Understanding changes to the Trust Services Principles for SOC 2 reporting

Transcription

1 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting

2 Agenda SOC 2 defined and clarified Changes to the Trust Services Principles 2

3 SECTION 1 SOC 2: DEFINED AND CLARIFIED 3

4 SOC Framework SOC 1 (Service organization control 1) SOC 2 (Service organization control 2) SOC 3 (Service organization control 3) Applicable to services that are likely to be relevant to user entities internal control over financial reporting Applicable to services that don t directly impact financial reporting Applicable to services that don t directly impact financial reporting Reports on controls supporting financial statement audits Reports on controls related to operations Reports on controls related to operations Restricted to customers during the audit period Restricted to those familiar with the subject matter General use report Example organizations: payroll processors, transaction processors Example organizations: Direct mailers, call centers Example organizations: Direct mailers, call centers 4

5 Trust services What are trust services ( TS )? A set of professional attestation and advisory services» based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Consists of five key components organized to achieve a specified objective. 5

6 Key components of trust services Infrastructure > The physical and hardware components of a system (facilities, equipment, and networks) Software > The programs and operating software of a system (systems, applications, and utilities) People > The personnel involved in the operation and use of a system (e.g. developers, operators, users, and managers) Procedures > The programmed and manual procedures involved in the operation of a system (automated or manual) Data > The information used and supported by a system (e.g. transaction streams, files, databases, and tables) 6

7 Trust services principles and criteria (cont.) Principles Objectives Privacy Security Security Availability The protection of the system from unauthorized access, both logical and physical The accessibility to the system, products, or services as advertized or committed by contact, service-level, or other agreements Confidentiality Availability Processing integrity The completeness, accuracy, validity, timeliness, and authorization of system processing Processing integrity Confidentiality Privacy The system s ability to protect the information designated as confidential, as committed or agreed Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice 7

8 Previous Structure of the Trust Services Principles and Criteria Previous Structure > Security, Availability, Processing Integrity and Confidentiality were previously subdivided into common domains: Policies Communication Procedures Monitoring A lot of overlap built into the criteria > 51 unique criteria across security, availability, processing integrity, confidentiality > Separate criteria specific to privacy to be revised at a later date 8

9 Redesigned Structure of the Trust Services Principles and Criteria Redesigned Structure > As a result of the overlaps, criteria applicable to all four principles has been placed together as common criteria organized into the following categories: Organization and management Communications Risk management and design implementation of controls Monitoring of controls Logical and physical access controls System operations Change management > Additional criteria specific to Availability, Processing Integrity and Confidentiality > Separate criteria specific to privacy to be revised at a later date 9

10 CC1.0 Common criteria organization management CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the system enabling it to meet its commitments and requirements as the relate to [insert in scope principles. Criteria is new and was not covered previously CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity s system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation. Previously fell under S1.3, A1.3, I1.3, and C1.3 CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert in scope principles] have the qualifications and resources to fulfill their responsibilities. Previously fell under S3.11, A3.14, I3.15, C3.17 CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert in scope principles]. Previously fell under S3.11, A3.14, I3.15, C

11 CC2.0 Common criteria communications Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized CC2.1 Previously fell under S2.1, A2.1, I2.1, C2.1 internal and external system users to permit users to understand their role in the system and the results of system operation. The entity s [insert in scope principles] commitments are communicated to external users, as appropriate, and those commitments and the associated Previously fell under S2.2 A2.2, I2.2, C2.2 CC2.2 system requirements are communicated to internal system users to enable them to carry out their responsibilities. The entity communicates the responsibilities of internal and external users Previously fell under S2.2, A2.2, I2.2, C2.2 CC2.3 and others whose roles affect system operation. Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the Previously fell under S2.3, A2.3, I2.3, C2.3 CC2.4 [insert in scope principles] of the system, have the information necessary to carry out those responsibilities. Internal and external system users have been provided with information on Previously fell under S2.4, A2.4, I2.4, C2.4 CC2.5 how to report [insert in scope principles] failures, incidents, concerns, and other complaints to appropriate personnel. CC2.6 Previously fell under S2.5, A2.5, I2.5, C2.5 System changes that affect internal and external system user responsibilities or the entity s commitments and requirements relevant to [insert in scope principles] are communicated to those users in a timely manner. 11

12 Common criteria risk management and design and implementation of controls and monitoring controls CC3.0 CC3.1 CC3.2 The entity (1) identifies potential threats that would impair system [insert in scope principles] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies). The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy. Previously fell under S3.1, S3.8, A3.1, A3.11, I3.1, I3.12, C3.1 and C3.14 Previously fell under S1.1, S1.2, S2.3, A1.1, A1.2, A2.3, I1.1, I1.2, I2.3, C1.1, C1.2 and C2.3 CC3.3 The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technical changes) that could significantly affect the system of internal control for [insert in scope principles] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary. Previously fell under S4.3, A4.3, I4.3 and C4.3 CC4.0 Common Criteria Related to Monitoring of Controls CC4.1 The design and operating effectiveness of controls are periodically evaluated against [insert in scope principles] commitments and requirements, corrections and other necessary actions relating to identified deficiencies are taken in a timely manner. Previously fell under S4.1, S4.2, A4.1, A4.2, I4.1, I4.2, C4.1, C4.2 12

13 CC5.0 Common Criteria Logical and Physical Access Controls CC5.1 Logical access security software, infrastructure, and architecture have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access. Previously fell under S3.2.a, S3.2.e, S3.2.f, S3.2.g, S3.8, A3.5.a, A3.5.e, A3.5.f, A3.11, I3.6.a, I3.6.e, I3.f, I3.6.g, I3.12, C3.8.a, C3.8.g, C3.8.h, C3.8.i, C3.8.e, C3.8.f, and C3.14 CC5.2 New internal and external system users are registered and authorized prior to being issued system credentials, and granted the ability to access the system. User system credentials are removed when user access is no longer authorized. Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6d, C3.8.c and C3.8.d CC5.3 Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data). Previously fell under S3.2.b, A3.5.b, I3.6.b and C3.8.b CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them. Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6d, C3.8.c and C3.8.d 13

14 CC5.0 Common Criteria Logical and Physical Access Controls CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel. Previously fell under S3.3, A3.6, I3.7 and C3.9 CC5.6 Logical access security measures have been implemented to protect against [insert in scope principles] threats from sources outside the boundaries of the system. Previously fell under S3.4, A3.7, I3.8 and C3.10 CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement or removal enabling the entity to meet its commitments and requirements as they relate to [insert in scope principles]. Previously fell under S3.6, A3.9, I3.10 and C3.12 CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software. Previously fell under S3.5, A3.8, I3.9 and C

15 CC6.0 Common criteria system operations CC6.1 Vulnerabilities of system components to [insert in scope principles] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities. Criteria is new and was not covered included previously. CC6.2 [Insert in scope principles] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures. Previously fell under S3.7, S3.9, A3.10, A3.12, I3.11, I3.13 and C3.13 and C

16 CC7.0 Common Criteria change management CC7.1 [Insert in scope principles] commitments and requirements, are addressed, during the system development lifecycle including design, acquisition, implementation, configuration, testing modification, and maintenance of system components. Previously fell under S3.10, A3.13, I3.14 and C3.15 CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert in scope principles]. Previously fell under S3.12, A3.15, I3.16 and C3.18 CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring. Criteria is new and was not covered included previously. CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert in scope principles] commitments and requirements. Previously fell under S3.13, S3.14, A3.16, A3.17, I3.17, I3.18, C3.2 and C

17 A1. 0 Additional criteria - availability Current processing capacity and usage are maintained, monitored, and Previously fell under A3.2 and I3.19 A1.1 evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements. A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements. Previously fell under A3.2, A3.3, I3.2 and I3.19 A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements. Previously fell under A3.4 and I

18 PI1.0 Additional criteria processing integrity PI1.1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements. Criteria is new and was not covered included previously. System inputs are measured and recorded completely, accurately, and timely Previously fell under I3.2 PI1.2 in accordance with processing integrity commitments and requirements. Data is processed completely, accurately, and timely as authorized in Previously fell under I3.3 and I3.5 PI1.3 accordance with processing integrity commitments and requirements. PI1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.. Criteria is new and was not covered included previously. System output is complete, accurate, distributed, and retained in accordance Previously fell under I3.4 PI1.5 with processing integrity commitments and requirements. PI1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements. Criteria is new and was not covered included previously. 18

19 C1.0 Additional criteria confidentiality Confidential information is protected during the system design, development, C1.1 testing, implementation, and change processes in accordance with Previously fell under C3.21 confidentiality commitments and requirements. Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, Previously fell under C3.2, C3.3 and C3.4 C1.2 retention, output, and disposition in accordance with confidentiality commitments and requirements. Access to confidential information from outside the boundaries of the system Previously fell under C3.5 C1.3 and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements. The entity obtains confidentiality commitments that are consistent with the entity s confidentiality requirements from vendors and other third parties Previously fell under C3.6 C1.4 whose products and services comprise part of the system and have access to confidential information. Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the Previously fell under C3.6 C1.5 system is assessed on a periodic and as needed basis and corrective action is taken if necessary. C1.6 Previously fell under C3.7 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system. 19

20 Disclosure Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought Baker Tilly Virchow Krause, LLP 20