SOC2 s role in assurance on outsourcers
|
|
- Juliet Allison
- 7 years ago
- Views:
Transcription
1 SOC2 s role in assurance on outsourcers Mark Russell, EY 5 September 2014
2 Agenda What is SOC2? What does SOC2 give users? Why SOC2? Current market trends How does SOC2 fit with other assurance tools? Experiences around SOC2 Page 1
3 What is SOC2? Owned by American Institute of Certified Public Accountants (AICPA) Designed to provide information on processes and controls at a service organisation, together with an independent service auditor s opinion Processes do not have to be related to financial statement processing unlike SOC1 (ISAE3402 / SSAE16) Based around Principles and Criteria so more of a checklist approach than SOC1 Criteria re-ordered in early Page 2
4 What is SOC2? Trust Services Principles Security Availability Confidentiality Privacy Processing Integrity Must select Common Criteria effectively Security Then add any others you think should be included Must then address ALL criteria for the selected Principles Type 1 design Type 2 operating effectiveness Page 3
5 What is SOC2? System Processing Integrity Security Availability Confidentiality Privacy Scope of SOC1 (AT 801) Scope of SOC 2 and SOC 3 (Trust Services Criteria) Users: User entity controller User entity SOX dept. User auditor Users: User entity security User entity compliance User entity vendor mgmnt Regulators Prospective user entities Users: Anyone Page 4
6 What does SOC2 give users? Management Assertion Independent service auditor s report Description fairly presents the in scope services Controls suitable designed to meet in scope criteria Controls have operated effectively to deliver criteria (Type 2) Description of System Description of Controls, Tests and Results of Tests Page 5
7 What does SOC2 give users? In one word, SOC2 provides INFORMATION Independent assurance on what the service organisation is doing Clear explanation of what was tested, how, so you can assess the relevance of the audit work to your requirements Information on processes and controls so you can better understand what the service organisation is doing Assurance over a defined period of time (Type 2) Page 6
8 Why SOC2? Can cover non financial processes Independent assurance Covers areas not covered by some other standards Availability / Privacy / Confidentiality not explicitly / extensively covered in SOC1 Privacy / Confidentiality not explicitly / extensively covered in ISO SOC2 is more easily tailored to a company s existing control environment Users can more easily benchmark vendors since all must report against the same criteria Page 7
9 How does SOC2 fit with other assurance standards? Map criteria to other frameworks ISO Cloud Security Alliance NIST One set of work can support multiple reports / opinions SOC2 testing is typically thorough and wide-ranging SOC2 Type 2 also covers period of time Page 8
10 Experiences around SOC2 what makes a successful project? Clear understanding of what the users want from the report is SOC2 the right answer? Clear understanding of who does what and how it is recorded i.e. what actually happens, not what is in the procedure manual Single point of contact for the service auditor Understands the service delivery teams Can get things done Pay the service auditor to produce the Description of System Expect deviations and allow time to investigate them Page 9
11 Experiences around SOC2 market reaction Definite increase in demand in Driven by checklist approach Also, availability is seen as better covered Also looking at multiple reports from one set of work SOC1 / SOC2 / SOC3 / HIPAA / ISO27001 Increasing understanding of SOC2 v. SOC1 Your experiences? Page 10
12 Useful links AICPA links for service organisations looking at SOC reports Pages/SOCToolkit_ServiceOrgs.aspx CSA whitepaper on SOC reports in the cloud ohttp:// services/downloadabledocuments/csa-position-paper-onaicpa-service-organization-control-reports.pdf AWS example of presenting certifications to users Page 11
13 Thank you Claus Hansen Mark Russell
14 Disclaimer The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice. Accordingly, Ernst & Young LLP accepts no responsibility for loss arising from action taken or not taken by any party using this information. The information will have been supplemented by matters arising from any oral presentation by us, and should be considered in light of this additional information. If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further. Page 13
15 EY Assurance Tax Transactions Advisory Ernst & Young LLP Ernst & Young LLP. Published in the UK. All Rights Reserved. The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC and is a member firm of Ernst & Young Global Limited. Ernst & Young LLP, 1 More London Place, London, SE1 2AF. ey.com
Cybersecurity and the AICPA Cybersecurity Attestation Project
Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force 2 October 2015 Increasing awareness of cybersecurity
More informationService Organization Control (SOC) Reports
Service Organization Control (SOC) Reports Transitioning from SAS 70 to SSAE 16 Deloitte & Touche LLP Agenda Overview SAS 70/SSAE 16 Historical Perspective The New Framework Under SSAE 16 (SOC 1) Impact
More informationGoodbye, SAS 70! Hello, SSAE 16!
Goodbye, SAS 70! Hello, SSAE 16! A Session to Provide Insight on the New Standard and What Service Providers and End-Users Need to Know January 3, 2012 Agenda Introduction Background on what was SAS 70
More informationSERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports SAS No. 70, Service Organizations Standard for reporting on a service organization s controls affecting user entities financial statements
More informationCSA Position Paper on AICPA Service Organization Control Reports
CSA Position Paper on AICPA Service Organization Control Reports February 2013 2013, Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link
More informationService Organization Control Reports
SAS 70 ENDS EXIT TO SSAE 16 Service Organization Control Reports What Did We Learn from Year One? Agenda Definitions Service Organization Reports What are they? Year One Experiences SSAE 16 Year One Experiences
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationTIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization
November 2011 AICPA Technical Practice Aids TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization.01 New Standards for Service Auditors and User Auditors Inquiry Did the issuance
More informationCertification of claims and returns annual report 2013-14
Certification of claims and returns annual report 2013-14 Fareham Borough Council February 2015 Ernst & Young LLP Ernst & Young LLP 1 More London Place London SE1 2AF Tel: + 44 20 7951 2000 Fax: + 44 20
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationService Organizations and the Internal Audit function. 2015 conference Institute of Internal Auditors in Israel
Service Organizations and the Internal Audit function 2015 conference Institute of Internal Auditors in Israel Proprietary This work product/document is intended solely for the information and use of the
More informationSSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards
A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More informationProtecting your brand in the cloud Transparency and trust through enhanced reporting
Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business
More informationIT architecture in a cloudified IT organization. Sander Schouten / Richard Bussink Nov, 2012
IT architecture in a cloudified IT organization Sander Schouten / Richard Bussink Nov, 2012 Ernst & Young Advisory Performance Technologies Strategy Business performance Enabled by Business Performance-
More informationSAS No. 70, Service Organizations
SAS No. 70, Service Organizations A standard for reporting on a service organization s controls affecting user entities' financial statements. Only for use by service organization management, existing
More informationG24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP
G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP Audits of controls at a service organization Roadmap to the
More informationSUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR
SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR Michael de Crespigny, CEO Information Security Forum Session ID: GRC R02B Session Classification: General Interest KEY ISSUE Our
More informationFeeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com. Visit us on the web: www.fdcpa.com Or Call: 888-875-9770
Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants www.fdcpa.com SAS 70 Background 2 SAS No. 70 Reports on the Processing of Transactions by Service Organizations Independent examination
More informationThe Future Distribution Landscape TISA. Malcolm Kerr March 21st 2013
The Future Distribution Landscape TISA Malcolm Kerr March 21st 2013 RDR is opening up an advice gap for mass market and mass affluent customers, with new D2C propositions being developed to address this
More informationSSAE 16 Everything You Wanted To Know But Are Afraid To Ask. Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011
SSAE 16 Everything You Wanted To Know But Are Afraid To Ask Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011 1 Agenda SAS 70 Misunderstood and Overused o Why the change? SSAE
More informationEPCS Third party audits the CPA perspective. 13 September 2012
EPCS Third party audits the CPA perspective 13 September 2012 Agenda Introduction History Report review Audit process Moving forward Introduction 1311.300 Application provider requirements Third-party
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationReports on Service Organizations Where we ve been?
Reports on Service Organizations Where we ve been? What s changing? How does this impact Internal Audit? Eric Wright Shareholder Frank Dezort Senior Manager Schneider Downs & Co., Inc. May 2, 2011 Overview
More informationMobile computing. Does your organisation have any safe options? The better the question. The better the answer. The better the world works.
Mobile computing Does your organisation have any safe options? The better the question. The better the answer. The better the world works. The big picture The mobile security risk surface Devices Jailbreak
More informationThe Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011
The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011 Table of Contents A Short History of SAS 70 Overview of SSAE 16 and ISAE 3402
More informationFAQs New Service Organization Standards and Implementation Guidance
FAQs New Service Organization Standards and Implementation Guidance During the past two years several significant changes have occurred in audit and attest standards for reporting on controls at service
More informationLogically Securing a Public Cloud Service
SESSION ID: CIN-W07 Logically Securing a Public Cloud Service Tim Mather CISO Cadence Design Systems @mather_tim Disclaimer: AWS (Amazon Web Services) is referenced in this presentation extensively, only
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers
Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationUnderstanding ISO 27018 and Preparing for the Modern Era of Cloud Security
Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security Presented by Microsoft and Foley Hoag LLP s Privacy and Data Security Practice Group May 14, 2015 Proposal or event name (optional)
More informationAnypoint Platform Cloud Security and Compliance. Whitepaper
Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.
More informationService Organization Controls. Managing Risks by Obtaining a Service Auditor s Report
Service Organization Controls Managing Risks by Obtaining a Service Auditor s Report Contributing Authors Audrey Katcher, CPA/CITP, Partner at RubinBrown, LLP Janis Parthun, CPA/CITP, Sr. Technical Manager
More informationHot Topics in IT. CUAV Conference May 2012
Hot Topics in IT CUAV Conference May 2012 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationCloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week
Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions
More informationModelling for Project Finance. Training course outline
Modelling for Project Finance Training course outline Overview This course aims to provide participants with a thorough understanding of how to build a robust financial model from start to finish. Calculations
More informationFrequently asked questions: SOC 2 and 3
1. Is the licensing requirement for a SOC 2 or 3 different than for a SOC 1? SOC reports are attestation reports issued in accordance with AICPA standards. Therefore, licensing requirements are the same
More informationRobert Brammer. Senior Advisor to the Internet2 CEO rfbtech@internet2.edu. Internet2 NET+ Security Assessment Forum. 8 April 2014
Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014 INTERNET2 NET+ Security Initiative Primary objective -- develop guidance to
More informationSOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS
SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS Jeff Cook November 2015 Summary Service Organization Control (SOC) reports (formerly SAS 70 or
More informationBrighton and Sussex University Hospital NHS Trust
Brighton and Sussex University Hospital NHS Trust Year Ending 31 March 2013 Annual Audit Letter July 2013 Ernst & Young LLP Executive summary Ernst & Young LLP 1 More London Place London SE1 2AF Tel: +44
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationMonitoring Outside Service Providers, Part III: SAS 70 Updates
Monitoring Outside Service Providers, Part III: SAS 70 Updates Richard F. Fischer, CPA Louis Plung & Company, LLP richard.fischer@louisplung.com 412-281-8771 CHANGES TO SAS 70 SERVICE ORGANIZATIONS: Statement
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationUnderstanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016
Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we
More informationSSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch
SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,
More informationOrchestrating the New Paradigm Cloud Assurance
Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationWeighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers
Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationglobal solutions risk advisory services
global solutions risk advisory services who are we? PKF is a global family of legally independent firms bound together by a shared commitment to quality, integrity and the creation of clarity in a complex
More informationService Organization Controls. Managing Risks by Obtaining a Service Auditor s Report
Service Organization Controls Managing Risks by Obtaining a Service Auditor s Report Contributing Authors Audrey Katcher, CPA, CITP, Partner at RubinBrown, LLP Janis Parthun, CPA, CITP, Sr. Technical Manager
More informationAt a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.
At a glance While there are some differences, SAS 70 and SSAE 16 are substantially the same. SAS 70 is an audit standard while SSAE 16 is an attest standard. Out with the old SAS 70 and in with the new
More informationThird party assurance services
TECHNOLOGY RISK SERVICES Third party assurance services Delivering assurance over your service providers The current third party service provider environment Corporate UK has been transformed in recent
More informationService Organization Control (SOC) reports What are they?
Service Organization Control (SOC) reports What are they? Jeff Cook, CPA, CITP, CIPT, CISA June 2015 Introduction Service Organization Control (SOC) reports are on the rise in the IT assurance and compliance
More informationCONTENT OUTLINE. Background... 3 Cloud Security... 3. Instance Isolation:... 4. SecureGRC Application Security... 5
Page 2 Disclaimer THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF THE LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET
More informationTHE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT
THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT White Paper www.a3freightpayment.com THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT Introduction An essential element
More informationAbout the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives
SaaS / Cloud Computing Risk Management AICPA Attest Alternatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter
More informationpayroll services BUSINESS SERVICES AND ACCOUNTING
payroll services BUSINESS SERVICES AND ACCOUNTING payroll services How effective is the operation of your payroll? Are you up to date on your regulatory requirements? BDO s Payroll Team helps clients negotiate
More informationInformation Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy
Information Security ISO Standards Feb 11, 2015 Glen Bruce Director, Enterprise Risk Security & Privacy Agenda 1. Introduction Information security risks and requirements 2. Information Security Management
More informationHIPAA Compliance and Reporting Requirements
Healthcare IT Assurance Peace of Mind Through Privacy and Security Risk Management By Dan Schroeder, CPA, MBA, CISA, CIA, PCI QSA, CISM, CIPP/US Dan.schroeder@hawcpa.com BRIEF CONTENTS HCIT IMPROVES THE
More informationBaker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated
More informationEnd of the SAS 70 Era
End of the SAS 70 Era For years businesses that outsource have relied on SAS 70 reports on the internal controls of third party providers. The standard for those reports is changing. New Standards Replacing
More informationCustomer-Facing Information Security Policy
Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security
More informationCompliance Risk Management IT Governance Assurance
Compliance Risk Management IT Governance Assurance Sigma Technology Partners offers its clients number of assurance services including SAS 70 Type I and SAS 70 Type II audits. Our team of CPA s, CISA s
More informationAccelerating your financial close arrangements
Accelerating your financial close arrangements EY Think Piece Contents at a glance Local government accounting, auditing and governance preserving quality financial reporting in light of the new reporting
More informationOUTSOURCING AND SERVICE AUDITOR S REPORTS
OUTSOURCING AND SERVICE AUDITOR S REPORTS FREEDOM TO DO BUSINESS Outsourcing and service Auditor s Reports 3 OUTSOURCING AND SERVICE AUDITOR S REPORTS SERVICE AUDITOR S REPORTS ARE GROWING IN IMPORTANCE,
More informationIs it Time to Look at an Ektron Managed Cloud Strategy? Copyright 2014 Ektron, Inc.
Is it Time to Look at an Ektron Managed Cloud Strategy? Agenda 1. Introductions 2. This Session 3. Real Life Stories 4. Ektron s Managed Cloud and Managed Services Managed Cloud Managed Services 5. Customer
More informationWELCOME TO SECURE360 2013
WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?
More informationHans Bos Microsoft Nederland. hans.bos@microsoft.com
Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party
More informationCloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University
Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationSECURITY AND EXTERNAL SERVICE PROVIDERS
SECURITY AND EXTERNAL SERVICE PROVIDERS How to ensure regulatory compliance and manage risks with Service Organization Control (SOC) Reports Jorge Rey, CISA, CISM, CGEIT Director, Information Security
More informationOFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:
More informationRevisorns syn på ISO 27000- serien och SAS 70
Revisorns syn på ISO 27000- serien och SAS 70 Rätt Säkerhet 2009 Andreas Halvarsson 25 maj, 2009 What is SAS 70 AICPA STANDARDS The AICPA s Statement on Auditing Standards No. 70 Service Organizations
More informationVendor Compliance Management Series: Performing an Effective Risk Assessment
Vendor Compliance Management Series: Performing an Effective Risk Assessment Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must
More informationSOC 3 for Security and Availability
SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2014 through September 30, 2015 Independent SOC 3 Report for the Security and Availability Trust
More informationBECOME A SMARTER CLOUD CONSUMER
Kurt Hagerman Chief Information Security Officer BECOME A SMARTER CLOUD CONSUMER Ripping through the Rhetoric to Find Your Cloud & Control Your Risk 05/18/2015 ABOUT KURT HAGERMAN Kurt Hagerman Chief Information
More informationHow To Be A Successful Compliance Officer
: A Pragmatic Approach to SOC2 and PCI compliance The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:
More informationGRC Stack Research Sponsorship
GRC Stack Research Sponsorship Overview Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary
More informationSupply Chains In Practice Networking Event
Shaping the Future Supply Chains In Practice Networking Event Data Driven SCM Big Data for Big Breakthroughs 16 th June 2015 Explore from 3 perspectives 1. Landscape overview Matthew 2. Enabling the data
More informationcloud accounting FACTS AND FICTION
cloud accounting FACTS AND FICTION WHAT IS THE CLOUD? Everyone has heard of the cloud but many people are still unsure of what it is and how it works. Cloud computing is simply when data and programmes
More informationSSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report
Presenting a live 110 minute teleconference with interactive Q&A SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report WEDNESDAY,
More informationWhite Paper How Noah Mobile uses Microsoft Azure Core Services
NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah
More informationCharity Audit Committee performance evaluation Self assessment checklist. October 2014
Charity Audit Committee performance evaluation Self assessment checklist October 2014 With increasing responsibilities and complexities, being a member of the Audit Committee has never been more challenging
More informationTop 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World
Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationASSESSMENT REPORT 13 19. Federal PKI Compliance Report September 6, 2013
ASSESSMENT REPORT 13 19 Federal PKI Compliance Report September 6, 2013 Date September 6, 2013 To Chief Information Officer From Inspector General Subject Assessment Report Federal PKI Compliance Report
More informationIIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc.
IIA Conference September 18, 2015 Paige Needling Director, Global Information Security Recall, Inc. IT SECURITY UMBRELLA Compliance for IT Data Privacy Protection Privacy Risk Assessment Vulnerability
More informationIAASB Main Agenda (June 2010) Agenda Item. April 28, 2009
Agenda Item 8-B Statement of Position 09-1 April 28, 2009 Performing Agreed-Upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-Tagged Data Issued Under the Authority
More informationUnderstanding Vendor Risk And Analyzing the SSAE No. 16
Understanding Vendor Risk And Analyzing the SSAE No. 16 Accelerate your Credit Union s Performance June 19, 2014 AUSTIN, TEXAS www.cuaccelerator.com Agenda Vendor Management Key Outsourcing Risk Areas
More informationInternal Audit at the University of Cambridge.
Internal Audit at the University of Cambridge. Contents Introduction to Deloitte 1 Our team 2 What is Internal Audit? 4 Our approach to Internal Audit 5 Authority and reporting lines 7 Planning 8 Ad Hoc
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationSECTION I INDEPENDENT SERVICE AUDITOR S REPORT
SOC2 Security Report on Controls Supporting DriveSavers Services Independent Service Auditor s Report on Design of Controls Placed in Operation and Tests of Operational Effectiveness Relevant to Security
More informationESET Secure Authentication
ESET Secure Authentication Second factor authentication and compliance Document Version 1.2 6 November, 2013 www.eset.com ESET Secure Authentication - second factor authentication and compliance 2 2 Summary
More informationINTRODUCTION TO ISO 9001 REVISION - COMMITTEE DRAFT
INTRODUCTION TO ISO 9001 REVISION - COMMITTEE DRAFT AGENDA Introduction Annex SL Changes to ISO 9001 Future Development How SGS can support you 2 INTRODUCTION ISO 9001 Revision Committee Draft Issued 2013
More informationD-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV
D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV September 2013 Contents 1 Service Overview 1 2 Detailed Service Description 4 3 Commercials 8 4 Our
More informationThe Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach
The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationInformation Commissioner's Office
Information Commissioner's Office Internal Audit 2013-14: Follow up Last updated 4 July 2014 Distribution For action Senior Corporate Governance Manager Timetable Fieldwork completed 21 May 2014 Draft
More information