The SOC 2 Compliance Handbook:

Similar documents
SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

CSF to Support SOC 2 Repor(ng

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

SOC Reporting / SSAE 18 Update July, 2017

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Transitioning from SAS 70 to SSAE 16

Achieving third-party reporting proficiency with SOC 2+

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

ISACA Cincinnati Chapter March Meeting

Exploring Emerging Cyber Attest Requirements

Making trust evident Reporting on controls at Service Organizations

IT Attestation in the Cloud Era

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Evaluating SOC Reports and NEW Reporting Requirements

Credit Union Service Organization Compliance

Understanding and Evaluating Service Organization Controls (SOC) Reports

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

HITRUST CSF: One Framework

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Studio Guggino and Newtonpartner S.r.l. a team of professionals at the service of your Company

Google Cloud & the General Data Protection Regulation (GDPR)

SOC 3 for Security and Availability

Information for entity management. April 2018

SOC for cybersecurity

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Workday s Robust Privacy Program

SOC Lessons Learned and Reporting Changes

DeMystifying Data Breaches and Information Security Compliance

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

10 Considerations for a Cloud Procurement. March 2017

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

CITP Mentoring Program Guidelines

Cloud & Managed Server Hosting for Healthcare Professionals

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

The value of visibility. Cybersecurity risk management examination

SERVICE ORGANIZATION CONTROL 3 REPORT

Maryland Health Care Commission

Optimising cloud security, trust and transparency

IGNITING GROWTH. Why a SOC Report Makes All the Difference

HITRUST Common Security Framework - Are you prepared?

Illustrative cybersecurity risk management report. April 2018

WHITE PAPER. Title. Managed Services for SAS Technology

Demonstrating data privacy for GDPR and beyond

Contracting for an IT General Controls Audit

Addressing Cybersecurity Risk

American Academy of Audiology Responses to Questions from HIPAA Webinar

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

PeopleSoft Finance Access and Security Audit

2017 PORT SECURITY SEMINAR & EXPO. ISACA/CISM Information Security Management Training for Security Directors/Managers

The Honest Advantage

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Audit Considerations Relating to an Entity Using a Service Organization

Business Assurance for the 21st Century

SAS70 Type II Reports Use and Interpretation for SOX

CITP Examination Content Specification Outline

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

EU mhealth Working Group

How to Write an MSSP RFP. White Paper

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Protecting your data. EY s approach to data privacy and information security

Adopting SSAE 18 for SOC 1 reports

OVH Service Organization Controls (SOC SM ) 3 Report-Type II. Trisotech Inc OVH

White Paper. How to Write an MSSP RFP

Peer Collaboration The Next Best Practice for Third Party Risk Management

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Data Security: Public Contracts and the Cloud

WELCOME ISO/IEC 27001:2017 Information Briefing

Auditing IT General Controls

Effective Strategies for Managing Cybersecurity Risks

COBIT 5 With COSO 2013

CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE

Please the completed POL to the following address:

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Security Architecture

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

ISO 27001:2013 certification

Get to know the CPA Exam Blueprints. Presented by: Joseph Maslott, CPA, Senior Manager, AICPA Lori Kelly, CPA, Lead Manager, AICPA

CASA External Peer Review Program Guidelines. Table of Contents

Bandwidth Service Overview

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Transcription:

The SOC 2 Compliance Handbook: Your guide to SOC 2 Audit Success

The SOC 2 Compliance Handbook Page 2 Table of Contents Abstract 3 Why am I being asked about SOC Compliance? 4 What s the difference between a SOC 1 and SOC 2? 5 SOC 1 Audits 5 SOC 2 Audits 5 History of the SOC 2 5 Understanding the Trust Services Principles 6 Type I vs. Type II 7 Who can issue a SOC 2 audit report? 8 Why should I get a SOC 2 audit? 8

The SOC 2 Compliance Handbook Page 3 Abstract Organizations don t want to do business with at-risk vendors. That s why many service organizations are being asked for a SOC 2 audit report. SOC 2 compliance helps to address any and all third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security at a service organization. This white paper will help familiarize you with an overview of SOC 2 compliance and reporting. We will discuss reasons why you may have been asked by a client to receive a SOC 2 audit, the history of SOC 2 reports, understanding the different Trust Services Principles and how they may apply to your organization, and reasons why your organization will benefit from SOC 2 compliance.

The SOC 2 Compliance Handbook Page 4 Why am I being asked about SOC Compliance? It s another busy day in the office. Your time is consumed by overseeing a multitude of responsibilities, conference calls, and customer service. On top of your regular duties, you ve just been asked by a client to get a SOC audit. A what?!, you think. As you scramble to research what a SOC audit is, you may be wondering why you re being asked about SOC compliance in the first place. Service organizations are often required to produce, for their clients and prospects, independent third-party reviews. For companies to be certain their vendors are protecting the confidentiality, integrity, and availability of their sensitive information, they must validate that the internal controls and processes they have in place are protecting key systems and data. demonstrate a commitment to privacy & security SOC2 My client is asking for what??! Service Organization Control reports are reports based on the assessment of the internal controls of the services provided by a service organization, and thusly are a common method for demonstrating a commitment to privacy and security.

The SOC 2 Compliance Handbook Page 5 What s the difference between a SOC 1 and SOC 2? SOC compliance comes in a few different shapes and sizes. Do you need SOC 1 or SOC 2 compliance? What s the difference? Do you need both? SOC 1 Audits A Service Organization Control 1 report, or SOC 1, is based on an audit of the internal controls at a service organization that are relevant to internal control over financial reporting (ICFR). If you handle information that could potentially affect your client s financial reporting, you will most likely be asked for a SOC 1. SOC1 vs. SOC2 History of the SOC 2 The SOC 2 came into existence as a way for service organizations to manage the risks that are associated with outsourcing business operations. The original standard, SAS 70, was a new way for organizations to demonstrate the effectiveness of the internal controls at their organization. When the SOC 1 replaced SAS 70 as a way to report on controls that may affect a client s financial statements, the SOC 2 was introduced as an assessment that specifically addressed security. The SOC 2 is intended to give a broader range of organizations the information security assurance they need to demonstrate that their internal controls related to security, availability, processing integrity, confidentiality, and/or privacy are appropriate and operating effectively. SOC 2 Audits A Service Organization Control 2 report, or SOC 2, is similar to a SOC 1 in that it evaluates internal controls, policies, and procedures. However, the difference is that a SOC 2 reports on controls that are directly related to the security, availability, processing integrity, confidentiality, and privacy. These five criteria are also referred to as the Trust Services Principles, or TSP s.

The SOC 2 Compliance Handbook Page 6 Understanding the Trust Services Principles The SOC 2 audit is based on a predefined set of criteria known as the Trust Services Principles (TSPs). Understanding the Trust Services Principles is a critical part of determining the scope of your SOC 2 audit, deciding how the principles apply to the services you provide, and selecting which Trust Services Principles you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following principles: Security, Confidentiality, Availability, Processing Integrity, and/or Privacy. The AICPA has defined the Trust Services Principles to address the following: Availability The Availability principle typically applies to companies providing colocation, data center, or hosting services to their clients. It ensures that the system you provide to your clients is available for operation and use as agreed upon. It also addresses whether the services you provide are operating with the type of availability your clients expect. Security In a non-privacy SOC 2 engagement, the Security principle must be included. Security is the common criteria that applies to all engagements, and is what the remaining Trust Services Principles are based on. The Security principle addresses whether a system is protected (both physically and logically) against unauthorized access. Processing Integrity If the services you provide are financial services or e-commerce services and you are concerned with transactional integrity, include Processing Integrity in your SOC 2 report. The Processing Integrity principle attests that the services you provide to our clients are provided in a complete, accurate, authorized, and timely manner.

The SOC 2 Compliance Handbook Page 7 Confidentiality If your organization is responsible for handling sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the Confidentiality principle should be present in your SOC 2 audit report. The Confidentiality principle addresses the agreements that you have in place with your clients in regards to how you use their information, who has access to it, and how you protect that information. It verifies whether you are following your contractual obligations by properly protecting client information. Privacy The Privacy principle stands on its own and specifically addresses how you collect and use consumers personal information. It ensures that your organization is handling client data in accordance with any commitments in the entity s privacy notice as committed or agreed, and with criteria defined in the generally accepted privacy principles issued by the AICPA.

The SOC 2 Compliance Handbook Page 8 Type I vs. Type II There are similarities and differences between a SOC 2 Type I and a SOC 2 Type II. Most organizations eventually undergo a SOC 2 Type II audit, however, it is often recommended that service organizations begin with a SOC 2 Type I as a good starting point and then move to a SOC 2 Type II. A SOC 1 Type I and Type II are both service organization control reports, reporting on the controls and processes at a service organization. A SOC 2 Type I report is an attestation of controls at a service organization at a specific point in time. A SOC 2 Type II report is an attestation of controls at a service organization over a minimum six-month period and reports on the suitability of the design and operating effectiveness of controls whereas with a SOC 2 Type I, there is no testing. Contents Type I Type II Independent Service Auditor s Report Service Organization s description of controls Offers opinion on management s presentation of the Service Organization s current controls Evaluates the suitability of design of management s description of the Service Organization s systems Evaluates the Services Organization s control systems Offers a description of the Service Auditor s tests of the operating effectiveness of controls and the results of each test

The SOC 2 Compliance Handbook Page 9 Who can issue a SOC 2 audit report? Why should I get a SOC 2 audit? A SOC audit can only be performed by an independent Certified Public Accountant (CPA). CPAs must adhere to the specific standards that have been established by the American Institute of Public Accountants (AICPA) and have the technical expertise to perform such engagements. This third-party opinion verifies the suitability of the design and operating effectiveness of the service organization s controls to meet the criteria for the selected principles. Many organizations are required to undergo a third-party audit. If this is the case, you should have a SOC 2 audit performed. By being able to produce a SOC report, you may be a better contender for RFP s. Having a SOC 2 audit report can give you a competitive advantage by demonstrating to your clients, and prospective clients, that you are dedication to security and delivering high-quality services. Lastly, knowing that your internal controls are validated and operating effectively can give you the peace of mind you need to be confident in your security posture. SOC2 Service Org. Control Report

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback