Understanding changes to the Trust Services Principles for SOC 2 reporting


Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting

Agenda
> SOC 2 defined and clarified
> Changes to the Trust Services Principles

SECTION 1 SOC 2: DEFINED AND CLARIFIED

SOC Framework

SOC 1 (Service organization control 1)
> Applicable to services that are likely to be relevant to user entities' internal control over financial reporting
> Reports on controls supporting financial statement audits
> Restricted to customers during the audit period
> Example organizations: payroll processors, transaction processors

SOC 2 (Service organization control 2)
> Applicable to services that don't directly impact financial reporting
> Reports on controls related to operations
> Restricted to those familiar with the subject matter
> Example organizations: direct mailers, call centers

SOC 3 (Service organization control 3)
> Applicable to services that don't directly impact financial reporting
> Reports on controls related to operations
> General use report
> Example organizations: direct mailers, call centers

Trust services
What are trust services ("TS")?
> A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs.
> Consists of five key components organized to achieve a specified objective.

Key components of trust services
> Infrastructure: the physical and hardware components of a system (facilities, equipment, and networks)
> Software: the programs and operating software of a system (systems, applications, and utilities)
> People: the personnel involved in the operation and use of a system (e.g. developers, operators, users, and managers)
> Procedures: the programmed and manual procedures involved in the operation of a system (automated or manual)
> Data: the information used and supported by a system (e.g. transaction streams, files, databases, and tables)

Trust services principles and criteria (cont.)
Principles and their objectives:
> Security: the protection of the system from unauthorized access, both logical and physical
> Availability: the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements
> Processing integrity: the completeness, accuracy, validity, timeliness, and authorization of system processing
> Confidentiality: the system's ability to protect the information designated as confidential, as committed or agreed
> Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice

Previous Structure of the Trust Services Principles and Criteria
> Security, Availability, Processing Integrity and Confidentiality were previously subdivided into common domains:
  Policies
  Communication
  Procedures
  Monitoring
> A lot of overlap was built into the criteria
> 51 unique criteria across security, availability, processing integrity, confidentiality
> Separate criteria specific to privacy, to be revised at a later date

Redesigned Structure of the Trust Services Principles and Criteria
> As a result of the overlaps, criteria applicable to all four principles have been placed together as common criteria organized into the following categories:
  Organization and management
  Communications
  Risk management and design and implementation of controls
  Monitoring of controls
  Logical and physical access controls
  System operations
  Change management
> Additional criteria specific to Availability, Processing Integrity and Confidentiality
> Separate criteria specific to privacy, to be revised at a later date

CC1.0 Common criteria: organization and management

CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert in scope principles].
   New criterion; not covered previously.

CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation.
   Previously fell under S1.3, A1.3, I1.3, and C1.3

CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert in scope principles] have the qualifications and resources to fulfill their responsibilities.
   Previously fell under S3.11, A3.14, I3.15, C3.17

CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert in scope principles].
   Previously fell under S3.11, A3.14, I3.15, C3.17

CC2.0 Common criteria: communications

CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.
   Previously fell under S2.1, A2.1, I2.1, C2.1

CC2.2 The entity's [insert in scope principles] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.
   Previously fell under S2.2, A2.2, I2.2, C2.2

CC2.3 The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.
   Previously fell under S2.2, A2.2, I2.2, C2.2

CC2.4 Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert in scope principles] of the system, have the information necessary to carry out those responsibilities.
   Previously fell under S2.3, A2.3, I2.3, C2.3

CC2.5 Internal and external system users have been provided with information on how to report [insert in scope principles] failures, incidents, concerns, and other complaints to appropriate personnel.
   Previously fell under S2.4, A2.4, I2.4, C2.4

CC2.6 System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert in scope principles] are communicated to those users in a timely manner.
   Previously fell under S2.5, A2.5, I2.5, C2.5

CC3.0 Common criteria: risk management and design and implementation of controls

CC3.1 The entity (1) identifies potential threats that would impair system [insert in scope principles] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies).
   Previously fell under S3.1, S3.8, A3.1, A3.11, I3.1, I3.12, C3.1 and C3.14

CC3.2 The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.
   Previously fell under S1.1, S1.2, S2.3, A1.1, A1.2, A2.3, I1.1, I1.2, I2.3, C1.1, C1.2 and C2.3

CC3.3 The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technical changes) that could significantly affect the system of internal control for [insert in scope principles] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.
   Previously fell under S4.3, A4.3, I4.3 and C4.3

CC4.0 Common criteria: monitoring of controls

CC4.1 The design and operating effectiveness of controls are periodically evaluated against [insert in scope principles] commitments and requirements; corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
   Previously fell under S4.1, S4.2, A4.1, A4.2, I4.1, I4.2, C4.1, C4.2

CC5.0 Common criteria: logical and physical access controls

CC5.1 Logical access security software, infrastructure, and architecture have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access.
   Previously fell under S3.2.a, S3.2.e, S3.2.f, S3.2.g, S3.8, A3.5.a, A3.5.e, A3.5.f, A3.11, I3.6.a, I3.6.e, I3.f, I3.6.g, I3.12, C3.8.a, C3.8.g, C3.8.h, C3.8.i, C3.8.e, C3.8.f, and C3.14

CC5.2 New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.
   Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6.d, C3.8.c and C3.8.d

CC5.3 Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data).
   Previously fell under S3.2.b, A3.5.b, I3.6.b and C3.8.b

CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them.
   Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6.d, C3.8.c and C3.8.d

CC5.0 Common criteria: logical and physical access controls (cont.)

CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel.
   Previously fell under S3.3, A3.6, I3.7 and C3.9

CC5.6 Logical access security measures have been implemented to protect against [insert in scope principles] threats from sources outside the boundaries of the system.
   Previously fell under S3.4, A3.7, I3.8 and C3.10

CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement or removal, enabling the entity to meet its commitments and requirements as they relate to [insert in scope principles].
   Previously fell under S3.6, A3.9, I3.10 and C3.12

CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software.
   Previously fell under S3.5, A3.8, I3.9 and C3.11

CC6.0 Common criteria: system operations

CC6.1 Vulnerabilities of system components to [insert in scope principles] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated, and countermeasures are implemented to compensate for known and new vulnerabilities.
   New criterion; not covered previously.

CC6.2 [Insert in scope principles] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.
   Previously fell under S3.7, S3.9, A3.10, A3.12, I3.11, I3.13, C3.13 and C3.15

CC7.0 Common criteria: change management

CC7.1 [Insert in scope principles] commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.
   Previously fell under S3.10, A3.13, I3.14 and C3.15

CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert in scope principles].
   Previously fell under S3.12, A3.15, I3.16 and C3.18

CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.
   New criterion; not covered previously.

CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert in scope principles] commitments and requirements.
   Previously fell under S3.13, S3.14, A3.16, A3.17, I3.17, I3.18, C3.2 and C3.19

A1.0 Additional criteria: availability

A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
   Previously fell under A3.2 and I3.19

A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
   Previously fell under A3.2, A3.3, I3.2 and I3.19

A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.
   Previously fell under A3.4 and I3.21

PI1.0 Additional criteria: processing integrity

PI1.1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.
   New criterion; not covered previously.

PI1.2 System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements.
   Previously fell under I3.2

PI1.3 Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements.
   Previously fell under I3.3 and I3.5

PI1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.
   New criterion; not covered previously.

PI1.5 System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.
   Previously fell under I3.4

PI1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements.
   New criterion; not covered previously.

C1.0 Additional criteria: confidentiality

C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
   Previously fell under C3.21

C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
   Previously fell under C3.2, C3.3 and C3.4

C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.
   Previously fell under C3.5

C1.4 The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements from vendors and other third parties whose products and services comprise part of the system and have access to confidential information.
   Previously fell under C3.6

C1.5 Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis, and corrective action is taken if necessary.
   Previously fell under C3.6

C1.6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system.
   Previously fell under C3.7

Disclosure
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party.

The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.

2012 Baker Tilly Virchow Krause, LLP