CSF to Support SOC 2 Reporting


Ken Vander Wal, CPA, CISA, HCISPP, Chief Compliance Officer, HITRUST, ken.vanderwal@hitrustalliance.net

Agenda
- Introduction to SOC Reporting
- SOC 2 and HITRUST CSF
- AICPA and HITRUST Collaboration
- SOC 2 and HITRUST CSF Reporting
- Engagement Considerations
- Questions

Introduction to SOC Reporting
Three types:
- SOC 1 / SSAE 16: replaced SAS 70
- SOC 2: restricted-use report based on the AICPA Trust Services Principles and Criteria
- SOC 3: general-distribution report
SOC 2 is a reporting framework (the HITRUST CSF is a security framework).

HITRUST CSF
- Owned by HITRUST
- Leverages and enhances existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements
- Intended to be used by any and all organizations that create, access, store, or exchange protected health information (PHI)
- Two major components: information security implementation requirements; mapping and regulations
- Updated annually; currently Version 7
- https://hitrustalliance.net/hitrust-csf/

SOC 2
- Owned by the American Institute of Certified Public Accountants (AICPA)
- Designed to provide information on processes and controls at a service organization, together with an independent service auditor's opinion
- Processes do not have to be related to financial statement processing, unlike SOC 1 (ISAE 3402 / SSAE 16)
- Criteria updated in early 2014, except for privacy, which is currently being updated
- http://www.aicpa.org/interestareas/frc/AssuranceAdvisoryServices/Pages/SORHome.aspx

HITRUST CSF
- CSF Framework: 14 Control Categories, 46 Control Objectives, 149 Control Specifications
- Risk factors drive control specification implementation requirements (up to 3 levels)
- Must meet all requirement specifications based on risk factors
- Assurance program: Self Assessments; Third-Party Assessments (Certified, Validated)

SOC 2
- Trust Services Principles: Security, Availability, Confidentiality, Privacy, Processing Integrity
- Select principles based on expected user needs
- Must then address ALL criteria for the selected principles
- Type 1: design; Type 2: operating effectiveness

What Does SOC 2 / HITRUST Give Users?

SOC 2
- Management Assertion
- Independent service auditor's report: the description fairly presents the in-scope services; controls are suitably designed to meet the in-scope criteria; controls have operated effectively to meet the criteria (Type 2)
- Description of System
- Description of Controls, Tests and Results of Tests

HITRUST CSF
- Certified/validated report issued by HITRUST based on the work of independent third-party assessors
- Business/functional/organizational units that meet the associated criteria
- Assessment context and scope of systems included in the assessment
- Breakdown of CSF control areas with a comparison to industry; includes maturity scores
- Testing summary, corrective action plans and completed questionnaire

Benefits of Combining SOC 2 & CSF Assurance
- Leverage the HITRUST CSF controls in SOC 2 engagements
- Realize significant time efficiencies and cost savings through the synergies between the HITRUST CSF controls and the Trust Services Principles and Criteria
- Reduce the inefficiencies and costs associated with multiple reporting requirements
- Increase transparency and communicate to stakeholders through a single deliverable
- A service organization's controls can be considered against both the SOC 2 criteria and the HITRUST CSF

Press Release: http://www.aicpa.org/press/pressreleases/2015/pages/newaicpaandhitrustillustrativereportwillhelpcpas.aspx

AICPA and HITRUST Collaboration
Collaborated to develop and publish guidance to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting. Work products include:
- Mapping of the CSF to the Trust Services Principles and Criteria (Security, Confidentiality, Availability)
- SOC 2 + HITRUST Reporting Template
- Practitioner document with frequently asked questions

HITRUST CSF & Trust Services Criteria Mapping

Types of Reports
- HITRUST CSF Certification: organizations can obtain a HITRUST CSF certification report through an assessment by a HITRUST-approved assessor and issuance of the certification report by HITRUST
- SOC 2 only: organizations that may have adopted the HITRUST CSF framework but have NOT requested their service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF
- SOC 2 + HITRUST CSF: the service auditor's report expresses an opinion on the fairness of presentation of the description and the suitability of design and operating effectiveness of controls based on 1) the Trust Services Principles and Criteria relevant to Security, Availability and Confidentiality, and 2) the HITRUST CSF
- SOC 2 + HITRUST CSF + CSF Certification: organizations that have engaged a service auditor to express a SOC 2 + HITRUST CSF opinion and have achieved HITRUST CSF certification can obtain one combined report
HITRUST One Framework

HITRUST + SOC 2 Reporting Template
Report sections:
- Management Assertion
- Independent Service Auditor's Report
- Entity's Description of its System
- Trust Services Principles / HITRUST CSF Controls Tested and Results of Tests
- Mapping of Applicable Trust Services Principles and Criteria to the HITRUST CSF, and HITRUST CSF certification report

Draft of Opinion Wording
In our opinion, in all material respects, based on the description criteria identified in Example Health Service Organization's assertion and the applicable trust services criteria and CSF criteria,
a. the description fairly presents the system that was designed and implemented throughout the period January 1, 20X1, to December 31, 20X1;
b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria and CSF criteria would be met if the controls operated effectively throughout the period January 1, 20X1, to December 31, 20X1

Examples of FAQs
- Is inclusion of the mapping mandatory in a SOC 2 + HITRUST CSF report?
- One of the requirements of an attestation engagement under AT section 101 is that the criteria used to assess the subject matter be suitable. Does the HITRUST CSF meet the definition of suitable criteria as defined by the AICPA?
- Should the maturity of control attributes (for example, the HITRUST maturity characteristics of measured and managed) be assessed when performing a SOC 2 + HITRUST CSF engagement?
- In a SOC 2 + HITRUST CSF report, how does a modified opinion related to the applicable trust services criteria affect the opinion related to the HITRUST CSF requirements, and vice versa?
- How are exceptions addressed in a SOC 2 + HITRUST CSF report?
- Can any CPA issue a SOC 2 + HITRUST CSF report or a SOC 2 + HITRUST CSF + CSF certification report?
- Must the CPA also be an approved HITRUST CSF assessor to perform either a SOC 2 + HITRUST CSF engagement or a SOC 2 + HITRUST CSF + CSF certification engagement?
- Are there licensing considerations when a CPA uses the HITRUST CSF in an engagement, including a SOC 2 + HITRUST CSF engagement?

Engagement Considerations
- Performance of SOC 2 engagements by CPA firms
- Performance of HITRUST CSF certification engagements by approved HITRUST assessors
- Licensing considerations: AICPA; HITRUST CSF
- AICPA and HITRUST periodically issue new versions of the Trust Services Principles and the HITRUST CSF, respectively
- For a SOC 2 opinion on adoption of the HITRUST CSF, all control requirements must be addressed; HITRUST CSF certification is based on a subset of the controls

Downloadable Engagement Resources (1)
- Practitioner Guidance and FAQs: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/hitrust_faq.pdf
- SOC 2 + HITRUST CSF + CSF illustrative report: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc_2_hitrust_csf_report.pdf
- Mapping of HITRUST CSF to Trust Services Principles: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc_ii_to_hitrust_mapping.xlsx

Downloadable Engagement Resources (2)
- HITRUST CSF Version 7: https://www.hitrustalliance.net/csf-license-agreement/
- HITRUST CSF Assurance and Related Programs: https://www.hitrustalliance.net/csf-assurance-related-programs/
- HITRUST CSF Approved Assessors: https://www.hitrustalliance.net/csf-assessors/

Visit www.hitrustalliance.net for more information. To view our latest documents, visit the Content Spotlight.

Thank You! Questions?