Which External Assurance Options and Control Frameworks are Best?
Presented by: Andrew Demski, Technology Director; Alex Getz, Consultant
Moderated by: Tonya Preston


Page 1: Which External Assurance Options and Control Frameworks are Best?

Which External Assurance Options and Control Frameworks are Best?

Presented by: Andrew Demski, Technology Director

Alex Getz, Consultant

Moderated by: Tonya Preston

Page 2

TODAY’S PRESENTERS

Andrew Demski, Technology Director

Cincinnati, OH

Alex Getz, Consultant

Cincinnati, OH

Page 3

Agenda

• IT-related control and security frameworks

• Industry-specific standards

• External assurance options

• External assurance value

• SOC Reporting

Page 4

Current Industry and Regulatory Environment

Page 5

What are the frameworks governing IT/security?

COBIT (Control Objectives for Information and Related Technology)

Established by:
• Information Systems Audit and Control Association (ISACA).

Designed to:
• Be a framework for IT governance and management.
• Allow an organization to ensure the quality, control and reliability of its information systems.

Overview:
• A structure for organizations to implement in which business processes play a key role in the company model.
• COBIT is a process-based model. COBIT 4.1 grouped its processes into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
• COBIT 5 reorganizes the processes into five domains, one for governance and four for management: Evaluate, Direct and Monitor (EDM); Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA).

Page 6

What are the frameworks governing IT/security?

NIST Cybersecurity Framework

Established by:
• The National Institute of Standards and Technology (NIST).

Designed to:
• Be a voluntary cybersecurity framework, developed by NIST at the direction of a 2013 US presidential executive order (EO 13636, Improving Critical Infrastructure Cybersecurity).

Overview:
• A structure for the nation's financial, energy, healthcare and other critical infrastructure sectors to better protect their information and physical assets from cyber attack.
• The Framework Core organizes security outcomes into five functions: Identify, Protect, Detect, Respond and Recover.
• NIST provides a common language with which to address and manage cyber risk in a cost-effective way based on business needs, without adding regulatory requirements.

Page 7

What are the frameworks governing IT/security?

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Established by:
• The Committee of Sponsoring Organizations of the Treadway Commission (sponsored by the AAA, AICPA, FEI, IIA and IMA).

Designed to:
• Serve as an integrated framework for designing, implementing and evaluating internal controls within organizations.

Overview:
• Designed for businesses to establish, assess and enhance their internal controls.
• The Internal Control Integrated Framework (2013) consists of five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities) supported by 17 principles.
• COSO's separate Enterprise Risk Management framework (2017) is organized around five different components: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; and Information, Communication & Reporting.
• Principle 11 of the 2013 framework (the organization selects and develops general control activities over technology) offers specific guidance for assessing the effectiveness of controls over IT.

Page 8

What are the frameworks governing IT/security?

ISO/IEC 27001

Established by:
• The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Designed to:
• Provide requirements for an information security management system (ISMS).

Overview:
• Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization.
• Also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements are intended to be applicable to all organizations, regardless of type, size or nature.
• Certifiable: an accredited certification body can audit and certify an organization's ISMS against ISO/IEC 27001, which is the form of third-party assessment most of the other frameworks on this list do not offer.

Page 9

What are the frameworks governing IT/security?

ITIL (Information Technology Infrastructure Library)

Established by:
• The UK Government's Central Computer and Telecommunications Agency (CCTA).

Designed to:
• Serve as a detailed set of IT practices for IT service management that focuses on aligning IT services with the needs of the business.

Overview:
• ITIL as a framework describes processes, procedures, tasks and checklists that can be applied by any organization.
• Establishes a baseline for organizations to plan, implement and measure.
• No current form of third-party compliance assessment for organizations (ITIL certifications are held by individuals, not companies).
• Some overlap with ISO/IEC standards, most directly ISO/IEC 20000, the IT service management standard against which an organization can be certified.

Page 10

Industry-Specific Standards: PCI

PCI DSS (Payment Card Industry Data Security Standard)

• Created by the PCI Security Standards Council (formed by MasterCard, American Express, Visa, JCB and Discover).

• Provides a framework for payment card data security processes: prevention, detection and reaction to security incidents.

Page 11

Industry-Specific Standards: PCI

PCI DSS (Payment Card Industry Data Security Standard), continued

• Failure to comply can mean fines and increased processing charges passed down from the card brands through the acquiring bank, and ultimately loss of the ability to accept card payments.

• Six basic objectives: build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.

Page 12

Industry-Specific Standards: HIPAA

HIPAA (Health Insurance Portability and Accountability Act)

• Created in 1996 to improve efficiency and effectiveness in the American health care system.

• Who it affects: users of health care and health insurance, health insurers, doctors, hospitals, life insurers, public health authorities, billing agencies, information system vendors, and health service organizations.

Page 13

Industry-Specific Standards: HIPAA

HIPAA (Health Insurance Portability and Accountability Act), continued

• Five main titles:
  • Title I, "Health care access, portability and renewability"
  • Title II, "Preventing health care fraud and abuse; administrative simplification; medical liability reform"
    • Subtitle F of Title II, "Administrative simplification", is the part that gives rise to the HIPAA Privacy and Security Rules, the provisions most relevant to IT controls.
  • Title III, "Tax-related health provisions"
  • Title IV, "Application and enforcement of group health plan requirements"
  • Title V, "Revenue offsets"

Page 14

Industry-Specific Standards: GDPR

European GDPR (General Data Protection Regulation)

• The European Parliament adopted the GDPR in April 2016, replacing the outdated Data Protection Directive from 1995; it became enforceable on 25 May 2018.

• Relies on interpretation rather than prescriptive technical standards: it requires "appropriate" technical and organisational measures for the risk of the processing in question, and does not name a specific control set.

Page 15

Industry-Specific Standards: GDPR

European GDPR, continued

• Places direct obligations and liability on data processors (third parties that process data on a controller's behalf) as well as on data controllers (the organizations that decide why and how personal data is processed).

• A controller may only use processors that provide sufficient guarantees of compliance, so a third-party processor that is not in compliance means you are not in compliance either.

Page 16

External Assurance Options

Risk Consulting

• Internal Controls Consulting
  − Tests of design/effectiveness, gap analysis, implementation

• Regulatory Compliance
  − PCI DSS, HIPAA, GDPR, ISO/IEC 27001

• Risk Assessments
  − Vulnerability assessments, risk modeling/ranking

• Internal Audit/IT Audit Training

Page 17

External Assurance Options

Third-Party Assurance

SOC 1 (Readiness/Type I/Type II)
• Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting

SOC 2 (Readiness/Type I/Type II)
• Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

Page 18

External Assurance Options

Third-Party Assurance, continued

SOC 3 (Trust Services Criteria for General Use)

SOC for Cybersecurity (Readiness)
• Report on an entity's cybersecurity risk management program and on the effectiveness of the controls within it relevant to security, confidentiality and availability; unlike SOC 1 and SOC 2 it is an entity-wide report and is not limited to service organizations.

SOC for Vendor Supply Chain (Readiness)

Page 19

System & Organization Controls (SOC)

Page 20

SOC 1 (Internal Control over Financial Reporting)

Overall Subject Matter

• Controls at a service organization relevant to user entities' internal control over financial reporting.

Intended Users of the Report

• Auditors of the user entities' financial statements, management of the user entities, and management of the service organization.

Type 1 Report - reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.

Type 2 Report - reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period. A Type 2 report is therefore the one that gives evidence the controls actually operated, not merely that they were suitably designed.

Page 21

SOC 2 (Trust Services Criteria)

Overall Subject Matter

• Controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.

Intended Users of the Report

• Parties knowledgeable about the nature of the services provided, how the service organization's systems interact with user entities, subservice organizations and other parties, and management. A SOC 2 is a restricted-use report.

Type 1 Report - reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to meet the applicable trust services criteria, as of a specified date.

Type 2 Report - reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, throughout a specified period.

Page 22

SOC 3 (Trust Services Criteria for General Use)

Overall Subject Matter

• Controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.

Intended Users of the Report

• Anyone (marketing use; limited information provided).

No Type 1/Type 2 distinction (the opinion always covers operating effectiveness over a period); the report is intended for general use.

Page 23

SOC for Cybersecurity (report attributes: Report Purpose; Intended Users; Professional Standards; Responsible Party; Distribution; Subject Matter; Engagement Criteria)

Page 24

SOC for Vendor Supply Chain (Upcoming)

Overall Subject Matter

• Controls at a producer, manufacturer or distributor relevant to its production, manufacturing or distribution system(s).

Intended Users of the Report

• Business customers, business partners, non-regulatory standard-setting bodies, and prospective customers or business partners.

No Type 1/Type 2 distinction; the report is intended for general use.

Page 25

SOC Report Components

SOC 1:
• System description
• Management assertion
• Auditor's report with opinion on the design (Type 1 and Type 2) and operating effectiveness (Type 2) of controls
• In a Type 2, description of the tests of controls and their results

SOC 2:
• System description
• Management assertion
• Auditor's report with opinion on the design (Type 1 and Type 2) and operating effectiveness (Type 2) of controls
• In a Type 2, description of the tests of controls and their results

SOC 3:
• Auditor's report on whether the entity maintained effective controls over its system as it relates to security, availability, processing integrity, confidentiality or privacy

SOC for Cybersecurity:
• System description
• Management assertion
• Auditor's report with opinion on the design and effectiveness of controls

SOC for Vendor Supply Chain:
• System description
• Management assertion
• Auditor's report with opinion on the design and effectiveness of controls

Page 26

Questions?

Andrew Demski, Technology Director

Cincinnati, OH

Alex Getz, Consultant

Cincinnati, OH