Cloud Computing BENEFITS & RISKS Cloudy with a Chance of Risk
Presenters Ad Information Technology Matisse Long, CPA Jerry Jones, CPA, CISA, CISM, CGEIT, CRISC
Agenda What is cloud computing? What are cloud computing benefits? What are considerations for selecting cloud service providers? What are cloud computing risks? What are practical concerns for cloud compliance? What are cloud security considerations? What is cloud service provider compliance reporting SSAE16 (SOC 1) / SOC 2 / SOC 3?
Cloud Computing Intro to Cloud Based Services
Cloud Based Services What are Cloud based services and offerings?
Cloud Services Marketing Microsoft's "To The Cloud" TV Campaign
Cloud Services Survey Do you know what the Cloud is? Survey sponsored by Citrix, August 2012. One-third of Americans believe the Cloud is weather related, not tech. Only 16% responded correctly that the cloud is a computer network used to store, access and share data from an Internet-connected device. One in five have lied, pretending they know what the cloud is in conversation. 65% have used online banking; 20% use file sharing services. Source: Network World
Cloud Based Service Basics Cloud services are consumer and business products, services and solutions delivered and consumed over the Internet. Cloud computing is on-demand delivery of IT resources as a service via the Internet with pay-as-you-go pricing. Cloud computing services vary from renting hardware to utilizing Cloud application programming interfaces (APIs). Companies can rapidly deploy applications where the underlying technology components can expand and contract with the natural ebb and flow of the business life cycle. Cloud computing incorporates virtualization, on-demand deployment, Internet delivery of services, and open source software, and allows applications to be dynamically deployed onto the most suitable infrastructure at run time.
Electric Utility Businesses in the 1800s had to produce their own electricity. The shoe factory had to focus on making shoes and generating electricity. Engineering improvements made electricity transmission easier. Electric utilities started producing the electricity once produced internally; electricity became cheaper. The shoe factory could focus on the core business of making shoes. Electric utilities made it disadvantageous to produce electricity internally.
Utility Computing Utility computing is the packaging of computing resources, such as computation, storage and services, as a metered service. It is the foundation of on-demand computing, software as a service and cloud computing. Attributes include virtualization, time sharing, multiple servers and distributed computing. Utility computing is not a new concept: IBM and other mainframe providers offered time sharing in the 1970s and 1980s. Cloud computing service providers are organized to deliver cost effective computing power. Like electric utilities, cloud computing allows the business to focus on the core business and not on infrastructure and maintenance.
Utility Computing and Virtualization Virtualization is creating a virtual version of a device or resource such as a server, storage device, network or operating system. To access multiple operating systems on one machine, the old standby was to dual boot or multi boot a hard drive, which required a partitioned hard drive. Virtualization has roots in the mainframe environment, when mainframe resources were logically divided into libraries or volumes. Virtualization introduced new features including snapshots (point in time images); the machine can be reverted on demand back to that state. A physical server or workstation can be virtualized to migrate the server to the cloud. Desktop virtualization has helped some companies migrate to thin clients, where processing is done at the server instead of the client / desktop.
Utility Computing and Virtualization Virtualization provides a hypervisor to allow physical resources to be independent of other systems. The virtual machines do not care where they are physically located. Advantages can include reduction in heat, reduction in hardware, faster redeployment, easier backups, better testing, hardware independence, easier disaster recovery, single purpose servers, extended life and easier cloud migration.
Utility Computing and Virtualization Virtualization can result in lower costs since resources can be more closely matched with requirements. Virtual servers can allow for hardware consolidation onto more powerful servers. Servers can be moved in real time between data centers.
Utility Computing and Virtualization Virtual Box (www.virtualbox.org); free open source software sponsored by Oracle
Cloud Computing
Cloud Computing Services
Cloud Computing Definition What is Cloud computing? National Institute of Standards and Technology (NIST): Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Five Essential Characteristics of Cloud Computing: 1. On demand service 2. Broad network access 3. Resource pooling 4. Rapid elasticity or expansion 5. Measured service
Cloud Computing Definition Three services models of Cloud Computing 1. Software i.e. SaaS (Software as a Service) 2. Platform i.e. PaaS (Platform as a Service) 3. Infrastructure i.e. IaaS (Infrastructure as a Service)
Cloud Service Model Examples SaaS (Software as a Service): software solutions that an end user can just use. Microsoft Office 365, Google Gmail and Cisco WebEx. PaaS (Platform as a Service): a cloud based development platform used in building applications for the cloud. Microsoft Azure, VMware Cloud Foundry and Force.com (salesforce). IaaS (Infrastructure as a Service): the hardware and software platforms, provided at scale, that provide or extend the infrastructure needs of an organization. Rackspace and Amazon.
Cloud Service Model Examples SaaS Example Office 365
Cloud Service Model Examples SaaS Example QuickBooks Online
Cloud Service Model Examples SaaS Example DropBox Considerations: Who controls the encryption key and algorithm? Must enable two factor authentication. Central administrative panel.
Cloud Service Model Examples PaaS Windows Azure
Cloud Service Model Examples PaaS SalesForce.com
Cloud Service Model Examples IaaS Example Rackspace Cloud with Hardware Based Firewall
Cloud Service Model Examples SaaS / IaaS Example Host Gator
Cloud Service Model Examples SaaS (Software as a Service) PaaS (Platform as a Service) IaaS (Infrastructure as a Service) Source: Oracle
Other as a Service Models
o Backup as a Service (BaaS): VM snapshot storage, backups, etc.
o Communication as a Service (CaaS): VOIP, video conferencing, etc.
o Desktop as a Service (DaaS): access desktops remotely.
o Hadoop as a Service (HaaS): Java based framework for processing and analyzing large amounts of data.
o Identity as a Service (IDaaS): single sign-on for the cloud.
o Load Balancing as a Service (LBaaS): directs traffic to balance load.
o Monitoring as a Service (MaaS): hosted monitoring and notifications.
o Disaster Recovery as a Service (DRaaS): cloud based DR.
o Storage as a Service (SaaS): data storage as the primary service.
o Security as a Service (SECaaS): security services like antivirus.
o Etc.
Cloud Computing Definition Four deployment models of Cloud Computing 1. Private 2. Community 3. Public 4. Hybrid
Private, Public and Hybrid Deployment Deployment Goal: provide easy, scalable access to computing resources and IT services. Deployment Revisited 1. A public cloud sells services to anyone on the Internet, with all users leveraging a common and scalable implementation. 2. A private cloud has a similar implementation, but it is typically secured in an organization's data center, or managed by a hosting organization in a private and secure manner. 3. A hybrid cloud has some of the desired solution existing securely in the private cloud data center and some of it existing in the public cloud. Public Cloud Deployment Benefits 1. Easy and inexpensive setup because hardware, application and bandwidth costs are covered by the provider. 2. Scalability to meet needs. 3. No wasted resources because you pay for what you use.
Cloud Computing Cloud Benefits
Cloud Benefits Reduced costs due to operational efficiencies and more rapid deployment of new business services. Cost allocation flexibility for customers wanting to move CapEx into OpEx. Elastic nature of the infrastructure to rapidly allocate and deallocate massively scalable resources to business services on a demand basis. Flexibility to choose multiple vendors that provide reliable and scalable business services, development environments, and infrastructure that can be leveraged out of the box and billed on a metered basis with no long term contracts. Decoupling and separation of the business service from the infrastructure needed to run it (virtualization).
Cloud Benefits Cloud service providers can provide data centers around the world which facilitates easy expansion. If the customer adds a location in Australia, a closer data center can improve performance by lowering latency and provide a better experience for customers at minimal cost.
Cloud Benefits Cloud Economic Considerations Opportunity costs: Gartner estimates that 80% of IT budgets are spent on maintenance; cloud can allow these resources to be focused on the core business. CapEx versus OpEx: capital expenses have to be paid regardless of use; cloud can allow operating expenses to be tied directly to use / need. Total cost of ownership: costs of salaries, licenses, electricity, etc. can be hard to budget; cloud can allow for better budgeting and calculation of total cost. Core business focus: companies are typically not data center providers; cloud can allow companies to focus on their core business. Division of labor: specialized labor may be more productive.
Cloud Benefits Amazon Web Services (AWS) AWS allows customers to deliver content, reduce CapEx and OpEx costs, and obtain large amounts of capacity in a short time. Hundreds or thousands of servers can be deployed in minutes.
Cloud Service Model Benefits Standardized IT-based capability: cloud services are based on a level of standardization for technology components. The underlying logic is that a significant amount of IT client demand has more similarities than differences, and this is key to economies of scale for many common technology requirements (processing power, storage, core applications, development platforms, etc.). Consumption billing: most cloud services models charge by actual use of the resources in CPU hours, gigabits (Gbs) consumed, gigabits per second (Gbps) transferred, email accounts, etc., rather than only by number of servers, tickets, or authorized users. The pay-for-play economics, often with shorter contract durations, can be very attractive to clients. Scalable: scalability and resilience are key design components of cloud services. More of the delivery cost risk is on the service provider, but clients have more flexibility (within reasonable commercial limits) for increasing and decreasing demand while continuing to pay only for what is used (along with provider margins and some delivery cost spread across all clients). Web-based accessibility and flexibility: many cloud services use a standard Web browser to control demand and implement services without any unusual software add-ons or specific OS requirements. Clients can provision and manage services without significant involvement by the provider. Source: Forrester Cloud Service Offerings
Cloud Service Model Benefits Ease of operations: you can control all your data with one service provider rather than multiple vendors. Cost effective: applications are subscription-based, so you pay for only the features needed. There are no upfront license fees, so the initial costs are lower. Since the provider will manage the infrastructure, it decreases your reliance on an already over-extended IT department (i.e., drives a lower TCO). Cloud solutions move to an Operational Expense model (OpEx) rather than a Capital Expense model (CapEx). Fast to market: a SaaS deployment should be completed in weeks rather than the months or longer a traditional software deployment takes. Less risk with a simpler model: no software to download, no software license to negotiate and no IT infrastructure to worry about. It's flexible, has a lower cost and overall is a lower risk for any organization. Automatic updates: the service provider takes the responsibility for adding new releases and feature enhancements to the system, often over a period of time so you can accept them when you are ready. No longer will your IT staff worry about individual users on different versions or the next "upgrade" cycle.
Cloud Computing Evaluating Cloud Service Providers
IT General Controls
Security: security policy / user awareness / training; administration / provisioning; identification / authentication; configuration / settings; privileged users; physical access; monitoring
Change Management: SDLC / change control; security impact; data migration / interfaces; TEST / DEV / QC / PROD
Operations: backup data; monitoring; environmental controls
Cloud Service Compliance Determine compliance requirements and evaluate adherence: SOC 1 (SSAE16), SOC 2 and SOC 3; HIPAA (new updated guidance in 2013); Payment Card Industry (PCI) Data Security Standard (DSS); Gramm-Leach-Bliley (GLB); Sarbanes-Oxley (SOX); Federal Information Security Management Act (FISMA) / NIST guidelines; Federal Risk and Authorization Management Program (FedRAMP); Federal Information Processing Standard (FIPS) Publication 140-2; International Organization for Standardization (ISO) 27001 certification; Cloud Security Alliance (CSA); Motion Picture Association of America (MPAA)
Cloud Informational Websites https://cloudsecurityalliance.org/ provides education and research along with controls and mappings. http://cloudtaxonomy.opencrowd.com/taxonomy/ provides information on cloud computing services and creates a dialog between cloud computing service vendors, consumers and developers to foster further understanding and adoption of cloud based solutions.
Cloud Obstacles and Opportunities (Source: UC Berkeley, Above the Clouds)
1. Availability of Service: use multiple cloud providers to provide business continuity; use elasticity to defend against DDoS attacks
2. Data Lock-In: standardize APIs; make compatible software available to enable surge computing
3. Data Confidentiality and Auditability: deploy encryption, VLANs, and firewalls; accommodate national laws via geographical data storage
4. Data Transfer Bottlenecks: FedExing disks; data backup/archival; lower WAN router costs; higher bandwidth LAN switches
5. Performance Unpredictability: improved virtual machine support; flash memory; gang scheduling VMs for HPC apps
6. Scalable Storage: invent scalable store
7. Bugs in Large-Scale Distributed Systems: invent debugger that relies on distributed VMs
8. Scaling Quickly: invent auto-scaler that relies on machine learning; snapshots to encourage cloud computing conservationism
9. Reputation Fate Sharing: offer reputation-guarding services like those for email
10. Software Licensing: pay-for-use licenses; bulk use sales
Cloud Misconceptions Cloud is just virtualization Cloud is just cost savings Private cloud is on premise Private cloud is just infrastructure Private cloud will always be private Cloud is not safe Cloud comparison shopping is easy Proprietary software will dominate the cloud Cloud data centers are killing the environment
Cloud Computing Cloud Risks
Cloud Risks Privileged user access: ask the providers to supply specific information on the hiring and oversight of privileged administrators, and the control over their access, because outsourced services usually bypass the physical, logical and personnel security controls which IT shops exert over in-house programs. Regulatory compliance: providers who refuse to undergo this scrutiny are signaling that subscribers can only use them for the most trivial functions, as subscribers are ultimately responsible for the security and integrity of their own data even when it is held by a service provider. Data location and ownership: ask the providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of the subscribers. Data segregation: subscriber data should be segregated from the data of other customers, as the Cloud is typically a shared environment. The service providers should offer data encryption as an option, with evidence that the corresponding encryption schemes were designed and properly tested by experienced specialists, as encryption accidents can make data totally unusable.
Cloud Risks (Continued) Recovery: ask the providers if they have implemented and tested disaster recovery procedures (DRP) which give them the ability to do a complete restoration and, most importantly, how long it will take to execute the DRP. Investigative support: get a contractual commitment from your service provider to support specific forms of investigation into inappropriate or illegal activity that happened to your services, along with evidence that the vendor has already successfully supported such activities. This is important as Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. Long-term viability: ask the providers how you would get your data back and if it would be in a format that you could import into a replacement application, as they might go broke or get acquired and even swallowed up by a larger company, such that your company data may not remain available after such an event.
Cloud Risks (Continued) End User Bypassing Policy and Procedure: determine if Cloud computing is considered in company policy and procedure. An employee cannot use a company credit card to order a Cloud service for a department without following an approval and risk assessment process. Document and data retention / disposal should be specifically considered. Does the selected Cloud service follow internal company best practices and standards?
Cloud Risks (Continued) NSA Domestic Spying Classified surveillance program: has the NSA undermined encryption models via hidden back doors, forcing providers to hand over keys or data, cracking encryption methods, etc.? Cloud Security Alliance (CSA) Guidance: Data should be encrypted before leaving the end user's organizational control. Encryption should be implemented for data at rest, in transit and in use. Encryption keys should be retained by the end user organization and not the cloud service provider. Select a cloud service provider that adheres to the CSA's best practices.
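The key-custody point made twice on this deck (the DropBox consideration "who controls the encryption key" and the CSA guidance that data is encrypted before it leaves organizational control with keys retained by the customer) can be shown concretely. The following Go program is an added illustration, not code from the presenters or from any provider: the customer holds an AES-256 key locally, encrypts each object with AES-GCM before upload, and the simulated provider store (a constructed in-memory map standing in for object storage) only ever receives ciphertext. The object name is bound as GCM associated data, so a blob that is moved, renamed or modified on the provider side fails authentication. The sample data and object names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// GenerateCustomerKey produces a 256-bit AES key. In a real deployment the key
// lives in the customer's own key manager or HSM (assumption for this example);
// the point of the CSA guidance is that it is never handed to the provider.
func GenerateCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// ProviderStore stands in for the provider's object storage (constructed for
// this example). It has no access to the key, so everything it holds is opaque.
type ProviderStore struct {
	objects map[string][]byte
}

func NewProviderStore() *ProviderStore {
	return &ProviderStore{objects: make(map[string][]byte)}
}

func (p *ProviderStore) Put(name string, blob []byte) {
	p.objects[name] = append([]byte(nil), blob...)
}

func (p *ProviderStore) Get(name string) ([]byte, bool) {
	blob, ok := p.objects[name]
	return blob, ok
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts data with AES-256-GCM before it leaves organizational
// control. The object name is authenticated as associated data. The returned
// blob is laid out as nonce || ciphertext || GCM tag.
func SealForUpload(key, plaintext []byte, objectName string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenFromStore decrypts a blob fetched back from the provider; any change to
// the ciphertext, the tag or the object name is rejected by GCM.
func OpenFromStore(key, blob []byte, objectName string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	key, _ := GenerateCustomerKey()
	store := NewProviderStore()
	plaintext := []byte("constructed sample: Q3 payroll export") // constructed
	blob, _ := SealForUpload(key, plaintext, "payroll/q3.csv")
	store.Put("payroll/q3.csv", blob)

	stored, _ := store.Get("payroll/q3.csv")
	fmt.Println("provider store contains plaintext:", bytes.Contains(stored, plaintext))
	back, err := OpenFromStore(key, stored, "payroll/q3.csv")
	fmt.Printf("customer decrypts: %q (err=%v)\n", back, err)
	_, err = OpenFromStore(key, stored, "payroll/q2.csv")
	fmt.Println("renamed object rejected:", err != nil)
}
```

Because the provider never sees the key, a subpoena, a breach or a rogue administrator on the provider side yields only ciphertext; the trade-off is that the customer now owns key backup and rotation, which is exactly the "who controls the key" question the DropBox slide raises.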
Cloud Computing Cloud Practical Concerns
Cloud Practical Concerns Liability: What recourse actions (e.g., financial compensation, early exit of contracts, etc.) can we agree on in the event of a security incident or failure to meet the SLA? Under what conditions? Intellectual property: Can we stipulate in the SLA that all my data (or applications), including all replicated and redundant copies, are owned by me? Ensure that your service agreement does not lead you to relinquish any IP rights. What would be the recourse if the information was hosted on the vendor's server located in a different country where the IP laws are not as strict, and/or the vendor's servers/infrastructure are confiscated by legal authorities for any reason whatsoever? Scrutinize the language in the terms-of-service that governs the ownership of and rights to information that you place in the cloud. End of service support: Specify what the cloud vendor will deliver at the end of the service period. Will data be packaged and delivered back to me? If so, in what format? How soon will I have all my data back? Will any remaining copies of data be erased completely from your network? If so, how soon will it happen? Specify any fees that may be incurred at the end of the service. Source: Forrester Cloud Computing Checklist
Cloud Practical Concerns (Continued) Data Protection Data segregation: How do you separate my data from other customers? Data-at-rest protection: Where do you store my data? Encryption and data integrity; access control and authentication; documentation for auditors. Data-in-motion protection: How do you get data from me to you? How do you transfer data from one place to another? Data leak prevention capabilities (if applicable). Can any third party (your service providers) access my data, and how? Can you ensure all my data is erased at the end of service? Vulnerability Management: Show evidence of your vulnerability management program. How often do you scan for vulnerabilities on your network and applications? Can I conduct an external vulnerability assessment on your network, and how? What's your vulnerability remediation process?
Cloud Practical Concerns (Continued) Identity Management: Can you integrate directly with my directories, and how? Review the architecture of the integration; ensure it doesn't create a security risk for my own infrastructure. If you keep your own user accounts: How do you secure user IDs and access credentials? How do you handle user churn (e.g., provisioning and de-provisioning accounts)? Can you support SSO (single sign on), and which standards? Can you support federation, and which standards? Physical and personnel security: Restricted and monitored access to critical assets 24x7. If dedicated infrastructure is desired, ensure it is isolated, and ask how often you scan for vulnerabilities on your network and applications. Background checks for all relevant personnel? How extensive? Do you document employee access to customer data? Have you gone through an SSAE16 / SOC 1 / SOC 2 / SOC 3, Type I or Type II? Can you share the audit result?
Cloud Practical Concerns (Continued) Availability: How many nines do you guarantee in the SLA? What availability measures do you employ to guard against threats and errors? Do you use multiple ISPs? Do you have DDoS protection, and how? How do you secure user IDs and access credentials? Provide availability historical data. What is your downtime plan (e.g., service upgrade, patch, etc.)? What is your peak load, and do you have enough capacity for such a load? Application Security: Do you follow OWASP guidelines for application development? Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code? What about third-party apps (components) you use in your services? What application security measures (if any) do you use in your production environment (e.g., application-level firewall, database auditing)?
Cloud Practical Concerns (Continued) Incident Response: What is your procedure for handling a data breach? Can notification occur within a specified time period? In what format do notifications go out, and what info do they contain? Ensure that the vendor's incident response procedures do not violate our own incident response requirements. Privacy: Ensure that critical data (e.g., payment card numbers) is properly masked and only authorized individuals have access to the entirety of the data. Show me how you protect digital identities and credentials and use them in cloud applications. What data do you collect about me (logs, etc.)? How is it stored? How is the data used? How long will it be stored? What are the conditions under which third parties, including government agencies, might have access to my data? Can you guarantee that third-party access to shared logs and resources won't reveal critical information about my organization?
Cloud Practical Concerns (Continued) Business continuity and disaster recovery: Do you have any DR and BC planning documents, and can we review them? Ensure the procedures are at least as robust as our own. Can we do a BC audit? Where are your recovery data centers located? What service-level guarantee can you offer under DR conditions? Logs and audit trails: Can you accommodate timely forensic investigation (e.g., e-discovery)? Can we agree on provisions in the SLA for investigation? What would we have access to? How? How long do you keep logs and audit trails? Can you keep them as long as we desire? Can we have dedicated storage of logs and audit trails, and how? Show evidence of tamper-proofing for logs and audit trails. Specific compliance requirements: Are your data centers under local compliance requirements? If so, which ones? Do the local compliance requirements violate our own? Do you have an SSAE16 / SOC 1 / SOC 2 / SOC 3 report (if applicable)? Are you ISO 27001 compliant (if desired)?
Cloud Computing Cloud Security Considerations
Cloud Security Breach Examples Iran nuclear facility hit with malware that plays AC/DC. Facebook users face new email spam campaign delivering malware / Trojan; photo tag notifications appear to originate from Facebook.com. Yahoo, Twitter and LinkedIn passwords leaked. Flame toolkit / Stuxnet worm that attacked Iran centrifuges. Wikileaks unveils The Syria Files, its biggest data leak yet. Dropbox: possible security breach is to blame for a recent wave of spam e-mail. Vegas casino employee takes high-roller info via email.
Cloud Security Risk Mitigation Checklist Operations: process and checklists; enforcing accountability and reporting as in accounting. Anti-malware: covering workstations and servers; up to date and centrally monitored. Proactive patch management: evaluate and apply critical items in a timely manner; include all levels, including firmware. Unauthorized / unnecessary programs and services: resource intensive; both machine and human capital are wasted. Proactive monitoring: event monitoring, assessment, documentation, escalation, resolution. Privileged users: domain, enterprise and local admins; all systems considered, including infrastructure and databases; least privilege concept.
Cloud Security Risk Mitigation Checklist Authentication / Data Transmission: two-factor (e.g. token) is preferred; complex passwords, hashed and salted; encrypted transmission of data, HTTPS, SSL / TLS. Security Hardening and Standardization: checklist for setting up production servers, periodic monitoring for changes; consistency minimizes risk and streamlines troubleshooting. Change Management: changes to production are authorized, documented and tested; standards and corrections will remain in effect. Logical Access Provisioning: authorized and documented requests; least privilege concept; no modeling, use role based access instead. Training and Education: ongoing end user training; budget for and measurement of training results.
Cloud Security Configuration Checklist Integrate online sites with Active Directory. Implement IP restrictions. Secure employee computers and devices. Don't reuse user IDs and passwords across multiple sites. Provide training and alerts to address phishing and malware. Limit sessions with timeouts. Implement two factor authentication. Strengthen password policies. Require secure sessions (HTTPS / SSL). Maintain authorized contacts (especially security).
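Several items on this configuration checklist (IP restrictions, session timeouts, two factor authentication, password policy, HTTPS-only sessions) are mechanical enough to be evaluated by code at the point where a request reaches a cloud-hosted application. The Go program below is an added example, not the presenters' code or any vendor's API: a Policy struct holds the settings the checklist calls for, Evaluate returns every finding for an access request rather than stopping at the first, and CheckPasswordPolicy applies a minimum length and character-class rule. The CIDR ranges, timestamps and passwords are constructed sample values from the documentation ranges (TEST-NET-2 and TEST-NET-3); the policy thresholds are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"time"
	"unicode"
)

// Policy captures the checklist settings an administrator would configure.
type Policy struct {
	AllowedCIDRs   []string      // "Implement IP restrictions"
	IdleTimeout    time.Duration // "Limit sessions with timeouts"
	RequireTLS     bool          // "Require secure sessions (HTTPS / SSL)"
	RequireMFA     bool          // "Implement two factor authentication"
	MinPasswordLen int           // "Strengthen password policies"
}

// AccessRequest is what the application knows about an incoming session.
type AccessRequest struct {
	SourceIP     string
	TLS          bool
	MFACompleted bool
	LastActivity time.Time
}

// Evaluate returns one finding per violated control; an empty slice means the
// request satisfies the policy. The caller decides whether findings block the
// request or are logged for detection.
func Evaluate(p Policy, r AccessRequest, now time.Time) []string {
	var findings []string

	ip := net.ParseIP(r.SourceIP)
	if ip == nil {
		findings = append(findings, "source IP unparseable: "+r.SourceIP)
	} else if len(p.AllowedCIDRs) > 0 {
		allowed := false
		for _, cidr := range p.AllowedCIDRs {
			_, network, err := net.ParseCIDR(cidr)
			if err != nil {
				continue // a malformed policy entry never widens access
			}
			if network.Contains(ip) {
				allowed = true
				break
			}
		}
		if !allowed {
			findings = append(findings, "source IP outside allowed ranges: "+r.SourceIP)
		}
	}

	if p.RequireTLS && !r.TLS {
		findings = append(findings, "session is not over HTTPS")
	}
	if p.RequireMFA && !r.MFACompleted {
		findings = append(findings, "two factor authentication not completed")
	}
	if p.IdleTimeout > 0 && now.Sub(r.LastActivity) > p.IdleTimeout {
		findings = append(findings, fmt.Sprintf("session idle longer than %s", p.IdleTimeout))
	}
	return findings
}

// CheckPasswordPolicy enforces length plus upper, lower, digit and symbol classes.
func CheckPasswordPolicy(password string, minLen int) []string {
	var findings []string
	var upper, lower, digit, symbol bool
	for _, c := range password {
		switch {
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsLower(c):
			lower = true
		case unicode.IsDigit(c):
			digit = true
		default:
			symbol = true
		}
	}
	if len([]rune(password)) < minLen {
		findings = append(findings, fmt.Sprintf("shorter than %d characters", minLen))
	}
	if !upper || !lower {
		findings = append(findings, "needs both upper and lower case letters")
	}
	if !digit {
		findings = append(findings, "needs a digit")
	}
	if !symbol {
		findings = append(findings, "needs a symbol")
	}
	return findings
}

func main() {
	policy := Policy{AllowedCIDRs: []string{"198.51.100.0/24"}, IdleTimeout: 15 * time.Minute,
		RequireTLS: true, RequireMFA: true, MinPasswordLen: 12}
	now := time.Date(2013, 10, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	req := AccessRequest{SourceIP: "203.0.113.7", TLS: false, MFACompleted: false,
		LastActivity: now.Add(-45 * time.Minute)} // constructed request
	for _, f := range Evaluate(policy, req, now) {
		fmt.Println("finding:", f)
	}
	fmt.Println("password findings:", CheckPasswordPolicy("summer13", policy.MinPasswordLen))
}
```

Returning all findings at once is deliberate: for an audit or a SOC 2 control test you want the complete list of failed controls per request, not just the first one that tripped.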
Cloud Security Data Breaches privacyrights.org: its mission is to engage, educate and empower individuals to protect their privacy by identifying trends and communicating findings to advocates, policymakers, industry, media and consumers. Chronology of Data Record Breaches https://www.privacyrights.org/data-breach (running total shown: 617,070,844)
Cloud Computing Cloud Service Provider Compliance SOC 1 (SSAE16), SOC 2 & SOC 3
SOC Reporting Background Introduction of a New Standard Statement on Auditing Standards No. 70 (SAS 70) became the most widely recognized and requested attestation report, though it was not always the right type of report for the subject matter. The AICPA recognized a need to provide additional guidance to ensure the appropriate application of the SAS 70 standard.
SOC Reporting Background Introduction of a New Standard With its release of Statement on Standards for Attestation Engagements No. 16 (SSAE 16), the AICPA has replaced SAS 70. The AICPA recognized that service providers needed alternative reporting standards to report on controls other than those related to financial reporting. The AICPA created new terminology: Service Organization Control (SOC) reports.
SOC Reporting Background Diverse industries utilizing SOC reports Payroll Providers SaaS providers Direct Mailers Fulfillment Companies Data Centers Third Party Administrators Investment Managers Transfer Agents E-business Platforms Healthcare providers
SOC 1 (SSAE16) Reports American Institute of CPAs (AICPA); Auditing Standards Board (ASB); Statement on Standards for Attestation Engagements (SSAE); International Federation of Accountants (IFAC); International Auditing and Assurance Standards Board (IAASB); International Financial Reporting Standards (IFRS); International Standard on Assurance Engagements (ISAE)
SOC 1 (SSAE16) Reports Key highlights: Management must include an assertion. Management is to identify risks that Control Objectives will not be achieved. Management is to have a basis for their assertion. The auditor's opinion is on management's assertion. The opinion covers the Design, Suitability, and Completeness (type 2). Description of the Service Organization's System. Changes to Scope During the Reporting Timeframe. Disclosing the reliance on the work of Internal Audit. User Control Considerations are now called Complementary User Entity Controls.
SOC 1 (SSAE16) Reports In a Type 2 report, the opinion covers: operating effectiveness, suitability of the design, and the fair presentation of the system implemented, throughout the entire reporting period. Significant changes to systems (including controls) need to be included in the description. Changes in scope after the auditor is engaged will require a reasonable basis.
SOC 1 (SSAE16) Reports Policies, procedures, and practices need to be documented. SSAE 16 defines the service organization's System as "the policies and procedures designed, implemented and documented, by management of the service organization to provide user entities with the services covered by the service auditor's report." Paragraph 2, parts a and b, state that the focus of this SSAE is on controls at a service organization likely to be relevant to user entities' internal control over financial reporting.
SOC 1 (SSAE16) Reports Service Organization Responsibilities
SOC 1 (SSAE16) Service Org. Responsibilities Three basic areas 1. Provide a description of its system 2. Provide a written assertion in the report 3. Maintain the environment and plan for changes
SOC 1 (SSAE16) System Description What is the system? Policies and procedures designed, implemented, and documented by management of the service organization. Includes the infrastructure, software, people, and data that support them. Services provided, including types of transactions. Related processes or controls which affect transaction processing or services.
SOC 1 (SSAE16) System Description The service organization needs to provide adequate detail to allow the user of the report to understand the nature of services provided and the flow of transactions from initiation through reporting: initiation; recording; approval; posting or processing; how errors and significant events are handled; processes related to reporting transactions.
SOC 1 (SSAE16) System Description Control objectives must be identified. Significant changes in the system during the time period must be described. But what are significant changes? Who determines what is a significant change?
SOC 1 (SSAE16) Mgmt. Assertion
Management will need to prepare a written assertion on:
The fair presentation of the description of the service organization's system
The suitability of the design of controls
The operating effectiveness of controls for the timeframe of the report (Type 2 only)
The service auditor will attest to management's assertion
SOC 1 (SSAE16) Mgmt. Assertion
For a Type 2 report, the assertion must be provided as of the beginning of the report timeframe
The service auditor cannot begin until the written assertion has been received
The assertion will need to be reaffirmed through written representations at the conclusion of the engagement
Management must also present the basis for the assertion:
Monitoring activities
Internal audit
Other testing
The service auditor's report on controls is not considered adequate in providing a basis for management's assertion.
SOC 1 (SSAE16) Mgmt. Assertion
Similar to the assertion required under SOX Section 302
Is a separate component in the report and can be included with the description of systems
Signed by a member of management
Communicates management's responsibility for the description of the system
Communicates achievement of the evaluation criteria of the description of the system
SOC 1 (SSAE16) Mgmt. Assertion
Gives management more involvement in setting depth and breadth of coverage in the report
Places the burden on the service organization's management to explicitly acknowledge responsibility
Requires management to provide a written statement to the auditor as of the first day of coverage, which will be included in the report
SOC 1 (SSAE16) Identifying the Criteria
Used in:
Preparing the description
Evaluating if the controls were suitably designed to meet the control objectives
Evaluating if the controls were operating effectively
SSAE 16 references AT 101 for the definition of criteria (paragraphs 23, 24 and 33)
SOC 1 (SSAE16) AT 101 Criteria
.23 The third general standard is: "The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users."
Suitability of Criteria (.24): Criteria are the standards or benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. Suitable criteria must have each of the following attributes:
Objectivity: criteria should be free from bias
Measurability: criteria should permit reasonably consistent measurement, qualitative or quantitative, of the subject matter
Completeness: criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about the subject matter are not omitted
Relevance: criteria should be relevant to the subject matter
SOC 1 (SSAE16) AT 101 Criteria
Availability of Criteria (.33): The criteria should be available to users in one or more of the following ways:
Available publicly
Available to all users through inclusion in a clear manner in the presentation of the subject matter or in the assertion
Available to all users through inclusion in a clear manner in the practitioner's report
Well understood by most users, although not formally available (for example, "The distance between points A and B is twenty feet": the criterion of distance measured in feet is considered to be well understood)
SOC 1 (SSAE16) Design, Implement, Maintain Controls Continue daily operations, ensuring controls are operating as designed and evidence documenting effectiveness of controls is retained and organized.
SOC 1 (SSAE16) Changes to Scope
The service auditor and service organization need to agree on and specify the scope and timeframe of the report before beginning the audit
A reasonable basis is required to modify the scope or alter the timeframe the report covers once the auditor is engaged
Example of a reasonable basis for a change in scope: sale or purchase of a division that is significant to the controls and control objectives
Example of an unacceptable change: altering the scope or timeframe to avoid a qualification to the opinion
Service Organization Responsibilities
Provide a description of its system
Specify the control objectives of the system and include those control objectives in the description of the system
Identify significant changes in the system or controls
Provide a written assertion in the report
Have a basis for providing the assertion
Identify the criteria used in preparing the description, evaluating if the controls were suitably designed to meet the control objectives, and evaluating if the controls were operating effectively
Identify the risks that threaten the achievement of the control objectives
Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved
Manage changes to the scope of the report
Engagement Planning
Service auditors will need to be engaged with their clients early in the process. Their planning will include:
Reviewing the service organization assertion
Documenting the scope and control objectives to be covered
Understanding the basis for the assertion: linking existing controls and testing to control objectives and controls
Understanding the risks that could prevent the control objectives from being achieved
Understanding the criteria for evaluating the control objectives (AT 101)
Obtaining an understanding of the system
Assessing materiality
Engagement Planning: ICFR / IT General Control Relationship (diagram)
Significant accounts in financial statements: Balance Sheet, Income Statement, Cash Flows, Disclosures, Forecasting & Budgeting
Business processes / transaction classes (one or more processes feeding the financial statements)
Internal controls over financial reporting: financial applications (Application X, Application Y, Application Z) with application controls
IT infrastructure (database, operating system, network, physical) with general controls
SOC 2 & 3 Reports
These reports cover subject matter that is not relevant to control over financial reporting.
They address controls at a service organization that are pertinent to the joint AICPA-Canadian Institute of Chartered Accountants (CICA) Trust Services Principles and Criteria. These principles include the following:
Security
Availability
Processing Integrity
Confidentiality
Privacy
SOC 2 Reports (Continued)
These reports focus on the Trust Services Principles and may be beneficial to a broad audience.
Management identifies one or more Trust Services Principles that it believes it has achieved and the criteria upon which it will base its assertion of achievement.
Intended for user organization management, but other stakeholders (e.g., business partners, customers) along with regulators knowledgeable about the subject matter and the criteria may also benefit.
SOC 2 Reports (Continued)
These reports are similar in structure to a SOC 1 report:
The independent service auditor's report
Management's assertion letter
A description of the system
A section containing the service auditor's tests of the operating effectiveness of controls and the related test results (Type 2 report only)
SOC 3 Reports
These reports are structured differently than SOC 2 reports, which allows for much broader use.
SOC 3 reports are short-form reports that include only a service auditor's opinion and a management assertion.
SOC 3 reports do not include a description of the system or a detailed description of tests of controls and related test results.
SOC 3 reports may be used by a broad audience, as they may be accessed through a link/seal posted on a service organization's website(s).
SOC Report Decision Making Process The decision around which report to use begins with an assessment of needs:
SOC Report Decision Making Process (Continued) The needs of service organizations often extend beyond the scope of SOC 1:
What if needs are not met by SOC?
Alternatives:
AT 101
AT 601
Agreed Upon Procedures
ISAE 3402
ISO 27002/3
Factors To Consider
Adopting SOCs will take some time
Management needs to document an assertion
Identify the basis for the assertion
Expand the description of controls into the description of systems
Identify risks
Ensure the control objectives and related controls will be controls they believe their user organization auditors will be interested in for the financial audit of the user organizations
Clients should work closely with their auditors throughout the timeframe for a Type 2 report
Identify changes to controls and systems, determine if they are significant, and discuss those changes with the auditor
You may need multiple reports
Consider other alternatives
Discussion / Q&A?
Contact Information Ad Information Technology Jerry Jones, CPA, CISA, CISM, CGEIT, CRISC jjones@adinformationtechnology.com 404-822-6495 Matisse Long, CPA mlong@adinformationtechnology.com 404-849-6437
AdIT Practice Areas
Governance, Risk & Compliance Services
Process Optimization Services
Financial and IT Risk Assessments
Business, Financial and IT Process and Control Improvement
Financial and IT Sarbanes-Oxley (SOX)
IT Department and Personnel Evaluations
IT Infrastructure Assessment
IT New Hire / Candidate Skillset Evaluations
Outsourced Internal Audit Services
IT Strategic Planning
Data Security and Privacy
Part-Time / Interim IT Director and CIO
IT General & Application Controls Testing (non-SOX)
IT Maturity Model Assessments
IT Audit Specialist Support for CPA Firms
Financial and IT Policy / Procedure Development
SOC 1 (SSAE 16), SOC 2, SOC 3 Pre-Assessment, Remediation and Audits
IT Project Planning and Management
IT Managed Services
IT Data Mining and Analysis (IDEA, ACL, and SQL)
Technology Research
IT Issue and Incident Root Cause Analysis & Remediation
Cloud Computing Consulting
Enterprise Risk Management (ERM)
Disaster Recovery and Business Continuity Planning and Testing
IT Vendor / Product Selection
Baseline Builder ("Baseline Builder") promotes effective and practical internal controls while helping to support efficient governance, risk management and compliance ("GRC") processes. Baseline Builder has also allowed many organizations to significantly improve the efficiency of GRC tasks, and the accuracy and retention of documentation. Customer reviews and feedback help confirm that the application is streamlined, clean and very responsive. By leveraging the latest technology, including ASP.NET and SQL Server, the application provides one of the most effective processes for implementing and maintaining a governance, risk and compliance program. Unlike typical in-house solutions, data and documentation are centrally managed in a database that allows for intuitive IT general, application, financial and operational control activity tracking, maintenance and reporting.