WELCOME TO SECURE360 2013

Similar documents
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Understanding changes to the Trust Services Principles for SOC 2 reporting

Reports on Service Organizations Where we ve been?

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

HIPAA Compliance: Are you prepared for the new regulatory changes?

Service Organization Control Reports

Vendor Management Best Practices

Information for Management of a Service Organization

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

IT Insights. Managing Third Party Technology Risk

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

Third Party Risk Management 12 April 2012

HIPAA Compliance and Reporting Requirements

SSAE 16 Everything You Wanted To Know But Are Afraid To Ask. Kurt Hagerman CISA, CISSP, QSA Managing Director, Coalfire December 8, 2011

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

WebEx guide. > Everyone is muted to avoid background noise. Please use the chat box if you need to communicate with the host.

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Service Organization Control (SOC) reports What are they?

Conducting a System Implementation Risk Review at Higher Education Institutions

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Managing data security and privacy risk of third-party vendors

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Hot Topics in IT. CUAV Conference May 2012

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

Cloud Computing An Auditor s Perspective

Understanding Vendor Risk And Analyzing the SSAE No. 16

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

The silver lining: Getting value and mitigating risk in cloud computing

2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP

How To Be A Successful Compliance Officer

Internal audit value optimization for insurance organizations

Ayla Networks, Inc. SOC 3 SysTrust 2015

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

SAS No. 70, Service Organizations

The Elephant in the Room: What s the Buzz Around Cloud Computing?

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

FAQs New Service Organization Standards and Implementation Guidance

provide funding as an incentive to

Service Organization Control (SOC) Reports

Goodbye, SAS 70! Hello, SSAE 16!

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security and Managing Use Risks

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Monitoring Outside Service Providers, Part III: SAS 70 Updates

How To Protect Your Organization From Liability From A Cell Phone (For Business)

Cybersecurity: Protecting Your Business. March 11, 2015

Welcome & Introductions

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Orchestrating the New Paradigm Cloud Assurance

Auditing Engineer-Procure-Construct (EPC) Projects

CFPB Readiness Series: Compliant Vendor Management Overview

Isaac Willett April 5, 2011

Construction Fraud: Stories from the Field

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants Visit us on the web: Or Call:

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Security and Privacy in Cloud Computing

VENDOR MANAGEMENT. General Overview

Analyzing contract terms: General requirements

GAO. Government Auditing Standards Revision. By the Comptroller General of the United States. United States Government Accountability Office

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Understanding ISO and Preparing for the Modern Era of Cloud Security

PNC is a registered mark of The PNC Financial Services Group, Inc.( PNC ) 2013 The PNC Financial Services Group, Inc. All rights reserved.

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

SECURITY AND EXTERNAL SERVICE PROVIDERS

Securing Oracle E-Business Suite in the Cloud

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012

Lessons Learned: Implementing Cloud Application Software Suites

(or required) to sign up for managed care programs. Depending on the state, Medicaid managed care may be voluntary or mandatory.

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

End of the SAS 70 Era

Service Organizations and the Internal Audit function conference Institute of Internal Auditors in Israel

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

Keeping watch over your best business interests.

CLOUD COMPUTING for Construction Accounting BY BRIAN J. THOMAS

The Value of Vulnerability Management*

Financial Institutions Industry Insights

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Top Ten Technology Risks Facing Colleges and Universities

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)

Uncovering outpatient operations hidden revenue busters

SECURITY CONSIDERATIONS FOR LAW FIRMS

Privacy Law Basics and Best Practices

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

05.0 Application Development

Missouri Student Information System Data Governance

A Vendor s Journey to SaaS & the Cloud

Security Considerations for the Cloud

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Managing Cloud Computing Risk

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Transcription:

WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting? #Sec360

INTRODUCTIONS Tom Wojcinski, CISA, CRISC Director, Baker Tilly Virchow Krause, LLP Phone: 414-777-5536 Email: Tom.Wojcinski@bakertilly.com Daniel Steiner, MBA, CPA, CFE, ARM Manager, Baker Tilly Virchow Krause, LLP Phone: 608-220-5528 Email: Daniel.Steiner@bakertilly.com

BAKER TILLY VIRCHOW KRAUSE, LLP With more than 1,400 employees, Baker Tilly provides a wide range of accounting, tax, and advisory services. Ranked as one of the top twenty largest firms in the country*, Baker Tilly serves clients from offices in Chicago, Detroit, Minneapolis, New York, Washington DC, and throughout Wisconsin. Baker Tilly International is a worldwide network of independent accounting and business advisory firms in 125 countries, with more than 25,000 professionals. The combined worldwide revenue of independent member firms exceeds $3 billion *According to the 2012 Accounting Today "Top 100 Firms."

AGENDA A brief history and perspective of the new SOC landscape SOC reporting defined and clarified SOC 2 Trust services overview Report structure Examination process Benefits beyond compliance Alignment with other compliance frameworks

THE SOC LANDSCAPE AICPA replaced SAS 70 Effective for audit periods ending after June 15, 2011 Established the Statement of Control Framework (SOC Framework) Why Confusion in the market we are SAS 70 certified Frequently misused to report on controls not relevant to financial reporting market demand for expanded scope of report Security Availability Processing integrity Confidentiality Privacy

THE SOC LANDSCAPE Why - continued Growth of the service organization landscape New technologies Cloud computing (SAAS, PAAS, IAAS) Convergence of US and international standards Increased leverage on outsourced service offerings from experts

THE SOC LANDSCAPE SOC 1 (Service organization control 1) SOC 2 (Service organization control 2) SOC 3 (Service organization control 3) Applicable to services that are likely to be relevant to user entities internal control over financial reporting Applicable to services that don t directly impact financial reporting Applicable to services that don t directly impact financial reporting Reports on controls supporting financial statement audits Reports on controls related to operations Reports on controls related to operations Restricted to customers during the audit period Restricted to those familiar with the subject matter General use report Example organizations: payroll processors, transaction processors Example organizations: Direct mailers, call centers Example organizations: Direct mailers, call centers

SOC 1 REPORT What s in the report? Impacts to service organizations Impacts to user entities Formal audit letter Management s assertion Management s system description, including specified control objectives Tests of controls and results Written assertion about the accuracy and relevance of the system description and the design and operating effectiveness of controls Specify the criteria used in making the assertion Management must have a reasonable basis for its assertion Document and disclose changes in controls during the period Can be used to support financial statement audit Need to evaluate exceptions and determine relevance and any additional analysis Should be evaluated and confirm compliance with user control considerations

SOC 2 REPORT What s in the report? Impacts to service organizations Impacts to user entities Formal audit letter Management s assertion Management s system description, including trust Services principles and criteria instead of control objectives Tests of controls and results Additional requirements for system description much clearer guidance on how to describe the system Similar requirements as SOC 1 for management s assertion Focused on control assurance Not likely useful in a financial statement audit

SOC 3 REPORT What s in the report? Impacts to service organizations Impacts to user entities Audit report with limited opinion Abbreviated system description Enhanced marketing potential May not be possible in scenarios with subservice organizations or significant reliance on user control considerations Useful where detailed understanding of controls isn t required

THE THREAT FROM WITHIN Texas data breach exposed 3.5 million records: Names, addresses, and social security numbers of state retirees and unemployment beneficiaries were posted, unencrypted, on a public server. (InformationWeek, April 13 2011) Internal staff error Bank of America gets hit twice by internal staff: ATMs and data were compromised in separate attacks stemming from an employee theft of bank customer data and a multi-atm heist perpetrated by a Diebold employee. (Bank Technology News American Banker, May 2011) Internal staff and vendor staff purposeful breach

THE THREAT FROM WITHIN New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) data breach of Social Security numbers, dates of birth and financial institution account numbers through an independent software development consulting firm employee who allowed unauthorized access to one of the companies customer information systems. (http://www.databreaches.net/?p=22960&goback=%2egde_860307_member_91453823, January 24, 2012) Contractor data breach Telstra (an internet and email service provider) data breach of detailed information outlining the customer's account number, what broadband plan they are on, other Telstra services they were signed up to and notes associated with the accounts, including user names and passwords causing the company to suspend services to almost 1 million users. (http://www.smh.com.au/it-pro/it-news/network-outage-as-telstra-probes-privacy-breach-20111210-1oohk.html, December 10, 2011) Unspecified internal staff error

TRUST SERVICES What are trust services ( TS )? A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Consists of five key components organized to achieve a specified objective.

KEY COMPONENTS OF TRUST SERVICES Infrastructure The physical and hardware components of a system (facilities, equipment, and networks) Software The programs and operating software of a system (systems, applications, and utilities) People The personnel involved in the operation and use of a system (e.g. developers, operators, users, and managers) Procedures The programmed and manual procedures involved in the operation of a system (automated or manual) Data The information used and supported by a system (e.g. transaction streams, files, databases, and tables)

TRUST PRINCIPLES Security Principles Security Objectives The protection of the system from unauthorized access, both logical and physical Availability The accessibility to the system, products, or services as advertized or committed by contact, service-level, or other agreements Privacy Availability Processing integrity The completeness, accuracy, validity, timeliness, and authorization of system processing Confidentiality The system s ability to protect the information designated as confidential, as committed or agreed Confidentiality Processing Integrity Privacy Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice

TRUST SERVICES PRINCIPLES AND CRITERIA Defined criteria in five trust principle areas Further subdivided into trust services criteria domains: Policies Communication Procedures Monitoring A lot of overlap built into the criteria 51 unique criteria across security, availability, processing integrity, confidentiality Separate criteria specific to privacy

GENERALLY ACCEPTED PRIVACY PRINCIPLES Privacy principles Provides criteria and related material for protecting the privacy of personal information Incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines Used to guide and assist organizations in implementing privacy programs http://www.aicpa.org/privacy

GENERALLY ACCEPTED PRIVACY PRINCIPLES 1) Management 2) Notice 3) Choice and consent 4) Collection 5) Use and retention 6) Access 7) Disclosure to third parties 8) Security for privacy 9) Quality 10) Monitoring and enforcement http://www.aicpa.org/privacy

REPORT STRUCTURE Sections 1) Service auditor s report (the opinion) 2) Management s assertion 3) System description 4) Tests of controls and results 5) Additional information provided by the service organization

BUILD TRUST AND COMMUNICATION Opines on fairness of presentation for the system description Opines on the design and/or operating effectiveness of controls Examination Effect Objectively describe the service provided Increased awareness of customer requirements Transparent communication of results Opportunity to deepen customer relationships Demonstrate commitment to customer Benefit

STRENGTHEN ENTITY LEVEL CONTROLS Examine all relevant criteria for the selected principles Can t pick and choose Examination Effect Define comprehensive policies Communicate duties to all parties Monitor control performance Top-to-bottom organizational awareness of policies Management can drive consistency Benefit

ENHANCED RISK AWARENESS Evaluate whether the company sufficiently evaluates risk relative to the achievement of the principles Examination Effect Formalize the ad-hoc nature of risk assessments Objectively define the system from the customer perspective Develop a holistic view of service risks from the customer perspective Understand the voice of the customer Benefit

IMPROVED CONSISTENCY Trust Services requires documentation of policies and procedures Evidencing controls requires consistent documentation Examination Effect Forces the documentation of ad-hoc processes Requires consistent control evidence Increases the institutional knowledge for controls Improved consistency of operations Reduced reliance on any one critical human resource Benefit

ENHANCED RELIABILITY Evaluates the implementation status and/or operational effectiveness of controls Requires continuous demonstration of key activities Examination Effect Increased accountability for control performance Employees develop increase sense of ownership for service delivery Service performance may increase Customer perceptions of reliability may increase Benefit

CULTURE OF CONTINUOUS IMPROVEMENT Is not a walk in the park Needs to be more efficient better, faster, cheaper Examination Effect Engage management and control performers to drive year-over-year efficiencies Eliminate variations in control performance Creates a culture of continuous improvement Benefit

ALIGNMENT WITH OTHER COMPLIANCE FRAMEWORKS Written at high level, thus often can be mapped to specific regulatory requirements and recognized control frameworks HIPAA Security Standards ISO PCI Cloud security Separate assertion, description, testing, and opinion paragraph HIPAA standards are written at a more detailed level, and map well with SOC 2 security

ALIGNMENT WITH OTHER COMPLIANCE FRAMEWORKS Determining what report is best: What needs to be communicated? Who is requiring/intended audience? What are the intended uses of the report? Avoid overly complex reports

QUESTIONS?

REQUIRED DISCLOSURE AND CIRCULAR 230 PROMINENT DISCLOSURE The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2012 Baker Tilly Virchow Krause, LLP.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information