IIA & ISACA Seminar
Service organization control reports: SOC 2/SOC 3 common criteria and new requirements to consider for 2015
April 8, 2015
kpmg.com
© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 362335
Contents
■ SOC overview
■ Summary of SOC 2/SOC 3 principles and criteria
■ Overview trust services principles – 2014 revision
■ Enhanced SOC 2 reporting – Alignment with relevant standards/frameworks
■ Scoping considerations
■ Industry activities – Recent KPMG Webcasts
■ Questions
SOC overview
Service organization control (SOC) reports
SOC 1
– Scope/focus: Internal control over financial reporting
– Summary: Detailed report for customers and auditors, focused on financial reporting risks and controls specified by the service provider.
– Applicability: Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
– Standard: ISAE 3402 (or local equivalent) or SSAE 16

SOC 2
– Scope/focus: Security, availability, processing integrity, confidentiality and/or privacy
– Summary: Detailed report for customers and specified parties, focused on security, confidentiality, availability, processing integrity and/or privacy.
– Applicability: Applicable to a broad variety of systems.
– Standard: AT101 under guidance of AAG-SOP March 2012; ISAE 3000

SOC 3
– Scope/focus: Short report that can be generally distributed, with the option of displaying a web site seal for engagements based on AT101 only
– Summary: Same as SOC 2 without disclosing detailed controls and testing.
– Applicability: Optionally, the service provider can post a Seal if they receive an unqualified opinion.
– Standard: AT101 under the guidance of TSP100; ISAE 3000 (or local equivalent)
Contrasting SOC 2/SOC 3 and SOC 1 report scope

Required focus
– SOC 2/SOC 3: Operational controls
– SOC 1: ICOFR

Defined scope of system
– SOC 2/SOC 3: Infrastructure; software; procedures; people; data
– SOC 1: Classes of transactions; procedures for processing and reporting transactions; accounting records of the system; handling of significant events and conditions other than transactions; report preparation for users; other aspects relevant to processing and reporting user transactions

Control domains covered
– SOC 2/SOC 3: Security; availability; confidentiality; processing integrity, and/or privacy
– SOC 1: Transaction processing controls; supporting IT general controls

Level of standardization
– SOC 2/SOC 3: Principles selected by service provider; predefined criteria used rather than control objectives
– SOC 1: Control objectives defined by service provider and may vary depending on the type of service provided
SOC reports for different scenarios

SOC 1 – financial reporting controls (financial process and supporting system controls)
■ Financial services
■ Asset management and custody services
■ Healthcare claims processing
■ Payroll processing
■ Payment processing

SOC 2/SOC 3 – operational controls (security, availability, confidentiality, processing integrity, privacy)
■ Cloud ERP service
■ Data center co-location
■ IT systems management
■ Cloud-based services (SaaS, PaaS, IaaS)
■ HR services
■ Security services
■ E-mail, collaboration, and communications
■ Any service where customers’ primary concern is security, availability, or privacy
Summary of SOC 2/ SOC 3 principles and criteria
Principles and criteria topics
Principles vs. criteria?
■ Services principles are used to describe the overall objective
– The practitioner's opinion makes reference only to the criteria
■ Criteria are benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter
– The criteria are supported by controls that, if operating effectively, enable a system to meet the criteria
– TSP 100 requires the identification of risks that threaten the achievement of the criteria
– TSP 100 requires a linkage of the risk to criteria and controls to risks
SOC 2/SOC 3 Principles (overview)
■ May apply to any type of system, not just financial reporting systems
Principles: Security, Availability, Confidentiality, Processing integrity, Privacy
SOC 2/SOC 3 Security principle
Trust services principle: The system is protected against unauthorized access, use or modification.
Applicability:
■ Most commonly requested area of coverage.
■ The security principle is made up of the common criteria only and does not have additional criteria.
■ Applicable to all outsourced environments, particularly where enterprise customers require assurance regarding the service provider’s security controls for any system, nonfinancial or financial.
SOC 2/SOC 3 Availability principle
Trust services principle: The system is available for operation and use as committed or agreed.
Applicability:
■ Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering.
■ Most applicable where enterprise customers require assurance regarding processes to achieve system availability SLAs as well as disaster recovery, which could not be covered in an SSAE 16.
SOC 2/SOC 3 Confidentiality principle
Trust services principle: Information designated as confidential is protected as committed or agreed.
Applicability:
■ Third most commonly requested area of coverage, particularly where customers want assurance over protecting information provided to the service provider.
■ Most applicable where the customer requires additional assurance regarding the service provider’s practices for protecting sensitive business information.
SOC 2/SOC 3 Processing Integrity principle
Trust services principle: System processing is complete, valid, accurate, timely, and authorized.
Applicability:
■ Potentially applicable for a wide variety of nonfinancial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing.
SOC 2/SOC 3 Privacy principle
Trust services principle (GAPP): Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA. These principles and criteria were not affected by the TSP 100 update.
Applicability:
■ Most applicable where the service provider interacts directly with end customers and gathers their personal information.
■ Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program.
Overview trust services principles – 2014 revision
Trust services principles – 2014 revision
■ The trust services principles and criteria were revised by the AICPA effective for SOC 2/3 reports with periods ending on or after December 15, 2014.
■ The criteria were revised to reduce duplication, improve consistency in reporting, and reduce errors.
■ Common criteria framework is used for security, availability, processing integrity, and confidentiality principles.
■ Unique, specific criteria are applicable for availability, processing integrity, and confidentiality principles
■ The criteria are arranged into seven (7) common criteria categories that apply to the security, availability, processing integrity, and confidentiality principles.
■ The privacy criteria are currently under revision by the AICPA, and additional guidance will be provided at a later date. Until then, the 2009 version of the generally accepted privacy principles should be used.
SOC 2/SOC 3 report overview – 2014 revision
■ The common criteria constitute the complete set of criteria for the security principle, and set the foundation for the availability, processing integrity, and confidentiality principles
■ There are seven common criteria categories consistent with the COSO framework:
– Organization and management
– Communications
– Risk management and design and implementation of controls
– Monitoring of controls
– Logical and physical access controls
– System operations
– Change management
Significant changes – 2014 revision
2009 version of the criteria
Security
■ Security policies
■ Security awareness and communication
■ Risk assessment
■ Threat identification
■ Information classification
■ Logical access
■ Physical access
■ Security monitoring
■ Incident management
■ Encryption
■ Personnel
■ Systems development and maintenance
■ Configuration management
■ Change management
■ Monitoring/compliance
Availability
■ Availability policy
■ Backup and restoration
■ Environmental controls
■ Disaster recovery
Confidentiality
■ Confidentiality policy
■ Confidentiality of inputs, data processing, and outputs
■ Information disclosures
■ Confidentiality of information in systems development
Processing integrity
■ System processing integrity policies
■ Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
■ Information tracing from source to disposition
Privacy
■ Management
■ Notice
■ Choice and consent
■ Collection
■ Use and retention
■ Access
■ Disclosure to third parties
■ Security for privacy
■ Quality
■ Monitoring and enforcement
Significant changes – 2014 revision (continued)
2014 version of the criteria
Common criteria (apply to security, availability, confidentiality, and processing integrity)
■ Organization and management
■ Communications
■ Risk management and design and implementation of controls
■ Monitoring of controls
■ Logical and physical access controls
■ System operations
■ Change management
Additional criteria
■ Security: N/A
■ Availability: Specific incremental availability criteria
■ Confidentiality: Specific incremental confidentiality criteria
■ Processing integrity: Specific incremental processing integrity criteria
The privacy criteria continue to maintain a separate criteria structure.
■ Management
■ Notice
■ Choice and consent
■ Collection
■ Use and retention
■ Access
■ Disclosure to third parties
■ Security for privacy
■ Quality
■ Monitoring and enforcement
Significant changes – 2014 revision (continued)
Summary of major changes
Major topic Key changes
Reorganization of criteria for ease of use
■ Reorganized to simplify and remove redundancy between principles
Greater emphasis on risk assessment and internal monitoring
■ Added more specific risk assessment criteria
■ Added periodic evaluation of design/operating effectiveness of controls
■ Added monitoring of vendors for confidentiality
Clarification of various criteria
■ Removed listing of required policy topics
■ Clarified communication requirements – internal vs. external
■ Clarified intent of procedural criteria throughout
■ Clarified monitoring criteria
Enhanced SOC 2 reporting – Alignment with relevant standards/ frameworks
SOC 2 enhanced reporting
■ Where there are common customer requirements/requests, it may be beneficial for the service provider to include additional details in the SOC 2 report to demonstrate alignment with one or more relevant standards/frameworks (e.g., ISO 27001, Cloud Security Alliance Cloud Controls Matrix, PCI-DSS, etc.).
■ If the referenced standards/frameworks are more detailed than the SOC 2 Trust Services criteria, it may be necessary to include more granular controls within the SOC 2 report to enable a more complete mapping.
SAMPLE – Relation of service provider’s controls to <specify standard/framework>
Service provider has developed its controls to align with the <specify standard/framework>. Included below is a mapping of the <specify standard/framework> topics to related service provider controls covered in this report.
Columns: specific topics/requirements from <specify standard/framework>; SOC 2 criteria; related service provider controls
■ Sec 1.1 – criteria 1.01, 1.02 – Control description included.
■ Sec 1.2 – criterion 1.03 – Control description included.
■ Sec 1.3 – criterion 1.02 – Control description included.
Mapping to ISO 27001:2013 controls
Columns: Ref.; approx. # of requirements; domain; SOC 2/SOC 3 primary reference
A.5 2 Information security policies Common
A.6 7 Organization of information security Common
A.7 6 Human resources security Common
A.8 10 Asset management Common
A.9 14 Access control Common
A.10 2 Cryptography Common
A.11 15 Physical and environmental security Common
A.12 14 Operations security Common
A.13 7 Communications security Common
A.14 13 System acquisition, development, and maintenance Common
A.15 5 Supplier relationships Common
A.16 7 Information security incident management Common
A.17 4 Information security aspects of business continuity management Availability
A.18 8 Compliance Common
Total 114
An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common and availability criteria align with the ISO 27001:2013 control objective topics.
Mapping to CSA cloud controls matrix (CCM) v3.0
Columns: Ref.; approx. # of requirements; domain; SOC 2/SOC 3 primary reference
AIS 4 Application & interface security Common/Integrity
AAC 3 Audit assurance & compliance Common
BCR 11 Business continuity management & operational resilience Availability
CCC 5 Change control & configuration management Common/Availability
DSI 7 Data security & information lifecycle management Common/Confidentiality/Integrity
DSC 9 Datacenter security Common/Confidentiality/Availability
EKM 4 Encryption & key management Common/Confidentiality
GRM 11 Governance and risk management Common/Confidentiality
HRS 11 Human resources Common
An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common, integrity, availability, and confidentiality criteria align with the CSA CCM v3.0 requirements.
Mapping to CSA cloud controls matrix (CCM) v3.0 (continued)
Columns: Ref.; approx. # of requirements; domain; SOC 2/SOC 3 primary reference
IAM 13 Identity & access management Common
IVS 13 Infrastructure & virtualization security Common/Availability
IPY 5 Interoperability & portability None identified
MOS 20 Mobile security None identified
SEF 5 Security incident management, e-discovery & cloud forensics Common/Confidentiality/Availability/Integrity
STA 9 Supply chain management, transparency and accountability Common/Confidentiality/Availability
TVM 3 Threat and vulnerability management Common
Total 133
An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common, integrity, availability, and confidentiality criteria align with the CSA CCM v3.0 requirements.
Mapping to PCI data security standard (DSS) v3.0
Columns: Ref.; approx. # of requirements; domain; SOC 2/SOC 3 primary reference
1 23 Firewall Common
2 12 System passwords Common
3 22 Protect stored cardholder data Common
4 4 Encryption Common
5 6 Antivirus Common
6 28 Development and maintenance Common
7 10 Access restrictions Common
8 23 Unique IDs Common
9 27 Physical access Common
10 32 Monitoring Common
11 16 Testing Common
12 39 Security policy Common
Total 242
An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common criteria align with the PCI DSS v3.0 requirements.
Scoping considerations
Typical SOC 2/SOC 3 scoping considerations
■ Services/applications provided
■ Supporting infrastructure
■ Locations
■ Subservice providers
■ Applicable principles
■ Enhanced reporting—inclusion of other information regarding alignment with other standards/frameworks
Criteria approach
Criteria specific:
■ Each criterion should be treated like a SOC 1 control objective
– Identify the threats that may cause the criterion to not be met (while some will be similar for all clients, some may significantly vary based on service offered, customer agreements, and industry)
– Identify key controls that address those threats (some controls may be non-key across each criterion for the principle(s); judgment should be applied to determine whether orphaned controls, those linked to no threat, should be removed)
– This requirement may result in material gaps in a service organization’s ability to meet the principle
– Perform this exercise early in the planning phase to avoid material gaps
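The criteria approach above (and the TSP 100 linkage of risks to criteria and controls to risks on the earlier slide) is easier to operate with a small inventory you can query. The following is an added example, not KPMG's material and not from TSP 100: a toy risk-to-criteria-to-control model with two checks, criteria left exposed because no key control addresses one of their identified threats (the "material gaps" the slide warns about), and controls linked to no risk (orphaned controls). All criterion IDs, risk descriptions and control IDs are constructed sample data.

```python
"""Added example: linkage model of criteria -> risks -> controls with gap and
orphan checks. Not KPMG's or the AICPA's material; all data is constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    description: str
    criteria: set[str]        # criteria this threat could cause to fail (placeholder IDs)


@dataclass
class Control:
    control_id: str
    description: str
    key: bool                 # key control per the engagement team's judgment
    addresses: set[str]       # risk IDs this control mitigates


# Constructed sample inventory. Criterion identifiers are placeholders in the
# style of common-criteria references; they are not quotations from TSP 100.
RISKS = [
    Risk("R1", "Terminated staff retain system access", {"CC5.1"}),
    Risk("R2", "Unauthorized change deployed to production", {"CC7.1"}),
    Risk("R3", "Backups cannot be restored within the committed SLA", {"A1.2"}),
]
CONTROLS = [
    Control("C1", "HR termination triggers same-day access removal", True, {"R1"}),
    Control("C2", "Quarterly user access review", False, {"R1"}),
    Control("C3", "Change tickets require peer approval before deployment", True, {"R2"}),
    Control("C4", "Visitor badge log at reception", False, set()),  # linked to nothing
]


def gaps(risks: list[Risk], controls: list[Control]) -> dict[str, list[str]]:
    """Criteria with an identified risk that no *key* control addresses.

    Each criterion is treated like a control objective: a risk covered only by
    non-key controls still leaves the criterion exposed, so it is reported here.
    Returns {criterion_id: [risk_ids]} sorted by criterion.
    """
    key_covered = {r for c in controls if c.key for r in c.addresses}
    exposed: dict[str, list[str]] = {}
    for risk in risks:
        if risk.risk_id not in key_covered:
            for crit in risk.criteria:
                exposed.setdefault(crit, []).append(risk.risk_id)
    return dict(sorted(exposed.items()))


def orphaned_controls(risks: list[Risk], controls: list[Control]) -> list[str]:
    """Controls not linked to any identified risk: candidates for removal from
    the report, or a sign that a risk is missing from the inventory."""
    known = {r.risk_id for r in risks}
    return sorted(c.control_id for c in controls if not (c.addresses & known))


if __name__ == "__main__":
    print("Criteria with material gaps:", gaps(RISKS, CONTROLS))
    print("Orphaned controls:", orphaned_controls(RISKS, CONTROLS))
```

Run early in planning, as the slide recommends: with the sample data the availability criterion A1.2 is flagged because risk R3 has no key control at all, while CC5.1 is not flagged even though C2 is non-key, because key control C1 covers the same risk.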
Engagement approach considerations
Concluding on criteria:
■ Suitability of design
– Appropriateness of controls based on service, industry, and customer commitments
■ Need to gain an understanding of the commitments to the users of the system
■ While many controls will apply to nearly all service providers, some will vary based on the service offered and the industry the service organization is serving
– Threat inventory and determination if a control is a key control
■ Key controls may work in tandem and require multiple key controls to adequately address the threat
■ Key controls should primarily be reported on, although some non-key controls may be included if determined appropriate (enhanced reporting)
■ Assess whether the risks are adequately addressed or if more controls are required
Engagement approach considerations (continued)
Concluding on criteria:
■ Operating effectiveness
– Operational period of the control
■ Need to assess if the controls were in place throughout the entire examination period
– Periodic controls need to demonstrate activity in every period (sampling risk is generally greatest in the most recent period; however, for first-year reports with a control change, the earliest period carries significant risk)
– Event-based controls should be in place from the start of the period (for example, change management and incident reporting)
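To make the operating-effectiveness points concrete, here is an added example (not part of the KPMG deck) that checks whether evidence of a control covers the whole examination period: periodic controls must show evidence in every month or quarter of the period, and every control must have been in place from the period start. The control names, implementation dates and evidence dates are constructed sample data; the `effective_from` field is an assumption standing in for whatever the design walkthrough established.

```python
"""Added example: examination-period coverage check for control evidence.
Not KPMG's material; all controls and dates below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class ControlEvidence:
    control_id: str
    frequency: str              # "monthly", "quarterly" or "event"
    effective_from: date        # date the control was implemented (assumed known)
    evidence_dates: list[date]  # dates on which evidence of operation exists


def _period_index(d: date, frequency: str) -> int:
    """Sequential month or quarter number so periods can be compared as ints."""
    if frequency == "monthly":
        return d.year * 12 + d.month - 1
    if frequency == "quarterly":
        return d.year * 4 + (d.month - 1) // 3
    raise ValueError(f"unsupported frequency: {frequency}")


def _period_label(index: int, frequency: str) -> str:
    if frequency == "monthly":
        return f"{index // 12}-{index % 12 + 1:02d}"
    return f"{index // 4}-Q{index % 4 + 1}"


def coverage_gaps(ctrl: ControlEvidence, start: date, end: date) -> list[str]:
    """Human-readable findings for one control over the period [start, end]."""
    findings = []
    # Every control, event-based ones included, must be in place from day one.
    if ctrl.effective_from > start:
        findings.append(
            f"{ctrl.control_id}: not in place until {ctrl.effective_from.isoformat()}"
            f" (period starts {start.isoformat()})"
        )
    if ctrl.frequency == "event":
        return findings  # event-based controls are tested per event, not per period
    expected = range(_period_index(start, ctrl.frequency),
                     _period_index(end, ctrl.frequency) + 1)
    seen = {_period_index(d, ctrl.frequency)
            for d in ctrl.evidence_dates if start <= d <= end}
    for p in expected:
        if p not in seen:
            findings.append(f"{ctrl.control_id}: no evidence for "
                            f"{ctrl.frequency} period {_period_label(p, ctrl.frequency)}")
    return findings


def check_all(controls: list[ControlEvidence], start: date, end: date) -> dict[str, list[str]]:
    """Map each control ID to its list of findings (empty list = fully covered)."""
    return {c.control_id: coverage_gaps(c, start, end) for c in controls}


# Constructed sample: a six-month examination period and three controls.
PERIOD_START, PERIOD_END = date(2014, 10, 1), date(2015, 3, 31)
SAMPLE_CONTROLS = [
    ControlEvidence("quarterly-access-review", "quarterly", date(2014, 1, 1),
                    [date(2014, 11, 15), date(2015, 2, 20)]),
    ControlEvidence("monthly-vuln-scan", "monthly", date(2014, 1, 1),
                    [date(2014, 10, 5), date(2014, 11, 3), date(2015, 1, 10),
                     date(2015, 2, 8), date(2015, 3, 5)]),          # December missing
    ControlEvidence("change-approval", "event", date(2014, 11, 1),
                    [date(2014, 11, 20), date(2015, 1, 14)]),       # implemented late
]

if __name__ == "__main__":
    for control_id, findings in check_all(SAMPLE_CONTROLS, PERIOD_START, PERIOD_END).items():
        print(control_id, "->", findings or "covered")
```

With the sample data the quarterly review is fully covered, the monthly scan has one uncovered period (2014-12), and the event-based change approval control is flagged because it was not in place at period start, which is exactly the first-year situation the slide describes.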
Engagement approach considerations (continued)
Exceptions
■ Similar treatment as before; however, we must now consider the risk that the criteria may not be met.
– Tie the exception back to the identified risks
– Assess whether sufficient compensating controls exist to mitigate the risks, including non-key controls
– Determine whether the non-key controls should be included in the scope of the report
– Assess whether something did go wrong as a result of the control exception
– Even if the exception sample didn’t have any impact, it doesn’t mean that the criterion was met
Industry activities – Recent KPMG Webcasts
Webcast Link to playback
Effectively using SOC1, SOC 2 and SOC3 reports for increased assurance over outsourced operations (April 2012)
http://www.kpmginstitutes.com/advisory-institute/events/soc-reporting.aspx
SOC2 reports to address industry requirements for assurance over outsourced operations (October 2012)
http://www.kpmginstitutes.com/advisory-institute/events/webcast-soc2-assurance-over-outsourced-operations.aspx
SOC 2 frequently asked questions (November 2012)
http://www.kpmginstitutes.com/advisory-institute/events/soc-2-frequently-asked-questions.aspx
Enabling vendor risk and compliance management using SOC2 and SOC 3 reports (July 2013)
http://www.kpmginstitutes.com/advisory-institute/events/webcast-vendor-risk-compliance-soc2-soc3.aspx
SOC2, SOC3 in Europe – Virtual meeting (February 2014)
http://www.kpmg.com/NL/nl/IssuesAndInsights/ArticlesPublications/Documents/PDF/IT-Advisory/SOC2.pdf
Questions?
Matt Tobey [email protected]
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.