Service Organization Controls (SOC) 2

Anders Erickson, Risk Advisory Senior Manager

April 2015

www.eidebailly.com



Objectives

• Gain an understanding of AICPA’s Service Organization Control Guidance, specifically as it relates to SOC 2.

• Introduce the criteria and principles that form the foundation of the SOC 2.

• Discuss challenges and best practices for undergoing a SOC 2 assessment.


SOC Report - Purpose

SOC reports are examination engagements undertaken by a service auditor to report on controls at a service organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal controls.

[Diagram: relationship between the Service Organization, the Service Auditor, the User Entity and the SOC Report]


Origins of SOC Reports

SAS 70 was an audit engagement, and Trust Services Principles & Criteria an attestation engagement. The new guidance established two service organization control reporting options (SOC 1 and SOC 2 reports).

SAS 70 → SOC 1 (SSAE 16)

Trust Principles (SysTrust, WebTrust) → SOC 2 (AT 101)


SOC 1 vs. SOC 2

SOC 1 Report: Relates to a service organization’s internal controls that are relevant to its customers’ financial reporting – also referred to as internal controls over financial reporting (ICFR).

SOC 2 Report: Relates to a service organization’s internal controls that ensure the security, availability, processing integrity, confidentiality and/or privacy of its customers’ data.


Types of Service Auditor Reports

There are two types of reports for SOC 1 and 2:

Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.


Use of SOC Reports

SOC reports are restricted use reports (not for potential customers) to be used by the following:

• User entities that outsource to service organizations (e.g., cloud computing)

• Financial Statement auditors (user auditors) of those user entities

• Management of the service organization


SOC 2 Report - Purpose

To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization relevant to one or more of the Trust Services Principles and Criteria (TSP&C).


SOC Report Components


• Section I Auditor’s Opinion

• Section II Management’s Assertion

• Section III Description of System

• Section IV Description of Tests and the Results of Tests

• Section V Other information Provided by the Service Organization


Auditor’s Opinion

• Contains the service auditor’s opinion about whether:

  • Management’s description of the service organization’s system is fairly presented (Unqualified, Qualified, Adverse, Disclaimer)

  • Type 1 - The controls in the description are suitably designed to meet the applicable TSP&C

  • Type 2 - The controls were operating effectively to meet applicable TSP&C

  • For SOC 2 reports that address the privacy principle, management complied with commitments


Management’s Assertion

• Management’s description fairly presents the service organization’s system.

• Management’s description does not omit or distort relevant information.

• Controls were suitably designed and operating effectively.


Management’s System Description

A system consists of five key components organized to achieve a specified objective. The five components are categorized as follows:

Infrastructure – The physical and hardware components of a system (facilities, equipment, and networks)

Software – The programs and operating software of a system (systems, applications, and utilities)

People – The personnel involved in the operation and use of a system (developers, operators, users, and managers)

Procedures – The automated and manual procedures involved in the operation of a system

Data – The information used and supported by a system (transaction streams, files, databases and tables)


Subservice Organizations

[Diagram: Service Organization, Service Auditor, User Entity and SOC Report, together with Subservice Organization “X” and Subservice Organization “Y”; the Carve-Out Method and the Inclusive Method]


Complementary User Entity Controls

• The service organization may design its service with the assumption that certain controls will be implemented by the user entities.

[Diagram: Service Organization, Service Auditor, SOC Report, User Entity and Complementary User Entity Controls]


Overview of Trust Services Principles

Common Criteria *

Security: Organization and Management; Communications; Risk Management; Monitoring of Controls; Logical and Physical Access Controls; System Operations; Change Management

* Criteria for the privacy Trust Principle do not include the common criteria but are set forth in generally accepted privacy principles (GAPP).

Additional Principles & Criteria

Availability: Capacity and Usage; Environmental Controls; Data Backup and Recovery; Testing of Recovery Plans

Processing Integrity: Handling Processing Errors; Controlling System Inputs; Data Processing and Storage; System Output and Data Modifications

Confidentiality: Change Management; Access Control; Internal & External Information Disclosure; Confidentiality Agreements


Example TSP&C

CC1.0 Common Criteria Related to Organization and Management

Criteria: CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

Risk: The entity’s organizational structure does not provide the necessary information flow to manage [security, availability, processing integrity, or confidentiality] activities.

Illustrative Control: The entity evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its business planning process and as part of its ongoing risk assessment and management process and revises these when necessary to help meet changing commitments and requirements.


TSP&C – Overview

1.0 Organization and Management

CC1.1 Organizational structures, reporting lines, authorities, and responsibilities

CC1.2 Responsibility and accountability

CC1.3 Qualifications and resources

CC1.4 Workforce conduct standards; candidate background screening procedures; enforcement procedures

2.0 Communications

CC2.1 System and its boundaries

CC2.2 Commitments communicated to internal and external users

CC2.3 Communicating responsibilities of internal and external users

CC2.4 Internal and external personnel have information necessary to carry out responsibilities

CC2.5 Reporting failures, incidents, concerns, and other complaints to appropriate personnel

CC2.6 System changes communicated to users in a timely manner


TSP&C – Overview

3.0 Risk Management & Internal Controls

CC3.1 Identifying potential threats that would impair the system; analyzing identified threats; determining mitigation strategies

CC3.2 Implementing its risk mitigation strategy

CC3.3 Identifying and assessing changes that could impact the system of internal control; reassessing the suitability of control activities

4.0 Monitoring of Controls

CC4.1 Design and operating effectiveness of controls are periodically evaluated


TSP&C – Overview

5.0 Logical and Physical Access Control

CC5.1 Restriction of authorized user access; prevention and detection of unauthorized access

CC5.2 New internal and external system users are registered and authorized; user system credentials are removed when user access is no longer authorized

CC5.3 Internal and external system users are identified and authenticated

CC5.4 Access to data, software, functions, and other IT resources granted based on the principle of least privilege

CC5.5 Physical access to facilities housing the system

CC5.6 Threats from sources outside the boundaries of the system

CC5.7 Transmission, movement, and removal of information

CC5.8 Introduction of unauthorized or malicious software


TSP&C – Overview

6.0 System Operations

CC6.1 Vulnerabilities of system components to breaches and incidents are monitored and countermeasures implemented

CC6.2 Incident response procedures

7.0 Change Management

CC7.1 System development lifecycle

CC7.2 Infrastructure, data, software, and procedures are updated

CC7.3 Change management initiated when deficiencies in controls are identified

CC7.4 Changes are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with commitments

A1 Availability

A1.1 Processing capacity and usage

A1.2 Environmental protections, software, data backup processes, and recovery infrastructure

A1.3 Recovery plans are periodically tested


TSP&C – Overview

P1 Processing Integrity

P1.1 Procedures to prevent, detect, and correct processing errors

P1.2 Input controls

P1.3 Processing controls

P1.4 Data storage and maintenance

P1.5 System output

P1.6 Modification of data

C1 Confidentiality

C1.1 During the system development and change processes

C1.2 Within the boundaries of the system

C1.3 From outside the boundaries of the system

C1.4 Confidentiality commitments from vendors and other third parties

C1.5 Compliance with confidentiality commitments

C1.6 Changes to confidentiality commitments


Generally Accepted Privacy Principles (GAPP)

GAPP contain ten (10) privacy principles and related criteria that are essential for the proper protection and management of personal information.

These privacy principles and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and in common and leading practices.


GAPP Principles

Ten GAPP Principles:

• Management

• Notice

• Choice and consent

• Collection

• Use, retention, and disposal

• Access

• Disclosure to third parties

• Security for privacy

• Quality

• Monitoring and enforcement


SOC 2 Challenges

• TSP&C are NOT an internal control framework

  • However, any internal control framework implemented by the Service Provider should be leveraged

• Management & organizational commitment

• Lack of external requirements/deadlines

• Size and scope of the TSP&C


SOC Readiness Review

The purpose of a readiness review is to prepare an organization for a SOC engagement.

Engage an experienced professional to assist with the following:

• Document control activities

• Identify any potential control deficiencies

• Provide a gap analysis to facilitate remediation efforts

• Assist in developing the system description


SOC Reporting - Sample Timeline


SOC Reporting – Displaying the SOC Logo

• Service organizations that have had a SOC 2 engagement within the past year may register with the AICPA for the use of this logo to be displayed.

• Service organizations searching for CPA firms that perform SOC engagements should look for firms with the SOC logo displayed on their website.

[Logos: For use by CPAs; For use by Service Orgs]


Anders Erickson, Eide Bailly, Risk Advisory Senior Manager

[email protected]

Questions?


Appendix – Supplemental Material


Modifications of Service Auditor’s Report

The service auditor’s opinion should be modified, and the service auditor’s report should contain a clear description of all reasons for modification, if the service auditor concludes that…

Points to Consider

• Management’s description is not fairly presented, in all material respects;

• Controls are not suitably designed;

• Controls did not operate effectively throughout the specified period;

• A scope limitation exists, resulting in the service auditor’s inability to obtain sufficient appropriate evidence;

• In the case of a type 2 report that addresses the privacy principle, the service organization did not comply with the commitments in its statement of privacy practices.


Modifications of Service Auditor’s Report

When determining whether to modify the service auditor’s report, the service auditor considers quantitative and qualitative factors, such as:

Quantitative and Qualitative Factors

• Nature and cause of the exceptions

• Tolerable rate of exceptions that the service auditor has established

• Pervasiveness of exceptions

• Likelihood that exceptions are indicators of control deficiencies that will result in failure to meet the control objective or TSP&C

• Magnitude of such failures that could occur as a result of control deficiencies

• Whether users could be misled if the service auditor’s opinion was not modified


TSP&C – Common Criteria 1.0 Organization and Management

CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation.

CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] have the qualifications and resources to fulfill their responsibilities.

CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].


TSP&C – Common Criteria 2.0 Communications

CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.

CC2.2 The entity's [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.

CC2.3 The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.

CC2.4 Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] of the system, have the information necessary to carry out those responsibilities.

CC2.5 Internal and external system users have been provided with information on how to report [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] failures, incidents, concerns, and other complaints to appropriate personnel.

CC2.6 System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] are communicated to those users in a timely manner.


TSP&C – Common Criteria 3.0 Risk Management & Internal Controls

CC3.1 The entity (1) identifies potential threats that would impair system [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies).

CC3.2 The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.

CC3.3 The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could significantly affect the system of internal control for [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.


TSP&C – Common Criteria 4.0 Monitoring of Controls

CC4.1 The design and operating effectiveness of controls are periodically evaluated against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.


TSP&C – Common Criteria 5.0 Logical and Physical Access Control

CC5.1 Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access.

CC5.2 New internal and external system users are registered and authorized prior to being issued system credentials, and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.

CC5.3 Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data).

CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them.

CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel.

CC5.6 Logical access security measures have been implemented to protect against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] threats from sources outside the boundaries of the system.

CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal enabling the entity to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software.


TSP&C – Common Criteria 6.0 System Operations

CC6.1 Vulnerabilities of system components to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.

CC6.2 [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.


TSP&C – Common Criteria 7.0 Change Management

CC7.1 [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.

CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements.


TSP&C – Common Criteria A1 Availability

A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.

A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.

A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.


TSP&C – Common Criteria P1 Processing Integrity

P1.1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.

P1.2 System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements.

P1.3 Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements.

P1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.

P1.5 System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.

P1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements.


TSP&C – Common Criteria C1 Confidentiality

C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.

C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.

C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.

C1.4 The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements from vendors and other third parties whose products and services comprise part of the system and have access to confidential information.

C1.5 Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis and corrective action is taken, if necessary.

C1.6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system.