IIA & ISACA Seminar. Service organization control reports: SOC 2/SOC 3 common criteria and new requirements to consider for 2015

Transcription

1 IIA & ISACA Seminar Service organization control reports: SOC 2/SOC 3 common criteria and new requirements to consider for 2015 April 8, 2015 kpmg.com

2 Contents SOC overview Summary of SOC 2/SOC 3 principles and criteria Overview trust services principles 2014 revision Enhanced SOC 2 reporting Alignment with relevant standards/frameworks Scoping considerations Industry activities Recent KPMG Webcasts Questions 1

3 SOC overview

4 Service organization control (SOC) reports Report Scope/focus Summary Applicability Standard SOC 1 Internal control over financial reporting Detailed report for customers and auditors Focused on financial reporting risks and controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems. ISAE 3402 (or local equivalent) or SSAE 16 SOC 2 SOC 3 Security, availability, processing integrity, confidentiality and/or privacy Detailed report for customers and specified parties Short report that can be generally distributed, with the option of displaying a web site seal for engagement based on AT101 only Focused on security, confidentiality, availability, processing integrity and/or privacy. Applicable to a broad variety of systems. Same as above without disclosing detailed controls and testing. Optionally, the service provider can post a Seal if they receive an unqualified opinion. AT101 under guidance of AAG-SOP March 2012 ISAE 3000 AT101 under the guidance of TSP100 ISAE 3000 (or local equivalent) 3

5 Contrasting SOC 2/SOC 3 and SOC 1 report scope Attribute SOC 2/SOC 3 SOC 1 Required focus Operational controls ICOFR Defined scope of system Control domains covered Level of standardization Infrastructure Software Procedures People Data Security Availability Confidentiality Processing integrity, and/or privacy Principles selected by service provider Predefined criteria used rather than control objectives Classes of transactions Procedures for processing and reporting transactions Accounting records of the system Handling of significant events and conditions other than transactions Report preparation for users Other aspects relevant to processing and reporting user transactions Transaction processing controls Supporting IT general controls Control objectives defined by service provider and may vary depending on the type of service provided 4

6 SOC reports for different scenarios SOC 1 financial reporting controls Financial services Asset management and custody services Healthcare claims processing Payroll processing Payment processing Cloud ERP service Data center co-location IT systems management SOC 2/SOC 3 operational controls Cloud-based services (SaaS, PaaS, IaaS) HR services Security services , collaboration, and communications Any service where customers primary concern is security, availability, or privacy Security Financial process and supporting system controls Availability Confidentiality Processing integrity Privacy 5

7 Summary of SOC 2/ SOC 3 principles and criteria

8 Principles and criteria topics Principles vs. criteria? Services principles are used to describe the overall objective The practitioner's opinion makes reference only to the criteria Criteria are benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter The criteria are supported by controls that, if operating effectively, enable a system to meet the criteria TSP 100 requires the identification of risks that threaten the achievement of the criteria TSP 100 requires a linkage of the risk to criteria and controls to risks 7

9 SOC 2/SOC 3 Principles (overview) May apply to any type of system, not just financial reporting systems Principles Privacy Processing integrity Availability Confidentiality Security 8

10 SOC 2/SOC 3 Security principle Trust services principle The system is protected against unauthorized access, use or modification. Most commonly requested area of coverage. Applicability The security principle is made up of the common criteria only and does not have additional criteria. Applicable to all outsourced environments, particularly where enterprise customers require assurance regarding the service provider s security controls for any system, nonfinancial or financial. 9

11 SOC 2/SOC 3 Availability principle Trust services principle The system is available for operation and use as committed or agreed Applicability Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering. Most applicable where enterprise customers require assurance regarding processes to achieve system availability SLAs as well as disaster recovery which could not be covered in a SSAE

12 SOC 2/SOC 3 Confidentiality principle Trust services principle Information designated as confidential is protected as committed or agreed Applicability Third most commonly requested area of coverage, particularly where customers want assurance over protecting information provided to the service provider. Most applicable where the customer requires additional assurance regarding the service providers practices for protecting sensitive business information 11

13 SOC 2/SOC 3 Processing Integrity principle Trust services principle System processing is complete, valid, accurate, timely, and authorized Applicability Potentially applicable for a wide variety of nonfinancial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing 12

14 SOC 2/SOC 3 Privacy principle GAPP Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA. These principles and criteria were not affected by the TSP 100 update. Applicability Most applicable where the service provider interacts directly with end customers and gathers their personal information. Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program. 13

15 Overview trust services principles 2014 revision

16 Trust services principles 2014 revision The trust services principles and criteria were revised by the AICPA effective for SOC 2/3 reports with periods ending on or after December 15, The criteria were revised to reduce duplication, improve consistency in reporting, and reduce errors. Common criteria framework is used for security, availability, processing integrity, and confidentiality principles. Unique, specific criteria are applicable for availability, processing integrity, and confidentiality principles The criteria are arranged into seven (7) common criteria categories that apply to the security, availability, processing integrity, and confidentiality principles. The privacy criteria are currently under revision by the AICPA, and additional guidance will be provided at a later date. Until then, the 2009 version of the generally accepted privacy principles should be used. 15

17 SOC 2/SOC 3 report overview 2014 revision The common criteria constitute the complete set of criteria for the security principle, and set the foundation for the availability, processing integrity, and confidentiality principles There are seven common criteria categories consistent with the COSO framework Organization and management Communications Risk management and design and implementation of controls Monitoring of controls Logical and physical access controls System operations Change management 16

18 Significant changes 2014 revision 2009 version of the criteria Security policies Security awareness and communication Risk assessment Threat identification Information classification Security Logical access Physical access Security monitoring Incident management Encryption Personnel Systems development and maintenance Configuration management Change management Monitoring/compliance Availability Confidentiality Processing integrity Availability policy Backup and restoration Environmental controls Disaster recovery Confidentiality policy Confidentiality of inputs, data processing, and outputs Information disclosures Confidentiality of information in systems development System processing integrity policies Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs Information tracing from source to disposition Privacy Management Notice Choice and consent Collection Use and retention Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement 17

19 Significant changes 2014 revision (continued) 2014 version of the criteria Common criteria Additional criteria Security Availability Confidentiality Processing integrity Organization and management Communications Risk management and design and implementation of controls N/A Specific incremental availability criteria Monitoring of controls Logical and physical access controls System operations Change management Specific incremental confidentiality criteria Specific incremental processing integrity criteria The privacy criteria continue to maintain a separate criteria structure. Management Access Notice Disclosure to third parties Choice and consent Security for privacy Collection Quality Use and retention Monitoring and enforcement 18

20 Significant changes 2014 revision (continued) Summary of major changes Major topic Reorganization of criteria for ease of use Greater emphasis on risk assessment and internal monitoring Key changes Reorganized to simplify and remove redundancy between principles Added more specific risk assessment criteria Added periodic evaluation of design/operating effectiveness of controls Added monitoring of vendors for confidentiality Clarification of various criteria Removed listing of required policy topics Clarified communication requirements internal vs. external Clarified intent of procedural criteria throughout Clarified monitoring criteria 19

21 Enhanced SOC 2 reporting Alignment with relevant standards/ frameworks

22 SOC 2 enhanced reporting Where there are common customer requirements/requests, it may be beneficial for the service provider to include additional details in the SOC 2 report to demonstrate alignment with one or more relevant standards/frameworks (e.g., ISO 27001, Cloud Security Alliance Cloud Controls Matrix, PCI-DSS, etc.). If the referenced standards/frameworks are more detailed than the SOC 2 Trust Services criteria, it may be necessary to include more granular controls within the SOC 2 report to enable a more complete mapping. SAMPLE Relation of service provider s controls to <specify standard/framework> Service provider has developed its controls to align with the <specify standard/framework>. Included below is a mapping of the <specify standard/framework> topics to related service provider controls covered in this report. Specific topics/requirements from <specify standard/framework> SOC 2 criteria Related service provider controls Sec , 1.02 Control description included. Sec Control description included. Sec Control description included. 21

23 Mapping to ISO 27001:2013 controls Ref. Approx. # of requirements Domain A.5 2 Information security policies Common A.6 7 Organization of information security Common A.7 6 Human resources security Common A.8 10 Asset management Common A.9 14 Access control Common A.10 2 Cryptography Common A Physical and environmental security Common A Operations security Common A.13 7 Communications security Common A System acquisition, development, and maintenance Common A.15 5 Supplier relationships Common A.16 7 Information security incident management Common A.17 4 Information security aspects of business continuity management Availability A.18 8 Compliance Common SOC 2/SOC 3 primary reference Total 114 An enhanced SOC 2 report can show how the service provider s SOC 2 controls to achieve the common and availability criteria align with the ISO 27001:2013 control objective topics. 22

24 Mapping to CSA cloud controls matrix (CCM) v3.0 Ref. Approx. # of requirements Domain SOC 2/SOC 3 primary reference AIS 4 Application & interface security Common/Integrity AAC 3 Audit assurance & compliance Common BCR 11 Business continuity management & operational resilience Availability CCC 5 Change control & configuration management Common/Availability DSI 7 Data security &information lifecycle management Common/Confidentiality/ Integrity DSC 9 Datacenter security Common/Confidentiality/ Availability EKM 4 Encryption & key management Common/Confidentiality GRM 11 Governance and risk management Common/Confidentiality HRS 11 Human resources Common An enhanced SOC 2 report can show how the service provider s SOC 2 controls to achieve the common, integrity, availability, and confidentiality criteria align with the CSA CCM v3.0 requirements. 23

25 Mapping to CSA cloud controls matrix (CCM) v3.0 (continued) Ref. Approx. # of requirements Domain IAM 13 Identity & access management Common SOC 2/SOC 3 primary reference IVS 13 Infrastructure & virtualization security Common/Availability IPY 5 Interoperability & portability None identified MOS 20 Mobile security None identified SEF 5 Security incident management, e-discovery & cloud forensics Common/Confidentiality/ Availability/Integrity STA 9 Supply chain management, transparency and accountability Common/Confidentiality/ Availability TVM 3 Threat and vulnerability management Common Total 133 An enhanced SOC 2 report can show how the service provider s SOC 2 controls to achieve the common, integrity, availability, and confidentiality criteria align with the CSA CCM v3.0 requirements. 24

26 Mapping to PCI data security standard (DSS) v3.0 Ref. Approx. # of requirements Domain 1 23 Firewall Common 2 12 System passwords Common 3 22 Protect stored cardholder data Common 4 4 Encryption Common 5 6 Antivirus Common 6 28 Development and maintenance Common 7 10 Access restrictions Common 8 23 Unique IDs Common 9 27 Physical access Common Monitoring Common Testing Common Security policy Common Total 242 SOC 2/SOC 3 primary reference An enhanced SOC 2 report can show how the service provider s SOC 2 controls to achieve the common criteria align with the PCI DSS v3.0 requirements. 25

27 Scoping considerations

28 Typical SOC 2/SOC 3 scoping considerations Services/applications provided Supporting infrastructure Locations Subservice providers Applicable principles Enhanced reporting inclusion of other information regarding alignment with other standards/frameworks 27

29 Criteria approach Criteria specific: Each criterion should be treated like a SOC 1 control objective Identify the threats that may cause the criterion to not be met (while some will be similar for all clients, some may significantly vary based on service offered, customer agreements, and industry) Identify key controls that addresses those threats (some controls may be non-key across each criterion for the principle(s) and judgment should be applied to determine if removal of orphaned controls is needed) This requirement may result in material gaps in a service organization s ability to meet the principle Perform this exercise early in the planning phase to avoid material gaps 28

30 Engagement approach considerations Concluding on criteria: Suitability of design Appropriateness of controls based on service, industry, and customer commitments Need to gain an understanding of the commitments to the users of the system While many controls will apply to nearly all service providers, some will vary based on the service offered and the industry the service organization is serving Threat inventory and determination if a control is a key control Key controls may work in tandem and require multiple key controls to adequately address the threat Key controls should primarily be reported on, although some non-key controls may be included if determined appropriate (enhanced reporting) Assess whether the risks are adequately addressed or if more controls are required 29

31 Engagement approach considerations (continued) Concluding on criteria: Operating effectiveness Operational period of the control Need to assess if the controls were in place throughout the entire examination period Periodic controls, need to demonstrate activity in all periods (sampling risk is generally greatest in the most recent period, however for first year reports with a control change, the earliest period has a significant risk) Event based controls should be in place from the period start (example change management, incident reporting) 30

32 Engagement approach considerations (continued) Exceptions Similar treatment, however now we must consider the risk that the criteria may not be met. Tie back to the identified risks Assess whether sufficient compensating controls exists to mitigate the risks, including non-key controls Determine whether the non-key controls should be included in the scope of the report Assess whether something did go wrong as a result of the control exception Even if the exception sample didn t have any impact, it doesn t mean that the criteria was met 31

33 Industry activities Recent KPMG Webcasts

34 Industry activities Recent KPMG Webcasts Webcast Effectively using SOC1, SOC 2 and SOC3 reports for increased assurance over outsourced operations (April 2012) SOC2 reports to address industry requirements for assurance over outsourced operations (October 2012) SOC 2 frequently asked questions (November 2012) Enabling vendor risk and compliance management using SOC2 and SOC 3 reports (July 2013) SOC2, SOC3 in Europe Virtual meeting (February 2014) Link to playback /ArticlesPublications/Documents/PDF/IT- Advisory/SOC2.pdf 33

35 Questions? Matt Tobey

36 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International.