The Death of SAS 70: SOC It to Me March 2011 IAPP Global Summit 2011 Washington D.C. Presented by: Rena Mears, CIPP Doron Rotman, CIPP

The Death of SAS 70(SOC) Reports Replace SAS 70 • With the retirement of the SAS 70 standard, traditional SAS 70 reports are being replaced by Service Organization Control Reports


Page 1

The Death of SAS 70: SOC It to Me

March 2011, IAPP Global Summit 2011

Washington D.C.

Presented by: Rena Mears, CIPP

Doron Rotman, CIPP

Page 2

Objectives of Today’s Session

– Identify Third Party Service Providers’ privacy risks

– Discuss how utilizing privacy audits and/or assessments of service organizations is considered a good business practice

– Identify the different types of reports available under the new attestation standard, SSAE No. 16 and the impact from a privacy perspective

– Identify which reports are more useful for your organization based on different criteria

Page 3

General Introduction

• The audience – tell us about yourself:

– Your name

– Company name and location

– Position

– Involvement in your organization’s privacy program

– What would you like to take away from this presentation today

Page 4

Agenda

– Top 8 Privacy Concerns with Third Party Service Providers

– How to Mitigate Privacy Concerns

– Overview of Service Organization Control (SOC) reports

– Why there was a change from SAS 70 reports

– Types of SOC reports

– Control Requirements

– Steps to Alleviate Privacy Concerns

Page 5

Privacy Concerns with Third Party Service Providers

• Accountability of Data

• Data Security / Safeguarding Data

• Utilizing Other Third Parties – Subsequent Use and Onward Transfer

• Breach Management

• Contract Management

• Use and Retention of Personal Information

• Data Integrity

• Monitoring and enforcement of laws and regulations

Page 6

Building Trust with Third Party Service Providers

• You can outsource data, you can’t outsource accountability!

• Due to prominent internal-control breakdowns (security, privacy breaches, and fraud) and increasing regulatory focus on internal control (Sarbanes-Oxley Act, Basel II, HITECH and HIPAA), there is an increase in due diligence and governance oversight.

• Technological, regulatory and other changes have heightened the need for information and assurance.

• The Cloud!

Page 7

Steps to Alleviate Privacy Concerns of Third Parties

When organizations utilize a third party service provider, it is critical to create a strategy that helps ensure privacy concerns are addressed:

• Examine Applicable Privacy Laws

• Due Diligence

• Monitoring

• Data Control

• Contractual Agreements

• Compliance Monitoring

Page 8

Privacy Assessments and Audits – A Necessity

• When companies outsource their data processing or services to third-party service providers, they do not release ownership and responsibility for internal controls.

• The controls of the service provider effectively become the controls of the user organization, and must fit into the user organization’s internal control framework.

• Companies need assurance that the controls specified agree with that framework.

Page 9

Mitigate Privacy Concerns

• To mitigate risks, third-party service providers need to provide a description of their internal control activities surrounding data processing, including input, processing, output, and security. This documentation or assessment is necessary to provide assurance to the user that data integrity, availability, and confidentiality are protected.

• This can be achieved through utilization of a service organization control report.


Page 10

Service Organization Privacy Audits – Risk Based Approach

• Questionnaires

• Self Certification

• Self Regulatory Programs (TRUSTe, IAB, Safe Harbor) and Assessments (PCI)

• User organization internal audits

• Independent 3rd Party Assurance

– Agreed upon procedures (Shared Assessment)

– SOC 2/3

Page 11

Service Organization Control (SOC) Reports Replace SAS 70

• With the retirement of the SAS 70 standard, traditional SAS 70 reports are being replaced by Service Organization Control Reports (or “SOC” reports).

• In the past, the SAS 70 report was intended to assist service organizations’ customers and their auditors in the context of a financial statement audit.

• Now, three types of SOC reports have been defined to replace SAS 70 and help service organizations meet a broader set of specific user needs – including addressing security, privacy and availability concerns related to the cloud.

Page 12

Reason for the Change

Clarity of Purpose

• Mis-understandings

• Mis-applications

• Mis-uses of SAS 70

Global Implications

• Need for greater international consistency

New Technologies

• SaaS

• Cloud Computing

• Privacy issues for emerging technologies

Page 13

Reason for the Change

SAS 70 reports often were misinterpreted as a means to obtain assurance regarding controls over compliance and operations (which included privacy controls).

Page 14

Reason for the Change

[Diagram: lineage of the Service Organization Controls (SOC) reports]

– Statement on Auditing Standards #70 (SAS 70) → SSAE 16 → SOC 1 (Financial Reporting)

– Trust Principles: SysTrust, WebTrust → AT 101 → SOC 2 & SOC 3 (Non-Financial Reporting)

– Together these form the Service Organization Controls (SOC) reports

Page 15

Types of SOC Reports (Report / Scope/Focus / Summary / Applicability)

SOC 1

– Scope/Focus: Internal Control Over Financial Reporting

– Summary: Detailed report for customers and their auditors

– Applicability:

• Focused on financial reporting risks and controls specified by the service provider.

• Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.

SOC 2

– Scope/Focus: Security, Availability, Processing Integrity, Confidentiality and/or Privacy

– Summary: Detailed report for customers and prospective customers

– Applicability:

• Pre-defined security criteria form the baseline.

• Can also include Confidentiality, Availability, Processing Integrity and/or Privacy criteria.

• Financial reporting is not the primary concern.

SOC 3

– Scope/Focus: Same as SOC 2

– Summary: Short report that can be generally distributed, with the option of displaying a web site seal

– Applicability:

• Same as above without disclosing detailed controls and testing.

• Optionally, the service provider can post a Seal if they receive an unqualified opinion.

Page 16

Which Report is the Right Report?

SOC 1

• Focus on internal control over financial reporting.

• Need detail about systems and processes.

SOC 2

• Primary interest in key compliance and operational controls (security, availability, processing integrity, confidentiality or privacy).

• Need detail about systems and processes.

SOC 3

• Primary interest in key compliance and operational controls (security, availability, processing integrity, confidentiality or privacy).

• Only a summary report/seal is provided.

Page 17

Privacy Control Requirements

Generally Accepted Privacy Principles (GAPP)

1. Management

2. Notice

3. Choice & Consent

4. Collection

5. Use, Retention and Disposal

6. Access

7. Disclosure to Third Parties

8. Security for Privacy

9. Quality

10. Monitoring & Enforcement

Requirements

• Address all 74 criteria

– Service Provider only

– User Organization Only / NA

– Shared

• Disclose controls that support the criteria

Page 18

Control Requirements

Information Security Management System

• Security Policy

• Organization of Information Security

• Asset Management

• Human Resources Security

• Physical and Environmental Security

• Communications and Operations Management

• Access Control

• Information Systems Acquisition, Development, and Maintenance

• Information Security Incident Management

• Business Continuity Management

• Compliance

Areas of Added Emphasis for Emerging Technologies

• Data Protection/Segregation

• Privacy

• Encryption Standards

• Logging

• Authentication

• Configuration Management

• Monitoring/Compliance Function

The SOC 2 and SOC 3 assurance framework can be used to demonstrate the effectiveness of privacy related controls within different frameworks.

Page 19

Take Away

• The SOC reports will increase your trust and help your organization address risk and governance concerns with your third party service provider.

• Utilizing a SOC report is beneficial; however, your organization must have a strong governance structure which incorporates third party service providers.

Page 20

Questions

Page 21

Contact Information

Rena Mears, Partner
US and Global Privacy and Data Protection Leader
Deloitte & Touche
[email protected]

Doron Rotman, CIPP
National Privacy Service Leader, Advisory
KPMG
[email protected]