Which External Assurance Options and Control Frameworks are Best?
Presented by: Andrew Demski, Technology Director
Alex Getz, Consultant
Moderated by: Tonya Preston
TODAY’S PRESENTERS
Andrew Demski, Technology Director
Cincinnati, OH
Alex Getz, Consultant
Cincinnati, OH
Agenda
• IT-related control and security frameworks
• Industry-specific standards
• External assurance options
• External assurance value
• SOC Reporting
Current Industry and Regulatory Environment
What are the frameworks governing IT/security?
COBIT Framework
COBIT (Control Objectives for Information and Related Technology)
Established by:
• Information Systems Audit and Control Association (ISACA).
Designed to:
• Be a framework intended for IT governance and management.
• Allow organizations to ensure quality, control and reliability of information systems.
Overview:
• A structure for organizations to implement in which business processes play a key role in the company model.
• COBIT is a process-based model that includes Planning and Organization, Delivering and Support, Acquiring and Implementation, and Monitoring and Evaluating.
• Objectives include Evaluate, Direct and Monitor; Align, Plan and Organize; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess.
What are the frameworks governing IT/security?
NIST
Established by:
• The National Institute of Standards and Technology (NIST).
Designed to:
• Be a US government-ordered cybersecurity framework.
Overview:
• A structure for the nation’s financial, energy, healthcare, and other critical systems to better protect their information and physical assets from cyber attack. NIST provides a common language with which to address and manage cyber risk in a cost-effective way based on business needs, without additional regulatory requirements.
What are the frameworks governing IT/security?
Committee of Sponsoring Organizations (COSO)
Established by:
• Committee of Sponsoring Organizations of the Treadway Commission (sponsored by AAA, AICPA, FEI, IIA, IMA).
Designed to:
• Serve as an integrated framework on internal controls to design, implement, and evaluate internal controls within organizations.
Overview:
• Designed for businesses to establish, assess, and enhance their internal controls.
• Consists of five major areas: Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, and Information, Communication & Reporting.
• Newly-issued Principle 11 offers specific guidance for assessing effectiveness of controls over IT.
What are the frameworks governing IT/security?
ISO/IEC
Established by:
• The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Designed to:
• Provide requirements for an information security management system (ISMS).
Overview:
• Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization.
• It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements are intended to be applicable to all organizations, regardless of type, size, or nature.
What are the frameworks governing IT/security?
ITIL (Information Technology Infrastructure Library)
Established by:
• UK Government’s Central Computer and Telecommunications Agency (CCTA).
Designed to:
• Serve as a detailed set of IT practices for IT service management that focuses on aligning IT services with the needs of businesses.
Overview:
• ITIL as a framework describes processes, procedures, tasks and checklists that can be applied by any organization. It establishes a baseline for organizations to plan, implement, and measure. There is no current form of third-party compliance assessment. Some overlap with ISO/IEC.
Industry-Specific Standards: PCI
PCI DSS (Payment Card Industry Data Security Standards)
• Created by the PCI Security Standards Council (formed by MasterCard, American Express, Visa, JCB and Discover).
• Provides a framework for payment card data security processes: prevention, detection and reaction to security incidents.
• Failure to comply = processing charges.
• Basic objectives: Build and maintain a secure network and systems; Protect cardholder data; Maintain a vulnerability management program; Implement strong access control measures; Regularly monitor and test networks; and Maintain an information security policy.
Industry-Specific Standards: HIPAA
HIPAA (Health Insurance Portability and Accountability Act)
• Created in 1996 to improve efficiency and effectiveness in the American health care system.
• Who does it affect: Users of health care/health insurance, health insurers, doctors, hospitals, life insurers, public health authorities, billing agencies, information system vendors, and health service organizations.
• Five main titles:
− Title I, “Health care access, portability and renewability”
− Title II, “Preventing health care fraud and abuse; administrative simplification; medical liability reform”
− Title II, “Administrative simplification” (subtitle F)
− Title III, “Tax-related health provisions”
− Title IV, “Application and enforcement of group health plan requirements”
− Title V, “Revenue offsets”
Industry-Specific Standards: GDPR
European GDPR
• The European Parliament adopted GDPR in April 2016, replacing an outdated data protection directive from 1995.
• Relies on interpretation of what constitutes “reasonable” protection of data rather than on specific standards.
• Places equal liability on data controllers (data owners) and data processors (3rd-party data management).
• A 3rd-party processor that is not in compliance means you are not in compliance.
External Assurance Options
Risk Consulting
• Internal Controls Consulting
− Tests of design/effectiveness, gap analysis, implementation
• Regulatory Compliance
− PCI DSS, HIPAA, GDPR, ISO/IEC
• Risk Assessments
− Vulnerability assessments, risk modeling/ranking
• Internal Audit/IT Audit Training
External Assurance Options
Third-Party Assurance
SOC 1 (Readiness/Type I/Type II)
• Report on Controls Relevant to User Entities’ Internal Control over Financial Reporting
SOC 2 (Readiness/Type I/Type II)
• Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC 3 (Trust Services Criteria for General Use)
SOC for Cybersecurity (Readiness)
• Report on Controls at a Service Organization Relevant to Security, Confidentiality & Availability, as well as a Cybersecurity Risk Management Program
SOC for Vendor Supply Chain (Readiness)
System & Organization Controls (SOC)
SOC 1 (Internal Control over Financial Reporting)
Overall Subject Matter
• Controls at a service organization relevant to user entities’ internal control over financial reporting.
Intended Users of the Report
• Auditors of the user entity’s financial statements, management of the user entities, management of the service organization.
Type 1 Report - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2 Report - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
SOC 2 (Trust Services Criteria)
Overall Subject Matter
• Controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.
Intended Users of the Report
• Parties knowledgeable about: nature of services provided, how the service organization’s systems interact with user entities, subservice organizations and other parties, management.
Type 1 Report - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2 Report - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
SOC 3 (Trust Services Criteria for General Use)
Overall Subject Matter
• Controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.
Intended Users of the Report
• Anyone (marketing / limited information provided).
No Type 1/Type 2 report; it is intended for general use.
SOC for Cybersecurity
Summary table with rows: Report Purpose; Intended Users; Professional Standards; Responsible Party; Distribution; Subject Matter; Engagement Criteria (cell contents not reproduced).
SOC for Vendor Supply Chain (Upcoming)
Overall Subject Matter
• Controls at a service organization relevant to the organization’s production, manufacturing or distribution system(s).
Intended Users of the Report
• Business customers, business partners, non-regulatory standard-setting bodies, prospective customers or business partners.
No Type 1/Type 2 report; is intended for general use.
SOC Report Components
SOC 1:
• System Description
• Management Assertion
• Auditor’s report with opinion on the design and effectiveness (type 2) of controls
• In a type 2, description of tests of controls and results
SOC 2:
• System Description
• Management Assertion
• Auditor’s report with opinion on the design and effectiveness (type 2) of controls
• In a type 2, description of tests of controls and results
SOC 3:
• Auditor’s report on whether the entity maintained effective controls over its system as it relates to security, availability, confidentiality or privacy
SOC for Cyber:
• System Description
• Management Assertion
• Auditor’s report with opinion on the design and effectiveness of controls
SOC for Vendor:
• System Description
• Management Assertion
• Auditor’s report with opinion on the design and effectiveness of controls
Questions?
Andrew Demski, Technology Director
Cincinnati, OH
Alex Getz, Consultant
Cincinnati, OH