Service Organization Controls (SOC) 2
Anders Erickson, Risk Advisory Senior Manager
April 2015
www.eidebailly.com
Objectives
• Gain an understanding of the AICPA's Service Organization Control guidance, specifically as it relates to SOC 2.
• Introduce the criteria and principles that form the foundation of SOC 2.
• Discuss challenges and best practices for undergoing a SOC 2 assessment.
SOC Report - Purpose
SOC reports are examination engagements undertaken by a service auditor to report on controls at a service organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal controls.
[Diagram: the service organization engages a service auditor, who issues the SOC report used by the user entity.]
Origins of SOC Reports
SAS 70 was an audit engagement, whereas the Trust Services Principles & Criteria (SysTrust, WebTrust) were applied in attestation engagements. The successor guidance established two service organization control reporting options, the SOC 1 and SOC 2 reports:
• SAS 70 → SSAE 16 → SOC 1
• Trust Principles (SysTrust, WebTrust) → AT 101 → SOC 2
SOC 1 vs. SOC 2
SOC 1 Report – Relates to a service organization's internal controls that are relevant to its customers' financial reporting, also referred to as internal controls over financial reporting (ICFR).
SOC 2 Report – Relates to a service organization's internal controls that address the security, availability, processing integrity, confidentiality and/or privacy of its customers' data.
Types of Service Auditor Reports
There are two types of reports for both SOC 1 and SOC 2:
Type 1 – A report on management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2 – A report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Use of SOC Reports
SOC reports are restricted-use reports (not intended for distribution to potential customers) to be used by the following:
• User entities that outsource to service organizations (e.g., cloud computing)
• Financial statement auditors (user auditors) of those user entities
• Management of the service organization
SOC 2 Report - Purpose
To provide management of a service organization, user entities and other specified parties with information and a CPA's opinion about controls at the service organization relevant to one or more of the Trust Services Principles and Criteria (TSP&C).
SOC Report Components
• Section I Auditor’s Opinion
• Section II Management’s Assertion
• Section III Description of System
• Section IV Description of Tests and the Results of Tests
• Section V Other information Provided by the Service Organization
Auditor's Opinion
• Contains the service auditor's opinion about whether:
  • Management's description of the service organization's system is fairly presented (the opinion may be unqualified, qualified, adverse, or a disclaimer)
  • Type 1 – The controls in the description are suitably designed to meet the applicable TSP&C
  • Type 2 – The controls were operating effectively to meet the applicable TSP&C
  • For SOC 2 reports that address the privacy principle, management complied with its privacy commitments
Management’s Assertion
• Management’s description fairly presents the service organization’s system.
• Management’s description does not omit or distort relevant information.
• Controls were suitably designed and operating effectively.
Management's System Description
A system consists of five key components organized to achieve a specified objective. The five components are categorized as follows:
Infrastructure – The physical and hardware components of a system (facilities, equipment, and networks)
Software – The programs and operating software of a system (systems, applications, and utilities)
People – The personnel involved in the operation and use of a system (developers, operators, users, and managers)
Procedures – The automated and manual procedures involved in the operation of a system
Data – The information used and supported by a system (transaction streams, files, databases, and tables)
Subservice Organizations
[Diagram: subservice organizations "X" and "Y" provide services to the service organization, whose service auditor issues the SOC report used by the user entity.]
• Carve-out method: the subservice organization's controls are excluded from the system description and from the scope of the service auditor's examination.
• Inclusive method: the subservice organization's relevant controls are included in the system description and examined by the service auditor.
Complementary User Entity Controls
• The service organization may design its service with the assumption that certain controls will be implemented by the user entities.
[Diagram: the SOC report issued by the service auditor identifies the complementary user entity controls that the user entity is expected to implement.]
Overview of Trust Services Principles
Security – Common Criteria *
• Organization and Management
• Communications
• Risk Management
• Monitoring of Controls
• Logical and Physical Access Controls
• System Operations
• Change Management
* Criteria for the privacy Trust Principle do not include the common criteria but are set forth in generally accepted privacy principles (GAPP).
Additional Principles & Criteria
• Availability: Capacity and Usage; Environmental Controls; Data Backup and Recovery; Testing of Recovery Plans
• Processing Integrity: Handling Processing Errors; Controlling System Inputs; Data Processing and Storage; System Output and Data Modifications
• Confidentiality: Change Management; Access Control; Internal & External Information Disclosure; Confidentiality Agreements
Example TSP&C
CC1.0 Common Criteria Related to Organization and Management
Criteria: CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
Risks: The entity's organizational structure does not provide the necessary information flow to manage [security, availability, processing integrity, or confidentiality] activities.
Illustrative Controls: The entity evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its business planning process and as part of its ongoing risk assessment and management process and revises these when necessary to help meet changing commitments and requirements.
TSP&C – Overview
1.0 Organization and Management
CC1.1 Organizational structures, reporting lines, authorities, and responsibilities
CC1.2 Responsibility and accountability
CC1.3 Qualifications and resources
CC1.4 Workforce conduct standards; candidate background screening procedures; enforcement procedures
2.0 Communications
CC2.1 System and its boundaries
CC2.2 Commitments communicated to internal and external users
CC2.3 Communicating responsibilities of internal and external users
CC2.4 Internal and external personnel have the information necessary to carry out their responsibilities
CC2.5 Reporting failures, incidents, concerns, and other complaints to appropriate personnel
CC2.6 System changes communicated to users in a timely manner
TSP&C – Overview
3.0 Risk Management & Internal Controls
CC3.1 Identifying potential threats that would impair the system; analyzing identified threats; determining mitigation strategies
CC3.2 Implementing the risk mitigation strategy
CC3.3 Identifying and assessing changes that could impact the system of internal control; reassessing the suitability of control activities
4.0 Monitoring of Controls
CC4.1 Design and operating effectiveness of controls are periodically evaluated
TSP&C – Overview
5.0 Logical and Physical Access Control
CC5.1 Restriction of authorized user access; prevention and detection of unauthorized access
CC5.2 New internal and external system users are registered and authorized; user system credentials are removed when user access is no longer authorized
CC5.3 Internal and external system users are identified and authenticated
CC5.4 Access to data, software, functions, and other IT resources is granted based on the principle of least privilege
CC5.5 Physical access to facilities housing the system
CC5.6 Threats from sources outside the boundaries of the system
CC5.7 Transmission, movement, and removal of information
CC5.8 Introduction of unauthorized or malicious software
TSP&C – Overview
6.0 System Operations
CC6.1 Vulnerabilities of system components to breaches and incidents are monitored and countermeasures implemented
CC6.2 Incident response procedures
7.0 Change Management
CC7.1 System development lifecycle
CC7.2 Infrastructure, data, software, and procedures are updated
CC7.3 Change management initiated when deficiencies in controls are identified
CC7.4 Changes are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with commitments
A1 Availability
A1.1 Processing capacity and usage
A1.2 Environmental protections, software, data backup processes, and recovery infrastructure
A1.3 Recovery plans are periodically tested
TSP&C – Overview
P1 Processing Integrity
P1.1 Procedures to prevent, detect, and correct processing errors
P1.2 Input controls
P1.3 Processing controls
P1.4 Data storage and maintenance
P1.5 System output
P1.6 Modification of data
C1 Confidentiality
C1.1 During the system development and change processes
C1.2 Within the boundaries of the system
C1.3 From outside the boundaries of the system
C1.4 Confidentiality commitments from vendors and other third parties
C1.5 Compliance with confidentiality commitments
C1.6 Changes to confidentiality commitments
Generally Accepted Privacy Principles (GAPP)
GAPP contain ten (10) privacy principles and related criteria that are essential for the proper protection and management of personal information.
These privacy principles and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and in common and leading practices.
GAPP Principles
Ten GAPP Principles:
1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use, retention, and disposal
6. Access
7. Disclosure to third parties
8. Security for privacy
9. Quality
10. Monitoring and enforcement
SOC 2 Challenges
• TSP&C are NOT an internal control framework
  • However, any internal control framework implemented by the service provider should be leveraged
• Management & organizational commitment
• Lack of external requirements/deadlines
• Size and scope of the TSP&C
SOC Readiness Review
The purpose of a readiness review is to prepare an organization for a SOC engagement.
Engage an experienced professional to assist with the following:
• Document control activities
• Identify any potential control deficiencies
• Provide a gap analysis to facilitate remediation efforts
• Assist in developing the system description
SOC Reporting – Displaying the SOC Logo
• Service organizations that have had a SOC 2 engagement within the past year may register with the AICPA for the use of this logo to be displayed.
• Service organizations searching for CPA firms that perform SOC engagements should look for firms with the SOC logo displayed on their website.
[Logos: one for use by CPAs, one for use by service organizations]
Questions?
Anders Erickson, Eide Bailly, Risk Advisory Senior Manager
208-383-4731, aerickson@eidebailly.com
Modifications of Service Auditor's Report
The service auditor's opinion should be modified, and the service auditor's report should contain a clear description of all reasons for modification, if the service auditor concludes that:
Points to Consider
• Management's description is not fairly presented, in all material respects;
• Controls are not suitably designed;
• Controls did not operate effectively throughout the specified period;
• A scope limitation exists, resulting in the service auditor's inability to obtain sufficient appropriate evidence; or
• In the case of a type 2 report that addresses the privacy principle, the service organization did not comply with the commitments in its statement of privacy practices.
Modifications of Service Auditor's Report
When determining whether to modify the service auditor's report, the service auditor considers quantitative and qualitative factors, such as:
• Nature and cause of the exceptions
• Tolerable rate of exceptions that the service auditor has established
• Pervasiveness of exceptions
• Likelihood that exceptions are indicators of control deficiencies that will result in failure to meet the control objective or TSP&C
• Magnitude of such failures that could occur as a result of control deficiencies
• Whether users could be misled if the service auditor's opinion were not modified
TSP&C – Common Criteria 1.0 Organization and Management
CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation.
CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] have the qualifications and resources to fulfill their responsibilities.
CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
TSP&C – Common Criteria 2.0 Communications
CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.
CC2.2 The entity's [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.
CC2.3 The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.
CC2.4 Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] of the system, have the information necessary to carry out those responsibilities.
CC2.5 Internal and external system users have been provided with information on how to report [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] failures, incidents, concerns, and other complaints to appropriate personnel.
CC2.6 System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] are communicated to those users in a timely manner.
TSP&C – Common Criteria 3.0 Risk Management & Internal Controls
CC3.1 The entity (1) identifies potential threats that would impair system [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies).
CC3.2 The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.
CC3.3 The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could significantly affect the system of internal control for [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.
TSP&C – Common Criteria 4.0 Monitoring of Controls
CC4.1 The design and operating effectiveness of controls are periodically evaluated against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
TSP&C – Common Criteria 5.0 Logical and Physical Access Control
CC5.1 Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access.
CC5.2 New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.
CC5.3 Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data).
CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them.
CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel.
CC5.6 Logical access security measures have been implemented to protect against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] threats from sources outside the boundaries of the system.
CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal enabling the entity to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software.
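The criteria above state what a control must achieve, not how a service auditor tests that it operated throughout a Type 2 period. The following is an added example, not part of the original slides or Eide Bailly's material: a test of CC5.2 (credentials removed when access is no longer authorized) that reconciles an HR termination export against a system user listing, flags accounts not disabled within a removal deadline, lists active accounts with no HR owner, and computes the observed exception rate that the auditor compares to the tolerable rate discussed under report modifications. The two CSV extracts, the period end date and the one-day removal commitment are constructed assumptions standing in for the evidence an auditor would request.

```python
"""Type 2-style evidence test for CC5.2 (added example, not from the original slides).

Assumptions (constructed for illustration): an HR termination export, a user
listing pulled from the in-scope system at period end, a period end of
2015-03-31, and a commitment to disable access within one day of termination.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample evidence: HR termination export for the examination period.
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
1001,A. Smith,2015-02-03
1002,B. Jones,2015-02-10
1003,C. Lee,2015-03-01
1004,D. Patel,2015-03-15
1005,E. Wong,2015-04-02
"""

# Constructed sample evidence: user listing from the in-scope system at period end.
SYSTEM_USERS_CSV = """username,employee_id,status,disabled_date
asmith,1001,disabled,2015-02-03
bjones,1002,active,
clee,1003,disabled,2015-03-09
dpatel,1004,disabled,2015-03-16
svc_backup,,active,
"""

PERIOD_END = date(2015, 3, 31)      # assumed end of the Type 2 examination period
REMOVAL_SLA = timedelta(days=1)     # assumed commitment: disable within one day


@dataclass
class Finding:
    username: str
    employee_id: str
    termination_date: date
    issue: str


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def run_cc52_test(hr_csv, users_csv, period_end, sla):
    """Return (population, findings).

    population: employee_ids terminated on or before period_end that held an account
    findings:   accounts that were not disabled within `sla` of the termination date
    """
    terminations = {r["employee_id"]: _parse_date(r["termination_date"])
                    for r in _rows(hr_csv)}
    accounts = {r["employee_id"]: r for r in _rows(users_csv) if r["employee_id"]}
    population, findings = [], []
    for emp_id, term_date in terminations.items():
        if term_date > period_end:
            continue                    # terminated after the period: out of scope
        acct = accounts.get(emp_id)
        if acct is None:
            continue                    # no account on this system: not in the population
        population.append(emp_id)
        deadline = term_date + sla
        if acct["status"] != "disabled":
            days = (period_end - term_date).days
            findings.append(Finding(acct["username"], emp_id, term_date,
                                    f"still active {days} days after termination"))
            continue
        disabled_on = _parse_date(acct["disabled_date"])
        if disabled_on is None or disabled_on > deadline:
            findings.append(Finding(acct["username"], emp_id, term_date,
                                    f"disabled {disabled_on}, after deadline {deadline}"))
    return population, findings


def orphan_accounts(users_csv):
    """Active accounts with no employee_id. They cannot be tied to an HR owner, so
    the termination-driven control cannot be shown to cover them (typically shared
    or service accounts); they need a separate ownership review."""
    return sorted(r["username"] for r in _rows(users_csv)
                  if r["status"] == "active" and not r["employee_id"])


def exception_rate(population, findings):
    """Observed deviation rate, to be compared with the auditor's tolerable rate."""
    return len(findings) / len(population) if population else 0.0


if __name__ == "__main__":
    pop, found = run_cc52_test(HR_TERMINATIONS_CSV, SYSTEM_USERS_CSV, PERIOD_END, REMOVAL_SLA)
    print(f"population {len(pop)}, exceptions {len(found)}, rate {exception_rate(pop, found):.0%}")
    for f in found:
        print(f"  {f.username} (emp {f.employee_id}, terminated {f.termination_date}): {f.issue}")
    print("active accounts with no HR owner:", orphan_accounts(SYSTEM_USERS_CSV))
```

On the constructed data the population is four terminated users with accounts, two of which are exceptions (one never disabled, one disabled eight days late), giving a 50% deviation rate that would almost certainly exceed any tolerable rate; the unowned service account is reported separately because the control as described does not cover it. In a real engagement the population would come from the full HR export and the auditor would sample from it, but the reconciliation logic is the same.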
TSP&C – Common Criteria 6.0 System Operations
CC6.1 Vulnerabilities of system components to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.
CC6.2 [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.
TSP&C – Common Criteria 7.0 Change Management
CC7.1 [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.
CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.
CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements.
TSP&C – Additional Criteria A1 Availability
A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.
TSP&C – Additional Criteria P1 Processing Integrity
P1.1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.
P1.2 System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements.
P1.3 Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements.
P1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.
P1.5 System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.
P1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements.
TSP&C – Additional Criteria C1 Confidentiality
C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.
C1.4 The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements from vendors and other third parties whose products and services comprise part of the system and have access to confidential information.
C1.5 Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis, and corrective action is taken if necessary.
C1.6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system.