SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017


Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Agenda
01 Learning objectives
02 New SOC terminology
03 SOC for Cybersecurity
04 Revised Trust Services Criteria
05 SSAE 18 updates and execution
06 Scoping and SOC 2+
Baker Tilly Virchow Krause, LLP. All rights reserved.

Learning objectives
1. SOC for Cybersecurity: Understand the new cybersecurity guidelines, including the description criteria for an organization's cybersecurity risk management program and the revisions to the Trust Services Criteria.
2. SSAE 18 updates and execution: SSAE 18 took effect on May 1, 2017. Understand the impact of SSAE 18 on SOC execution and reporting.
3. Scoping: Focus on key risk areas and incorporate industry trends to efficiently and effectively meet users' vendor management requirements and reporting needs. Understand what SOC 2+ is and how it can aid your organization's regulatory requirements.

New SOC terminology

New SOC terminology
> SOC has been redefined: formerly "Service Organization Controls", now "System and Organization Controls"
> SOC reports now include:
- SOC 1: SOC for Service Organizations: ICFR
- SOC 2: SOC for Service Organizations: Trust Services Criteria (and SOC 2+)
- SOC 3: SOC for Service Organizations: Trust Services Criteria
- SOC for Cybersecurity

SOC for Cybersecurity

SOC for Cybersecurity
Key elements of SOC for Cybersecurity:
- Whether management's description of its cybersecurity risk management program meets the Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program
- Whether controls are effective to the criteria for security, availability and confidentiality (2017 Trust Services Criteria)

SOC for Cybersecurity
Nine categories are included in the Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program:
1. Nature of the business and operations
2. Nature of information at risk
3. Cybersecurity risk management program objectives
4. Factors that have a significant effect on inherent risk related technology
5. Cybersecurity risk governance structure
6. Cybersecurity risk assessment process
7. Cybersecurity communications and quality of cybersecurity information
8. Monitoring the cybersecurity risk management program
9. Cybersecurity control processes

SOC for Cybersecurity
Major differences between SOC 2 and SOC for Cybersecurity:
- Scoping: SOC 2 is focused on the customer-facing/supporting system; SOC for Cybersecurity typically focuses on the whole organization.
- Reporting formats: SOC 2 includes test procedures; SOC for Cybersecurity does not include test procedures.

SOC for Cybersecurity
Key questions?
» Who is the intended audience of a SOC for Cybersecurity?
» Should I be switching from a SOC 2 to SOC for Cybersecurity?
» What should I be doing now to prepare?

Revised Trust Services Criteria

Revised Trust Services Criteria
- Can be used for SOC 2 or SOC for Cybersecurity
- Effective for periods ending on or after Dec. 15, 2018
- Transition guidance on making it clear which criteria are used?
- Didn't we just revise them effective Dec. 15, 2016?

Revised Trust Services Criteria
Major differences between the 2016 and 2017 Trust Services Criteria:
- TSC 2017 now includes 17 criteria from COSO 2013; this may cause more governance controls to be incorporated
- Many of the other criteria are similar, but may have more detailed elements that need to be evaluated

Revised Trust Services Criteria
Which Trust Services Criteria (TSC) will an organization use for periods prior to December 15, 2018? (typical; individual facts and circumstances may change)
- Scenario: SOC for Cybersecurity. Criteria: 2017 TSC.
- Scenario: Existing SOC 2 that has already adopted 2016 TSC. Criteria: Continue using 2016 TSC for the current year and begin readiness for adopting 2017 TSC in 2018.
- Scenario: Existing SOC 2 that has not already adopted 2016 TSC. Criteria: Most likely transition first to 2016 TSC and begin readiness for adopting 2017 TSC in 2018.
- Scenario: New SOC 2. Criteria: 2017 TSC.

SSAE 18 updates and execution

SSAE 18 updates and execution
SSAE 18 is effective for auditors' reports dated on or after May 1, 2017
- Superseded and replaced SSAE 16
- Applies to all SOC reports, and some other types of reports
- The SOC 1 guide incorporating SSAE 18 has been updated and was released May 1, 2017

SSAE 18 updates and execution
Key changes that may be more significant to service organizations:
- Focus on Information Provided by the Entity (IPE)
- Monitoring the effectiveness of controls at subservice organizations
Other key changes for service auditors:
- Auditor report dating: limited impact, but may cause slight delays in report issuance
- Updated engagement assertions and representation letters

SSAE 18 updates and execution
Types of IPE as defined in the SOC 1 guide, with: (a) will this be audited differently than before? (b) how will these procedures be disclosed? (c) what to do for SOC 2 absent the guide?

1. Information provided by the service organization in response to ad hoc requests from the service auditor
(a) Probably not: the service auditor already likely performed procedures around this type of IPE.
(b) Probably not, unless issues exist with verifying completeness of the populations.
(c) Typically follow the same approach as SOC 1.

2. Information used in the execution of a control
(a) Maybe: for some controls the service auditor may identify additional tests to perform; for some the tests may be embedded already.
(b) These specific test procedures may be listed in the SOC report test procedures.
(c) Typically follow the same approach as SOC 1.

3. Information prepared for user entities, for example, a reporting package provided to user entities
(a) Maybe: management should prepare this listing and discuss with the service auditor whether additional procedures need to be performed to validate the IPE.
(b) Typically these key reports would now be included as a listing in Section 3.
(c) Most likely do not adopt at this point; these concepts are more relevant to ICFR.

SSAE 18 updates and execution
Monitoring the effectiveness of controls at subservice organizations (under the carve-out method)
- Service organizations should have controls to monitor the controls of subservice organizations.
- There are two typical approaches:
  - Detailed monitoring and visits to the subservice organization to test that controls are working
  - Reviewing SOC reports from the subservice providers

SSAE 18 updates and execution
> When service organizations take the approach of reviewing SOC reports from subservice organizations, the service organization should map which complementary user entity control considerations also apply to the service organization and its users
> Judgment will apply!
> Using the same process, service organizations should identify which complementary subservice organization controls need to exist at the subservice organizations to meet the objectives in the service organization's control objectives.

SSAE 18 updates and execution
This subservice organization topic sounds confusing!
Editorial comment: it's not as complex as it seems when first described; the guide has some fairly straightforward examples.
If that's all from the SOC 1 guide, what part of the subservice organization concepts applies to SOC 2?

Scoping and SOC 2+

Scoping and SOC 2+
- System boundary challenges
- Definition of suitable criteria
- How do you incorporate other frameworks into SOC 2?
- What are some of the scoping challenges?
- What is SOC 2+?

Required disclosure
> The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
> Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2017 Baker Tilly Virchow Krause, LLP.

Thank you!