IIA & ISACA Seminar. Service organization control reports: SOC 2/SOC 3 common criteria and new requirements to consider for 2015
IIA & ISACA Seminar
Service organization control reports: SOC 2/SOC 3 common criteria and new requirements to consider for 2015
April 8, 2015
kpmg.com

Contents
- SOC overview
- Summary of SOC 2/SOC 3 principles and criteria
- Overview: trust services principles 2014 revision
- Enhanced SOC 2 reporting: alignment with relevant standards/frameworks
- Scoping considerations
- Industry activities: recent KPMG webcasts
- Questions
SOC overview

Service organization control (SOC) reports

SOC 1
- Scope/focus: Internal control over financial reporting
- Summary: Detailed report for customers and auditors
- Applicability: Focused on financial reporting risks and controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
- Standard: ISAE 3402 (or local equivalent) or SSAE 16

SOC 2
- Scope/focus: Security, availability, processing integrity, confidentiality and/or privacy
- Summary: Detailed report for customers and specified parties
- Applicability: Focused on security, confidentiality, availability, processing integrity and/or privacy. Applicable to a broad variety of systems.
- Standard: AT101 under guidance of AAG-SOP March 2012; ISAE 3000

SOC 3
- Scope/focus: Security, availability, processing integrity, confidentiality and/or privacy
- Summary: Short report that can be generally distributed, with the option of displaying a web site seal (for engagements based on AT101 only)
- Applicability: Same as SOC 2 without disclosing detailed controls and testing. Optionally, the service provider can post a Seal if they receive an unqualified opinion.
- Standard: AT101 under the guidance of TSP100; ISAE 3000 (or local equivalent)

Contrasting SOC 2/SOC 3 and SOC 1 report scope

Required focus
- SOC 2/SOC 3: Operational controls
- SOC 1: ICOFR

Defined scope of system
- SOC 2/SOC 3: Infrastructure; Software; Procedures; People; Data
- SOC 1: Classes of transactions; Procedures for processing and reporting transactions; Accounting records of the system; Handling of significant events and conditions other than transactions; Report preparation for users; Other aspects relevant to processing and reporting user transactions

Control domains covered
- SOC 2/SOC 3: Security, Availability, Confidentiality, Processing integrity, and/or Privacy; principles selected by service provider
- SOC 1: Transaction processing controls; Supporting IT general controls

Level of standardization
- SOC 2/SOC 3: Predefined criteria used rather than control objectives
- SOC 1: Control objectives defined by service provider and may vary depending on the type of service provided

SOC reports for different scenarios

SOC 1 (financial reporting controls)
- Financial services
- Asset management and custody services
- Healthcare claims processing
- Payroll processing
- Payment processing
- Cloud ERP service
- Data center co-location
- IT systems management

SOC 2/SOC 3 (operational controls)
- Cloud-based services (SaaS, PaaS, IaaS)
- HR services
- Security services
- […], collaboration, and communications
- Any service where customers' primary concern is security, availability, or privacy

Diagram: SOC 1 covers financial process and supporting system controls; SOC 2/SOC 3 cover security, availability, confidentiality, processing integrity, and privacy.
Summary of SOC 2/SOC 3 principles and criteria

Principles and criteria topics

Principles vs. criteria?
- Trust services principles are used to describe the overall objective.
- The practitioner's opinion makes reference only to the criteria.
- Criteria are benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter.
- The criteria are supported by controls that, if operating effectively, enable a system to meet the criteria.
- TSP 100 requires the identification of risks that threaten the achievement of the criteria.
- TSP 100 requires a linkage of risks to criteria and of controls to risks.

SOC 2/SOC 3 principles (overview)
- May apply to any type of system, not just financial reporting systems.
- Principles: Security; Availability; Confidentiality; Processing integrity; Privacy

SOC 2/SOC 3 Security principle
- Trust services principle: The system is protected against unauthorized access, use or modification.
- Most commonly requested area of coverage.
- Applicability: The security principle is made up of the common criteria only and does not have additional criteria. Applicable to all outsourced environments, particularly where enterprise customers require assurance regarding the service provider's security controls for any system, nonfinancial or financial.

SOC 2/SOC 3 Availability principle
- Trust services principle: The system is available for operation and use as committed or agreed.
- Applicability: Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering. Most applicable where enterprise customers require assurance regarding processes to achieve system availability SLAs as well as disaster recovery, which could not be covered in an SSAE

SOC 2/SOC 3 Confidentiality principle
- Trust services principle: Information designated as confidential is protected as committed or agreed.
- Applicability: Third most commonly requested area of coverage, particularly where customers want assurance over protecting information provided to the service provider. Most applicable where the customer requires additional assurance regarding the service provider's practices for protecting sensitive business information.

SOC 2/SOC 3 Processing integrity principle
- Trust services principle: System processing is complete, valid, accurate, timely, and authorized.
- Applicability: Potentially applicable for a wide variety of nonfinancial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing.

SOC 2/SOC 3 Privacy principle
- Trust services principle (GAPP): Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA. These principles and criteria were not affected by the TSP 100 update.
- Applicability: Most applicable where the service provider interacts directly with end customers and gathers their personal information. Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program.
Overview: trust services principles 2014 revision

Trust services principles 2014 revision
- The trust services principles and criteria were revised by the AICPA, effective for SOC 2/3 reports with periods ending on or after December 15.
- The criteria were revised to reduce duplication, improve consistency in reporting, and reduce errors.
- A common criteria framework is used for the security, availability, processing integrity, and confidentiality principles.
- Unique, specific criteria are applicable for the availability, processing integrity, and confidentiality principles.
- The criteria are arranged into seven (7) common criteria categories that apply to the security, availability, processing integrity, and confidentiality principles.
- The privacy criteria are currently under revision by the AICPA, and additional guidance will be provided at a later date. Until then, the 2009 version of the generally accepted privacy principles should be used.

SOC 2/SOC 3 report overview: 2014 revision
- The common criteria constitute the complete set of criteria for the security principle, and set the foundation for the availability, processing integrity, and confidentiality principles.
- There are seven common criteria categories, consistent with the COSO framework:
  1. Organization and management
  2. Communications
  3. Risk management and design and implementation of controls
  4. Monitoring of controls
  5. Logical and physical access controls
  6. System operations
  7. Change management

Significant changes: 2014 revision
2009 version of the criteria

Security
- Security policies
- Security awareness and communication
- Risk assessment
- Threat identification
- Information classification
- Logical access
- Physical access
- Security monitoring
- Incident management
- Encryption
- Personnel
- Systems development and maintenance
- Configuration management
- Change management
- Monitoring/compliance

Availability
- Availability policy
- Backup and restoration
- Environmental controls
- Disaster recovery

Confidentiality
- Confidentiality policy
- Confidentiality of inputs, data processing, and outputs
- Information disclosures
- Confidentiality of information in systems development

Processing integrity
- System processing integrity policies
- Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
- Information tracing from source to disposition

Privacy
- Management
- Notice
- Choice and consent
- Collection
- Use and retention
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement

Significant changes: 2014 revision (continued)
2014 version of the criteria

Common criteria (apply to Security, Availability, Confidentiality, and Processing integrity)
- Organization and management
- Communications
- Risk management and design and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management

Additional criteria
- Security: N/A
- Availability: Specific incremental availability criteria
- Confidentiality: Specific incremental confidentiality criteria
- Processing integrity: Specific incremental processing integrity criteria

The privacy criteria continue to maintain a separate criteria structure:
- Management
- Notice
- Choice and consent
- Collection
- Use and retention
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement

Significant changes: 2014 revision (continued)
Summary of major changes

Reorganization of criteria for ease of use
- Reorganized to simplify and remove redundancy between principles

Greater emphasis on risk assessment and internal monitoring
- Added more specific risk assessment criteria
- Added periodic evaluation of design/operating effectiveness of controls
- Added monitoring of vendors for confidentiality

Clarification of various criteria
- Removed listing of required policy topics
- Clarified communication requirements, internal vs. external
- Clarified intent of procedural criteria throughout
- Clarified monitoring criteria
Enhanced SOC 2 reporting: alignment with relevant standards/frameworks

SOC 2 enhanced reporting
- Where there are common customer requirements/requests, it may be beneficial for the service provider to include additional details in the SOC 2 report to demonstrate alignment with one or more relevant standards/frameworks (e.g., ISO 27001, Cloud Security Alliance Cloud Controls Matrix, PCI-DSS, etc.).
- If the referenced standards/frameworks are more detailed than the SOC 2 Trust Services criteria, it may be necessary to include more granular controls within the SOC 2 report to enable a more complete mapping.

SAMPLE: Relation of service provider's controls to <specify standard/framework>

Service provider has developed its controls to align with the <specify standard/framework>. Included below is a mapping of the <specify standard/framework> topics to related service provider controls covered in this report.

Specific topics/requirements from <specify standard/framework> | SOC 2 criteria | Related service provider controls
Sec. […] | […], 1.02 | Control description included.
Sec. […] | […] | Control description included.
Sec. […] | […] | Control description included.

Mapping to ISO 27001:2013 controls

Ref. | Approx. # of requirements | Domain | SOC 2/SOC 3 primary reference
A.5 | 2 | Information security policies | Common
A.6 | 7 | Organization of information security | Common
A.7 | 6 | Human resources security | Common
A.8 | 10 | Asset management | Common
A.9 | 14 | Access control | Common
A.10 | 2 | Cryptography | Common
A.11 | | Physical and environmental security | Common
A.12 | | Operations security | Common
A.13 | 7 | Communications security | Common
A.14 | | System acquisition, development, and maintenance | Common
A.15 | 5 | Supplier relationships | Common
A.16 | 7 | Information security incident management | Common
A.17 | 4 | Information security aspects of business continuity management | Availability
A.18 | 8 | Compliance | Common
Total | 114 | |

An enhanced SOC 2 report can show how the service provider's SOC 2 controls to achieve the common and availability criteria align with the ISO 27001:2013 control objective topics.

Mapping to CSA cloud controls matrix (CCM) v3.0

Ref. | Approx. # of requirements | Domain | SOC 2/SOC 3 primary reference
AIS | 4 | Application & interface security | Common/Integrity
AAC | 3 | Audit assurance & compliance | Common
BCR | 11 | Business continuity management & operational resilience | Availability
CCC | 5 | Change control & configuration management | Common/Availability
DSI | 7 | Data security & information lifecycle management | Common/Confidentiality/Integrity
DSC | 9 | Datacenter security | Common/Confidentiality/Availability
EKM | 4 | Encryption & key management | Common/Confidentiality
GRM | 11 | Governance and risk management | Common/Confidentiality
HRS | 11 | Human resources | Common
IAM | 13 | Identity & access management | Common
IVS | 13 | Infrastructure & virtualization security | Common/Availability
IPY | 5 | Interoperability & portability | None identified
MOS | 20 | Mobile security | None identified
SEF | 5 | Security incident management, e-discovery & cloud forensics | Common/Confidentiality/Availability/Integrity
STA | 9 | Supply chain management, transparency and accountability | Common/Confidentiality/Availability
TVM | 3 | Threat and vulnerability management | Common
Total | 133 | |

An enhanced SOC 2 report can show how the service provider's SOC 2 controls to achieve the common, integrity, availability, and confidentiality criteria align with the CSA CCM v3.0 requirements.

Mapping to PCI data security standard (DSS) v3.0

Ref. | Approx. # of requirements | Domain | SOC 2/SOC 3 primary reference
1 | 23 | Firewall | Common
2 | 12 | System passwords | Common
3 | 22 | Protect stored cardholder data | Common
4 | 4 | Encryption | Common
5 | 6 | Antivirus | Common
6 | 28 | Development and maintenance | Common
7 | 10 | Access restrictions | Common
8 | 23 | Unique IDs | Common
9 | 27 | Physical access | Common
10 | | Monitoring | Common
11 | | Testing | Common
12 | | Security policy | Common
Total | 242 | |

An enhanced SOC 2 report can show how the service provider's SOC 2 controls to achieve the common criteria align with the PCI DSS v3.0 requirements.
Scoping considerations

Typical SOC 2/SOC 3 scoping considerations
- Services/applications provided
- Supporting infrastructure
- Locations
- Subservice providers
- Applicable principles
- Enhanced reporting: inclusion of other information regarding alignment with other standards/frameworks

Criteria approach
Criteria specific: each criterion should be treated like a SOC 1 control objective.
- Identify the threats that may cause the criterion to not be met (while some will be similar for all clients, some may vary significantly based on the service offered, customer agreements, and industry).
- Identify the key controls that address those threats (some controls may be non-key across each criterion for the principle(s), and judgment should be applied to determine if removal of orphaned controls is needed).
- This requirement may reveal material gaps in a service organization's ability to meet the principle.
- Perform this exercise early in the planning phase to avoid material gaps.

Engagement approach considerations
Concluding on criteria: suitability of design
- Appropriateness of controls based on service, industry, and customer commitments
- Need to gain an understanding of the commitments to the users of the system
- While many controls will apply to nearly all service providers, some will vary based on the service offered and the industry the service organization is serving
- Threat inventory and determination of whether a control is a key control
- Key controls may work in tandem, and multiple key controls may be required to adequately address the threat
- Key controls should primarily be reported on, although some non-key controls may be included if determined appropriate (enhanced reporting)
- Assess whether the risks are adequately addressed or if more controls are required

Engagement approach considerations (continued)
Concluding on criteria: operating effectiveness
- Operational period of the control: need to assess whether the controls were in place throughout the entire examination period
- Periodic controls need to demonstrate activity in all periods (sampling risk is generally greatest in the most recent period; however, for first-year reports with a control change, the earliest period carries a significant risk)
- Event-based controls should be in place from the period start (for example, change management, incident reporting)

Engagement approach considerations (continued)
Exceptions
- Similar treatment; however, now we must consider the risk that the criteria may not be met.
- Tie back to the identified risks.
- Assess whether sufficient compensating controls exist to mitigate the risks, including non-key controls.
- Determine whether the non-key controls should be included in the scope of the report.
- Assess whether something did go wrong as a result of the control exception.
- Even if the exception sample didn't have any impact, it doesn't mean that the criteria were met.
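To make the criteria approach and engagement considerations above concrete, the following Python script is an added example (not KPMG's or the AICPA's material) that models the risk-to-criteria and control-to-risk linkage TSP 100 requires and runs the planning checks the slides describe: criteria with no identified threat, risks with no key control (a material gap), orphaned controls, periodic and event-based controls across the examination period, and compensating controls for an exception. Every criteria label, risk, control and date below is constructed sample data; the criteria labels only echo the common criteria categories and are not real TSP 100 identifiers.

```python
"""SOC 2 criteria-approach planning checks (added example; constructed data only)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    criteria: frozenset  # criteria this threat could cause to be unmet


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    key: bool                  # key control; non-key controls are candidates for enhanced reporting
    risks: frozenset           # risk ids the control addresses
    kind: str                  # "periodic" (runs on a schedule) or "event" (triggered by an event)
    evidence: tuple = ()       # dates on which a periodic control demonstrably operated
    in_place_from: Optional[date] = None  # first date an event-based control was in place


def criteria_without_risk(criteria, risks):
    """Criteria with no identified threat: the risk-to-criteria linkage is missing."""
    return set(criteria) - set().union(*(r.criteria for r in risks))


def material_gaps(risks, controls):
    """Risks addressed by no key control; each one can leave its criteria unmet."""
    addressed = set().union(*(c.risks for c in controls if c.key))
    return {r.id for r in risks if r.id not in addressed}


def orphaned_controls(risks, controls):
    """Controls mapped to no risk in the inventory; judgment decides whether to drop them."""
    known = {r.id for r in risks}
    return {c.id for c in controls if not (c.risks & known)}


def _months_between(start, end):
    """Number of calendar months from start through end, inclusive."""
    return (end.year - start.year) * 12 + end.month - start.month + 1


def periodic_gaps(control, start, end, bucket_months=3):
    """Start dates of sub-periods (quarters by default) in which a periodic control shows no activity."""
    buckets = -(-_months_between(start, end) // bucket_months)  # ceiling division
    seen = {(_months_between(start, d) - 1) // bucket_months
            for d in control.evidence if start <= d <= end}
    gaps = []
    for i in range(buckets):
        if i not in seen:
            month0 = start.month - 1 + i * bucket_months  # zero-based month offset from period start
            gaps.append(date(start.year + month0 // 12, month0 % 12 + 1, 1))
    return gaps


def event_control_late(control, start):
    """True when an event-based control was not in place from the start of the examination period."""
    return control.kind == "event" and (control.in_place_from is None or control.in_place_from > start)


def compensating_controls(failed, controls):
    """For an exception on `failed`, the other controls (key or non-key) addressing each of its risks."""
    return {rid: sorted(c.id for c in controls if c.id != failed.id and rid in c.risks)
            for rid in sorted(failed.risks)}


# Constructed sample engagement; criteria labels are placeholders, not real TSP 100 identifiers.
START, END = date(2015, 1, 1), date(2015, 12, 31)
CRITERIA = {"CC-access", "CC-change", "CC-monitoring", "A-availability"}
RISKS = [
    Risk("R1", "Unauthorized access to production systems", frozenset({"CC-access"})),
    Risk("R2", "Unapproved change reaches production", frozenset({"CC-change"})),
    Risk("R3", "Data center outage breaches the availability SLA", frozenset({"A-availability"})),
]
CONTROLS = [
    Control("C1", "Quarterly user access review", True, frozenset({"R1"}), "periodic",
            evidence=(date(2015, 2, 10), date(2015, 5, 5), date(2015, 11, 20))),  # no Q3 evidence
    Control("C2", "Change approval before deployment", True, frozenset({"R2"}), "event",
            in_place_from=date(2015, 2, 1)),                                      # started after period start
    Control("C3", "Multi-factor authentication for administrators", False, frozenset({"R1"}), "event",
            in_place_from=date(2015, 1, 1)),
    Control("C4", "Backup restore test", False, frozenset({"R3"}), "periodic",
            evidence=(date(2015, 3, 1), date(2015, 6, 1), date(2015, 9, 1), date(2015, 12, 1))),
    Control("C5", "Clean desk policy acknowledgement", False, frozenset({"R9"}), "event",
            in_place_from=date(2015, 1, 1)),                                      # R9 is not in the inventory
]


def run_planning_checks():
    """Run every check the slides describe over the sample engagement and return the findings."""
    by_id = {c.id: c for c in CONTROLS}
    return {
        "criteria_without_risk": criteria_without_risk(CRITERIA, RISKS),
        "material_gaps": material_gaps(RISKS, CONTROLS),
        "orphaned_controls": orphaned_controls(RISKS, CONTROLS),
        "periodic_gaps": {c.id: periodic_gaps(c, START, END) for c in CONTROLS if c.kind == "periodic"},
        "event_controls_late": {c.id: event_control_late(c, START) for c in CONTROLS if c.kind == "event"},
        "compensating_for_C1": compensating_controls(by_id["C1"], CONTROLS),
    }
```

Running `run_planning_checks()` on the sample data reports the missing threat for CC-monitoring, R3 as a material gap (only a non-key control addresses it), C5 as orphaned, a Q3 evidence gap for C1, C2 as in place only from February, and C3 as the compensating control if C1 has an exception.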
Industry activities: recent KPMG webcasts

Webcasts
- Effectively using SOC 1, SOC 2 and SOC 3 reports for increased assurance over outsourced operations (April 2012)
- SOC 2 reports to address industry requirements for assurance over outsourced operations (October 2012)
- SOC 2 frequently asked questions (November 2012)
- Enabling vendor risk and compliance management using SOC 2 and SOC 3 reports (July 2013)
- SOC 2, SOC 3 in Europe: virtual meeting (February 2014)

Link to playback: /ArticlesPublications/Documents/PDF/IT-Advisory/SOC2.pdf

Questions?
Matt Tobey

2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.
More informationSOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships
Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationThe Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011
The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402
More informationCloud Computing An Internal Audit Perspective Institute of Internal Auditors Topeka Chapter
Cloud Computing An Internal Audit Perspective Institute of Internal Auditors Topeka Chapter Bernard Wieger, Partner Cassie Meschke, Senior Manager December 6, 2011 Discussion Agenda Introduction to cloud
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationHIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting
More informationStratusLIVE for Fundraisers Cloud Operations
6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationSecuring The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
More informationSTORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM
STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationCloud Computing An Internal Audit Perspective. Heather Paquette, Partner Tom Humbert, Manager
Cloud Computing An Internal Audit Perspective Heather Paquette, Partner Tom Humbert, Manager March10 2011 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationThe Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
More informationCloud Computing: Risks and Auditing
IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG
More informationHIPAA in the Cloud How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationCloud Risk Management and Audit
Cloud Risk Management and Audit Sukumar Nayak, CTO Cloud Services Integration & Automation Leader Date Created: 01/27/2014 Date last updated: 03/15/2015 Objective: Provide an overview of Cloud Risk Management
More informationAnypoint Platform Cloud Security and Compliance. Whitepaper
Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.
More informationKeeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?
Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies
More informationCOSO Internal Control Integrated Framework (2013)
COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)
More informationOverview of Topics Covered
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationCLOUD MIGRATION. Celina Alexandre M6807
CLOUD MIGRATION M6807 S Content 1. Introduction 2. Methodology 3. Requirements Definition Phase 3.1. Strategy 3.2. Knowledge 06/05/15 2 Content 4. Analysis Phase 4.1. Aplications and Systems 4.2. Development
More informationCloud Security Trust Cisco to Protect Your Data
Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive
More informationVendor Management Best Practices
23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion
More informationThird party assurance services
TECHNOLOGY RISK SERVICES Third party assurance services Delivering assurance over your service providers The current third party service provider environment Corporate UK has been transformed in recent
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationCloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter
Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationTime to Value: Successful Cloud Software Implementation
Time to Value: Successful Cloud Software Implementation Cloud & Data Security 2015 Client Conference About the Presenter Scott Schimberg, CPA, CMA Partner, Consulting, Armanino Scott became a Certified
More informationKey Considerations of Regulatory Compliance in the Public Cloud
Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,
More informationSecurity, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32
Security, Compliance & Risk Management for Cloud Relationships Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Introductions & Poll Organization is leveraging the Cloud? Organization
More informationService Organization Control (SOC) reports What are they?
Service Organization Control (SOC) reports What are they? Jeff Cook, CPA, CITP, CIPT, CISA June 2015 Introduction Service Organization Control (SOC) reports are on the rise in the IT assurance and compliance
More informationUnderstanding ISO 27018 and Preparing for the Modern Era of Cloud Security
Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Presented by Microsoft and Foley Hoag LLP s Privacy and Data Security Practice Group May 14, 2015 Proposal or event name (optional)
More informationEnsuring Cloud Security Using Cloud Control Matrix
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring
More informationSHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE
SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE The Shared Assessments Trust, But Verify Model The Shared Assessments Program Tools are used for managing the vendor risk
More informationSecuring the Microsoft Cloud
Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from
More informationHIPAA Compliance and Reporting Requirements
Healthcare IT Assurance Peace of Mind Through Privacy and Security Risk Management By Dan Schroeder, CPA, MBA, CISA, CIA, PCI QSA, CISM, CIPP/US Dan.schroeder@hawcpa.com BRIEF CONTENTS HCIT IMPROVES THE
More informationCloud Computing Governance & Security. Security Risks in the Cloud
Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud
More informationAuditing Cloud Computing and Outsourced Operations
Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls
More informationQualification Guideline
Qualification Guideline June 2013 Disclaimer: This document is meant as a reference to Life Science companies in regards to the Microsoft O365 platform. Montrium does not warrant that the use of the recommendations
More informationGovernance and Control in the Cloud. Infrastructure as a Service
1 Governance and Control in the Cloud Infrastructure as a Service Cows 2 The Triumph of the Utility 3 Our Discussion 4 How we ll talk about Governance and Controls today Not an IT-assurance methodology
More informationSecurity Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationG24 - SAS 70 Practices and Developments Todd Bishop
G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS
More informationThe Information Systems Audit
November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated
More information