC 2 reports: they now comprise approximately one-third of all TPA reports requested by OSPs. In particular demand are enhanced SOC 2 reports, also called SOC 2+ reports. These reports can be used to demonstrate assurance in areas that go beyond the TSPs to include compliance with a wide range of regulatory and industry frameworks such as the National Institute of Standards and Technology (NIST), the International Standardization Organization (ISO), etc. Figure 1. SOC 2: Entering a more expansive territory for reporting Key test once, satisfy many opportunities NIST Control granularity SOC1 SOX SOC2 ISO Physical/ logical security Change mgmt. Security operations Asset mgmt. Control areas HR Business Compliance continuity mgmt. 2

SOC 2+ reports: A way for OSPs to highlight their integrated controls Achieving third-party reporting proficiency with SOC 2+ Providing assurance with regard to the TSPs may be sufficient for some OSPs customers. But others may require greater detail. In particular, those in industries such as health care and financial services have additional industry-specific regulations and requirements. For this reason, the AICPA has created SOC 2+. This extensible framework allows OSPs auditors ( service auditors ) to incorporate various industry standards into a SOC 2 report. For example, the AICPA collaborated with the Health Information Trust Alliance (HITRUST) to develop an illustrative SOC 2+ that incorporates criteria from the HITRUST Common Security Framework (CSF). The AICPA also collaborated with the Cloud Security Alliance (CSA) to develop a third-party assessment program for cloud providers. Called the Security Trust & Assurance Registry (STAR) Attestation, this framework combines SOC 2 attestation with the CSA s Cloud Controls Matrix. 1 SOC 2+ reports are highly flexible tools that can incorporate multiple frameworks and industry standards into third-party assurance reporting (see Figure 2). SOC 2+ reports create substantial efficiencies for organizations. These reports are based on a common control framework and address various industry standards. Therefore, organizations are able to spend less time and fewer resources conducting performance reviews at their OSPs. Both OSPs and customers are also less likely to be exposed to compliance violations that can result in various forms of liability, including fines. This can pave the way for contracts to start specifying integrated framework demands as a way for providing organizations with assurance. For OSPs, the benefits are even more significant. Consider that these businesses must often respond annually to hundreds of individual audit requests, customer questionnaires, and requests for proposals. Many of these requests require a separate analysis and response to the same or overlapping questions. Throw regulatory and industry-specific requirements into the mix, and things get even more complicated and onerous. SOC 2+ reports are a multifaceted and adaptable tool that allow OSPs to demonstrate to organizations and other stakeholders that effective internal controls are in place. These controls pertain to the criteria covered in the TSPs of security, availability, processing integrity, confidentiality, and privacy, as well as many of the more detailed requirements covered in other regulatory and industry-specific frameworks. They offer a standardized format for meeting a broad range of regulatory and non-regulatory control requirements, eliminating the need for redundant activities and one-off responses. They re also flexible enough that they can be tailored to meet the specific needs of organizations. Table 1 lists some example frameworks that could be incorporated into a SOC 2+ and the type of OSPs that could benefit from adding these to their SOC 2 examinations. Figure 2: SOC 2+ reports can incorporate multiple frameworks SOC 2 TSPs HITRUST ISO27001 NIST SOC 2+ One integrated internal control report addressing key regulatory risks CSA 3

Achieving third-party reporting proficiency with SOC 2+ Table 1: Incorporating multiple frameworks into SOC 2+ Framework Description SOC 2 + example HITRUST (Health Information Trust Alliance) NIST (National Institute of Standards and Technology) PCI-DSS (Payment Card Industry Data Security Standard) Cloud Security Alliance (CSA) ISO27001 This framework supports the Health Insurance Portability and Accountability Act (HIPAA), the US government s security standards that all health plans, clearinghouses, and providers must follow. Standards are required at all stages of transmission and storage of health care information to ensure integrity and confidentiality. The NIST Framework focuses on improving critical infrastructure cybersecurity. This is a proprietary standard for organizations involved in the storage, processing, and/or transmission of cardholder data (CHD). CSA, in collaboration with the AICPA, developed a third-party assessment program of cloud providers officially known as CSA Security Trust & Assurance Registry (STAR) Attestation. ISO 27001 is the international standard for securing information assets from threats and provides requirements for broader information security management. An OSP claims processor must have access to HIPAA data in order to execute its responsibilities. To demonstrate that it is adequately safeguarding personal health information, it maps its controls to the HITRUST framework. A company that maintains governmental contracts for building roads and bridges has contractual obligations to demonstrate how it meets the latest revision of NIST. An OSP payment processor stores credit card information for future payments. Its customers want to know the details of the OSP s controls beyond the PCI certification. In situations where there is no PCI certification, there is a need to demonstrate what controls are in place. A data center provider possesses its clients information in both public and private clouds. Due to the unique security configurations, its clients have required a SOC 2+ with STAR. A data center provider has data centers and clients around the world. It continues to get security questionnaires and requests for understanding how it manages security. Rather than addressing each questionnaire individually, the center chooses to compile a SOC 2+ mapped with ISO 27001 to demonstrate its information security controls. 4

Achieving third-party reporting proficiency with SOC 2+ Journeying from SOC 2 to SOC 2+ SOC 2+ reports call for a different way of organizing requirements and testing controls. Therefore, moving from issuing SOC 2 to the more versatile SOC 2+ reports may take some getting used to. Yet any business that wants to become truly proficient in its approach to thirdparty reporting should look at ways to demonstrate compliance with a wide variety of frameworks within a single document. There are a number of guiding principles that will make the journey from SOC 2 to SOC 2+ easier and more effective. Start small Nailing down the basic SOC 2 report is an important first step. Generally, OSPs have a certain degree of leeway when it comes to designing their SOC 2 reports. In fact, most contracts are somewhat vague they don t specify which TSPs, or which systems, should be tested. We therefore recommend focusing initial reporting scope on a subset of environments or a subset of TSPs the principle or principles that are most important to customers. Once you re confident about the controls surrounding a limited set of TSPs and environments, you can then branch out, mapping and testing the controls relevant to a broader set of customer needs. Assurance with regard to the security TSP is more or less a given, so this is the optimal starting point. Furthermore, as cybersecurity becomes increasingly critical, this TSP is likely to become even more important to customers. The most complex of the five is the privacy TSP. Yet with the increase in data breaches, privacy has moved front and center as a concern for many customer organizations. While saving privacy for last may make sense, ultimately it needs to be addressed if an OSP interacts directly with end users and gathers their personal information. SOC 2 privacy reports do require more effort, and OSPs may require outside assistance to complete them. Know your customer Every customer has different requirements. While contracts may be somewhat vague when it comes to the specifics of SOC 2 reporting, don t assume you know what a customer is looking for without first confirming it. For example, issuing a SOC 2 report on Application A and its associated processes, when your customer had really wanted you to be testing Application B, will only result in wasted resources and a lot of rework. Understanding customer needs ultimately comes down to educating your salesforce and other customer touchpoints. When they understand SOC reporting, they can both communicate the benefits and ask customers the right questions to help scope and define their requirements. Taking the time up front to probe customer requirements not only the what, but the why will save you time in the long run and increase customer confidence and trust. Many customers may be unaware that it s possible to combine SOC 2 with other compliance initiatives, such as HIPAA or NIST, when requirements overlap. This gives you an opportunity to show customers how to achieve greater reporting efficiencies. Start with a list of requirements for each of the TSPs and those for other frameworks with which your customers must comply. At the beginning of the engagement, identify areas where similar operational controls will meet both SOC 2 and other requirements and create a master list of the integrated requirements by mapping them to one another. This will allow you to test each control once and then check the box for all the requirements to which it applies. 5

Achieving third-party reporting proficiency with SOC 2+ Organize and plan If this is your first time compiling a SOC 2+ report, then most likely compliance controls haven t been tested by external or independent auditors in the past. It s not uncommon for OSPs, particularly those subject to Sarbanes-Oxley Section 404 (SOX), to focus their control efforts primarily on ICFR. If so, they may not have applied that same level of rigor to the controls for their operational systems. Figure 3: Steps to third-party profiiciency SOC 2 Common Criteria SOC 2 Common Criteria & additional TSPs SOC 2+ We therefore recommend performing readiness testing on these systems to determine whether controls are robust enough to meet the appropriate TSPs or various SOC 2+ framework requirements during an actual examination. In our experience, OSPs that don t prepare in advance tend to have more issues with controls during actual testing. Readiness consists of having an external auditor come in and perform an assessment of the control environment. This includes identifying the controls that are already designed and implemented, as well as any control gaps or deficiencies that will need to be addressed. A readiness assessment can ultimately save time and effort by: Identifying problems before they need to be reported Leveraging subject matter experts to document controls Defining the correct scope and boundaries of the system up front Build on your success Once you feel that you have the necessary controls and procedures in place for SOC 2, you can begin to integrate other frameworks. Individual controls invariably fulfill multiple requirements. For example, a control that meets one of the requirements of a SOC 2 Security TSP may also meet a particular NIST and ISO27001 security requirement (see Table 2). When organizations need OSPs to demonstrate compliance with various industry-specific or regulatory requirements, in addition to general compliance with the TSPs, mapping redundant requirements will greatly faciliate testing efficiences (see Figure 3). Table 2: Example of SOC 2+ control mapping NIST Activity ISO 27001 control # Trust Services Principle criteria Control activity Test procedures Test result The organization: Separates Assignment: organization defined duties of individuals]. Documents separation of duties (SoD) of individuals. Defines information system access authorizations to support separation of duties. A.10.1.3 Common Criteria 5.1: Common Criteria 5.4: A documented security policy outlines SoD among various key business groups. Access requests are run through a GRC system to validate that SoD isn t violated, and results of that validation are maintained within the user s access request ticket. Obtained the access control policy and procedures to ascertain if the policies were updated on a periodic basis and included defined processes for SoD. Inspected a sample of user access additions and changes and ascertained that their access requests were run through the GRC tool to document that SoDs were evaluated. No exceptions noted. 6

Forging into new territory Achieving third-party reporting proficiency with SOC 2+ The complexity of the extended enterprise has exposed organizations to many risks that are outside their control. Organizations that rely on OSPs for important and missioncritical functions need assurance that OSPs have rigorous control processes in place. Furthermore, as regulations proliferate, OSPs and their customers alike must be able to utilize an integrated internal control report with a wide range of industry-specific and other requirements. SOC 2+ reports are an efficient approach to organizing, testing, and reporting on controls for multiple frameworks simultaneously. Outsourcers that have a streamlined process for delivering these reports to customers may find themselves with a significant advantage in demonstrating their third-party proficiency. When OSPs and organizations work together, SOC 2+ reports can become an efficient exchange of information in the marketplace. 7

Contact us Johan Van Grieken Partner Risk Advisory Deloitte Belgium +32 2 800 24 53 jovangrieken@deloitte.com Bert Truyman Director Risk Advisory Deloitte Belgium +32 2 800 23 20 btruyman@deloitte.com Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication. May 2017 Deloitte Belgium. 4258

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback