Assurance reports for outsourcing


Assurance reports for outsourcing
DNB seminar Cloud computing
Amsterdam, Netherlands, 20 June 2013
Jaap van Beek

Assurance reports regarding service organizations

Assurance framework: international standards and their US counterparts
  ISAE 3000 (general assurance framework)              US: SOC 2 / SOC 3
  ISAE 3402 (suitable for service organizations)       US: SOC 1
  Other specific assurance standards

Spectrum of services covered by SOC reports

Ordered from SOC 1 (financial reporting controls) at one end to SOC 2 / SOC 3 (operational controls) at the other:
  Financial services
  Custodial services
  Healthcare claims processing
  Payroll processing
  Payment processing
  Cloud ERP service
  Data center co-location
  IT systems management
  Enterprise cloud email
  Cloud collaboration
  SaaS-based HR services
  Security-as-a-service
  Any service where the third parties' primary concern is security, availability or privacy

Service Organization Control (SOC) reports

SOC 1
  Scope/Focus:   Internal control over financial reporting
  Summary:       Detailed report for customers and their auditors
  Applicability: Focused on financial reporting risks and on controls specified by the service provider. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
  Standard:      ISAE 3402 or SSAE 16

SOC 2
  Scope/Focus:   Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  Summary:       Detailed report for customers and specified parties
  Applicability: Focused on Security, Confidentiality, Availability, Processing Integrity and/or Privacy. Applicable to a broad variety of systems.
  Standard:      AT 101, under the guidance of the AICPA Audit Guide for SOC 2 reports (AAG-SOP, March 2012)

SOC 3
  Scope/Focus:   Same as SOC 2
  Summary:       Short report that can be generally distributed, with the option of displaying a web site seal
  Applicability: Same as SOC 2, but without disclosing the detailed controls and tests. The service provider may post a seal if it receives an unqualified opinion.
  Standard:      AT 101 and TSP 100

Note that the standard references are those in force in June 2013. In the US, SSAE 16 has since been superseded by SSAE 18 and AT 101 by AT-C section 205, so check which standard a report you receive actually cites; the distinction between a Type 1 report (design of controls at a point in time) and a Type 2 report (operating effectiveness over a period) matters more to a recipient than the standard number.

Summary of SOC 2/3 principles and criteria topics

Security
  IT security policy
  Logical access
  Incident management
  Personnel security
  Security awareness and communication
  Risk assessment
  Physical access
  Security monitoring
  User authentication
  Asset classification and management
  Systems development and maintenance
  Configuration management
  Change management
  Monitoring and compliance

Availability
  Availability policy
  Backup and restoration
  Environmental controls
  Disaster recovery
  Business continuity management

Confidentiality
  Confidentiality policy
  Confidentiality of inputs
  Confidentiality of data processing
  Confidentiality of outputs
  Information disclosures (including to third parties)
  Confidentiality of information in systems development

Processing Integrity
  System processing integrity policies
  Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs
  Information tracing from source to disposition

Privacy
  Management
  Notice
  Choice and consent
  Collection
  Use and retention
  Access
  Disclosure to third parties
  Quality
  Monitoring and enforcement

How to identify the SOC report that is right for you

1. Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customers' financial statements?
   Yes: SOC 1 report.

2. Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or a similar law or regulation?
   Yes: SOC 1 report.

3. Will the report be used by your customers or stakeholders to gain confidence in and place trust in a service organization's systems?
   Yes: SOC 2 or SOC 3 report; continue with the two questions below.

   3a. Do you need to make the report generally available, or to display a seal?
       Yes: SOC 3 report.

   3b. Do your customers need, and are they able to understand, the details of the processing and controls at the service organization, the tests performed by the service auditor and the results of those tests?
       Yes: SOC 2 report.
       No:  SOC 3 report.

Source: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization'smanagement.aspx

2013 KPMG Advisory NV, a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. 26076NSS The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.