IIA & ISACA Seminar
Service organization control reports: SOC 2/SOC 3 common criteria and new requirements to consider for 2015

April 8, 2015

kpmg.com


© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 362335

Contents

■ SOC overview

■ Summary of SOC 2/SOC 3 principles and criteria

■ Overview trust services principles – 2014 revision

■ Enhanced SOC 2 reporting – Alignment with relevant standards/frameworks

■ Scoping considerations

■ Industry activities – Recent KPMG Webcasts

■ Questions


SOC overview


Service organization control (SOC) reports

Report: SOC 1
Scope/focus: Internal control over financial reporting
Summary: Detailed report for customers and auditors. Focused on financial reporting risks and controls specified by the service provider.
Applicability: Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
Standard: ISAE 3402 (or local equivalent) or SSAE 16

Report: SOC 2
Scope/focus: Security, availability, processing integrity, confidentiality and/or privacy
Summary: Detailed report for customers and specified parties. Focused on security, confidentiality, availability, processing integrity and/or privacy.
Applicability: Applicable to a broad variety of systems.
Standard: AT101 under guidance of AAG-SOP March 2012; ISAE 3000

Report: SOC 3
Scope/focus: Short report that can be generally distributed, with the option of displaying a web site seal for engagements based on AT101 only
Summary: Same as above without disclosing detailed controls and testing.
Applicability: Optionally, the service provider can post a Seal if they receive an unqualified opinion.
Standard: AT101 under the guidance of TSP100; ISAE 3000 (or local equivalent)


Contrasting SOC 2/SOC 3 and SOC 1 report scope

Required focus
SOC 2/SOC 3: ■ Operational controls
SOC 1: ■ ICOFR

Defined scope of system
SOC 2/SOC 3: ■ Infrastructure ■ Software ■ Procedures ■ People ■ Data
SOC 1: ■ Classes of transactions ■ Procedures for processing and reporting transactions ■ Accounting records of the system ■ Handling of significant events and conditions other than transactions ■ Report preparation for users ■ Other aspects relevant to processing and reporting user transactions

Control domains covered
SOC 2/SOC 3: ■ Security ■ Availability ■ Confidentiality ■ Processing integrity, and/or privacy
SOC 1: ■ Transaction processing controls ■ Supporting IT general controls

Level of standardization
SOC 2/SOC 3: ■ Principles selected by service provider ■ Predefined criteria used rather than control objectives
SOC 1: ■ Control objectives defined by service provider and may vary depending on the type of service provided


SOC reports for different scenarios

SOC 1 – financial reporting controls

■ Financial services
■ Asset management and custody services
■ Healthcare claims processing
■ Payroll processing
■ Payment processing

Control focus: Financial process and supporting system controls

SOC 2/SOC 3 – operational controls

■ Cloud ERP service
■ Data center co-location
■ IT systems management
■ Cloud-based services (SaaS, PaaS, IaaS)
■ HR services
■ Security services
■ E-mail, collaboration, and communications
■ Any service where customers’ primary concern is security, availability, or privacy

Control focus: Security, Availability, Confidentiality, Processing integrity, Privacy


Summary of SOC 2/ SOC 3 principles and criteria


Principles and criteria topics

Principles vs. criteria?

■ Trust services principles are used to describe the overall objective

– The practitioner's opinion makes reference only to the criteria

■ Criteria are benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter

– The criteria are supported by controls that, if operating effectively, enable a system to meet the criteria

– TSP 100 requires the identification of risks that threaten the achievement of the criteria

– TSP 100 requires that risks be linked to criteria and that controls be linked to risks


SOC 2/SOC 3 Principles (overview)

■ May apply to any type of system, not just financial reporting systems

Principles: Security, Availability, Confidentiality, Processing integrity, Privacy


SOC 2/SOC 3 Security principle

Trust services principle: The system is protected against unauthorized access, use or modification.

Applicability:

Most commonly requested area of coverage.

The security principle is made up of the common criteria only and does not have additional criteria.

Applicable to all outsourced environments, particularly where enterprise customers require assurance regarding the service provider’s security controls for any system, nonfinancial or financial.


SOC 2/SOC 3 Availability principle

Trust services principle: The system is available for operation and use as committed or agreed.

Applicability:

Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering.

Most applicable where enterprise customers require assurance regarding processes to achieve system availability SLAs as well as disaster recovery, which could not be covered in an SSAE 16.


SOC 2/SOC 3 Confidentiality principle

Trust services principle: Information designated as confidential is protected as committed or agreed.

Applicability:

Third most commonly requested area of coverage, particularly where customers want assurance over protecting information provided to the service provider.

Most applicable where the customer requires additional assurance regarding the service provider’s practices for protecting sensitive business information.


SOC 2/SOC 3 Processing Integrity principle

Trust services principle: System processing is complete, valid, accurate, timely, and authorized.

Applicability:

Potentially applicable for a wide variety of nonfinancial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing.


SOC 2/SOC 3 Privacy principle

GAPP: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA. These principles and criteria were not affected by the TSP 100 update.

Applicability:

Most applicable where the service provider interacts directly with end customers and gathers their personal information.

Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program.


Overview trust services principles – 2014 revision


Trust services principles – 2014 revision

■ The trust services principles and criteria were revised by the AICPA effective for SOC 2/3 reports with periods ending on or after December 15, 2014.

■ The criteria were revised to reduce duplication, improve consistency in reporting, and reduce errors.

■ Common criteria framework is used for security, availability, processing integrity, and confidentiality principles.

■ Unique, specific criteria are applicable for the availability, processing integrity, and confidentiality principles.

■ The criteria are arranged into seven (7) common criteria categories that apply to the security, availability, processing integrity, and confidentiality principles.

■ The privacy criteria are currently under revision by the AICPA, and additional guidance will be provided at a later date. Until then, the 2009 version of the generally accepted privacy principles should be used.


SOC 2/SOC 3 report overview – 2014 revision

■ The common criteria constitute the complete set of criteria for the security principle, and set the foundation for the availability, processing integrity, and confidentiality principles

■ There are seven common criteria categories consistent with the COSO framework:

– Organization and management

– Communications

– Risk management and design and implementation of controls

– Monitoring of controls

– Logical and physical access controls

– System operations

– Change management


Significant changes – 2014 revision

2009 version of the criteria

Security

■ Security policies

■ Security awareness and communication

■ Risk assessment

■ Threat identification

■ Information classification

■ Logical access

■ Physical access

■ Security monitoring

■ Incident management

■ Encryption

■ Personnel

■ Systems development and maintenance

■ Configuration management

■ Change management

■ Monitoring/compliance

Availability

■ Availability policy

■ Backup and restoration

■ Environmental controls

■ Disaster recovery

Confidentiality

■ Confidentiality policy

■ Confidentiality of inputs, data processing, and outputs

■ Information disclosures

■ Confidentiality of information in systems development

Processing integrity

■ System processing integrity policies

■ Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs

■ Information tracing from source to disposition

Privacy

■ Management

■ Notice

■ Choice and consent

■ Collection

■ Use and retention

■ Access

■ Disclosure to third parties

■ Security for privacy

■ Quality

■ Monitoring and enforcement


Significant changes – 2014 revision (continued)

2014 version of the criteria

Common criteria (apply to security, availability, confidentiality, and processing integrity)

■ Organization and management

■ Communications

■ Risk management and design and implementation of controls

■ Monitoring of controls

■ Logical and physical access controls

■ System operations

■ Change management

Additional criteria

■ Security: N/A

■ Availability: Specific incremental availability criteria

■ Confidentiality: Specific incremental confidentiality criteria

■ Processing integrity: Specific incremental processing integrity criteria

The privacy criteria continue to maintain a separate criteria structure.

■ Management

■ Notice

■ Choice and consent

■ Collection

■ Use and retention

■ Access

■ Disclosure to third parties

■ Security for privacy

■ Quality

■ Monitoring and enforcement


Significant changes – 2014 revision (continued)

Summary of major changes

Major topic Key changes

Reorganization of criteria for ease of use

■ Reorganized to simplify and remove redundancy between principles

Greater emphasis on risk assessment and internal monitoring

■ Added more specific risk assessment criteria

■ Added periodic evaluation of design/operating effectiveness of controls

■ Added monitoring of vendors for confidentiality

Clarification of various criteria

■ Removed listing of required policy topics

■ Clarified communication requirements – internal vs. external

■ Clarified intent of procedural criteria throughout

■ Clarified monitoring criteria


Enhanced SOC 2 reporting – Alignment with relevant standards/ frameworks


SOC 2 enhanced reporting

■ Where there are common customer requirements/requests, it may be beneficial for the service provider to include additional details in the SOC 2 report to demonstrate alignment with one or more relevant standards/frameworks (e.g., ISO 27001, Cloud Security Alliance Cloud Controls Matrix, PCI-DSS, etc.).

■ If the referenced standards/frameworks are more detailed than the SOC 2 Trust Services criteria, it may be necessary to include more granular controls within the SOC 2 report to enable a more complete mapping.

SAMPLE – Relation of service provider’s controls to <specify standard/framework>

Service provider has developed its controls to align with the <specify standard/framework>. Included below is a mapping of the <specify standard/framework> topics to related service provider controls covered in this report.

Specific topics/requirements from <specify standard/framework>   SOC 2 criteria   Related service provider controls
Sec 1.1                                                          1.01, 1.02       Control description included.
Sec 1.2                                                          1.03             Control description included.
Sec 1.3                                                          1.02             Control description included.


Mapping to ISO 27001:2013 controls

Ref.   Approx. # of requirements   Domain                                                           SOC 2/SOC 3 primary reference
A.5    2                           Information security policies                                    Common
A.6    7                           Organization of information security                             Common
A.7    6                           Human resources security                                         Common
A.8    10                          Asset management                                                 Common
A.9    14                          Access control                                                   Common
A.10   2                           Cryptography                                                     Common
A.11   15                          Physical and environmental security                              Common
A.12   14                          Operations security                                              Common
A.13   7                           Communications security                                          Common
A.14   13                          System acquisition, development, and maintenance                 Common
A.15   5                           Supplier relationships                                           Common
A.16   7                           Information security incident management                         Common
A.17   4                           Information security aspects of business continuity management   Availability
A.18   8                           Compliance                                                       Common
Total  114

An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common and availability criteria align with the ISO 27001:2013 control objective topics.


Mapping to CSA cloud controls matrix (CCM) v3.0

Ref.   Approx. # of requirements   Domain                                                    SOC 2/SOC 3 primary reference
AIS    4                           Application & interface security                          Common/Integrity
AAC    3                           Audit assurance & compliance                              Common
BCR    11                          Business continuity management & operational resilience   Availability
CCC    5                           Change control & configuration management                 Common/Availability
DSI    7                           Data security & information lifecycle management          Common/Confidentiality/Integrity
DSC    9                           Datacenter security                                       Common/Confidentiality/Availability
EKM    4                           Encryption & key management                               Common/Confidentiality
GRM    11                          Governance and risk management                            Common/Confidentiality
HRS    11                          Human resources                                           Common


Mapping to CSA cloud controls matrix (CCM) v3.0 (continued)

Ref.   Approx. # of requirements   Domain                                                          SOC 2/SOC 3 primary reference
IAM    13                          Identity & access management                                    Common
IVS    13                          Infrastructure & virtualization security                        Common/Availability
IPY    5                           Interoperability & portability                                  None identified
MOS    20                          Mobile security                                                 None identified
SEF    5                           Security incident management, e-discovery & cloud forensics     Common/Confidentiality/Availability/Integrity
STA    9                           Supply chain management, transparency and accountability        Common/Confidentiality/Availability
TVM    3                           Threat and vulnerability management                             Common
Total  133

An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common, integrity, availability, and confidentiality criteria align with the CSA CCM v3.0 requirements.


Mapping to PCI data security standard (DSS) v3.0

Ref.   Approx. # of requirements   Domain                            SOC 2/SOC 3 primary reference
1      23                          Firewall                          Common
2      12                          System passwords                  Common
3      22                          Protect stored cardholder data    Common
4      4                           Encryption                        Common
5      6                           Antivirus                         Common
6      28                          Development and maintenance       Common
7      10                          Access restrictions               Common
8      23                          Unique IDs                        Common
9      27                          Physical access                   Common
10     32                          Monitoring                        Common
11     16                          Testing                           Common
12     39                          Security policy                   Common
Total  242

An enhanced SOC 2 report can show how the service provider’s SOC 2 controls to achieve the common criteria align with the PCI DSS v3.0 requirements.


Scoping considerations


Typical SOC 2/SOC 3 scoping considerations

■ Services/applications provided

■ Supporting infrastructure

■ Locations

■ Subservice providers

■ Applicable principles

■ Enhanced reporting—inclusion of other information regarding alignment with other standards/frameworks


Criteria approach

Criteria specific:

■ Each criterion should be treated like a SOC 1 control objective

– Identify the threats that may cause the criterion not to be met (while some will be similar for all clients, others may vary significantly based on the service offered, customer agreements, and industry)

– Identify the key controls that address those threats (some controls may be non-key across every criterion for the selected principle(s); judgment should be applied to determine whether such orphaned controls need to be removed)

– This requirement may surface material gaps in a service organization’s ability to meet the principle

– Perform this exercise early in the planning phase to avoid material gaps
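The linkage the slides ask for (risks tied to criteria, controls tied to risks, and a decision on orphaned controls) is mechanical enough to check automatically. The following is an added illustration, not code from KPMG, the AICPA or TSP 100: it takes a small constructed control matrix and reports criteria no risk threatens, risks with no key control, orphaned controls, and references to risks or criteria that were never defined. Every identifier in it (criteria ids such as CC-access, risk ids R1–R3, control numbers 1.01 and so on) is made up for the example.

```python
"""Risk-to-criteria-to-control linkage check (added illustration).

Constructed example, not KPMG's or the AICPA's code. It models the TSP 100
requirement that risks be linked to criteria and controls to risks, and the
"criteria specific" scoping steps on the slide: identify threats per
criterion, identify the key controls that address them, and decide what to
do about orphaned controls. All identifiers below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    criteria: frozenset  # criteria this risk threatens (constructed ids)


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    key: bool            # key control vs. non-key (supporting) control
    risks: frozenset     # risks this control addresses (constructed ids)


def check_linkage(criteria, risks, controls):
    """Return the linkage gaps for one principle's control matrix.

    criteria_without_risk:     in-scope criteria that no identified risk threatens
    risks_without_any_control: risks nothing addresses (a design gap)
    risks_without_key_control: risks addressed only by non-key controls
    orphaned_controls:         controls linked to no known risk
    dangling_references:       risk/criteria ids referenced but never defined
    """
    in_scope = set(criteria)
    risk_ids = {r.risk_id for r in risks}
    threatened = set()
    for r in risks:
        threatened |= r.criteria
    addressed_any, addressed_key = set(), set()
    for c in controls:
        addressed_any |= c.risks
        if c.key:
            addressed_key |= c.risks
    orphaned = [c.control_id for c in controls if c.risks.isdisjoint(risk_ids)]
    return {
        "criteria_without_risk": sorted(in_scope - threatened),
        "risks_without_any_control": sorted(risk_ids - addressed_any),
        "risks_without_key_control": sorted(risk_ids - addressed_key),
        "orphaned_controls": sorted(orphaned),
        "dangling_references": sorted((threatened - in_scope) | (addressed_any - risk_ids)),
    }


def sample_matrix():
    """A constructed matrix for four made-up criteria ids."""
    criteria = ["CC-access", "CC-change", "CC-ops", "A-recovery"]
    risks = [
        Risk("R1", "Unauthorized logical access to customer data", frozenset({"CC-access"})),
        Risk("R2", "Unapproved changes deployed to production", frozenset({"CC-change"})),
        Risk("R3", "Outage exceeding the committed recovery time", frozenset({"A-recovery"})),
    ]
    controls = [
        Control("1.01", "Access requests approved by the data owner", True, frozenset({"R1"})),
        Control("1.02", "Quarterly user access review", True, frozenset({"R1"})),
        Control("2.01", "Change tickets peer reviewed before deployment", False, frozenset({"R2"})),
        Control("3.01", "Visitor badge log retained", True, frozenset()),
        Control("9.99", "Control copied from another report", True, frozenset({"R7"})),
    ]
    return criteria, risks, controls


def run_sample():
    """Run the check over the constructed matrix."""
    return check_linkage(*sample_matrix())


if __name__ == "__main__":
    for gap, items in run_sample().items():
        print(f"{gap}: {', '.join(items) or 'none'}")
```

Run against the sample, the check flags CC-ops (no risk identified), R3 (no control at all), R2 (covered only by a non-key control, which the slides say may need to be promoted into the report), controls 3.01 and 9.99 as orphaned, and R7 as a reference to a risk that was never inventoried. Doing this in planning, before the examination period starts, is what the last bullet above is asking for.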


Engagement approach considerations

Concluding on criteria:

■ Suitability of design

– Appropriateness of controls based on service, industry, and customer commitments

■ Need to gain an understanding of the commitments to the users of the system

■ While many controls will apply to nearly all service providers, some will vary based on the service offered and the industry the service organization is serving

– Threat inventory and determination of whether a control is a key control

■ Key controls may work in tandem and require multiple key controls to adequately address the threat

■ Key controls should primarily be reported on, although some non-key controls may be included if determined appropriate (enhanced reporting)

■ Assess whether the risks are adequately addressed or if more controls are required


Engagement approach considerations (continued)

Concluding on criteria:

■ Operating effectiveness

– Operational period of the control

■ Need to assess whether the controls were in place throughout the entire examination period

– Periodic controls need to demonstrate activity in all periods (sampling risk is generally greatest in the most recent period; however, for first-year reports with a control change, the earliest period carries significant risk)

– Event-based controls should be in place from the period start (for example, change management and incident reporting)


Engagement approach considerations (continued)

Exceptions

■ Similar treatment; however, now we must consider the risk that the criteria may not be met.

– Tie back to the identified risks

– Assess whether sufficient compensating controls exist to mitigate the risks, including non-key controls

– Determine whether the non-key controls should be included in the scope of the report

– Assess whether something did go wrong as a result of the control exception

– Even if the exception sample didn’t have any impact, it doesn’t mean that the criterion was met


Industry activities – Recent KPMG Webcasts


Industry activities – Recent KPMG Webcasts

Webcast Link to playback

Effectively using SOC1, SOC 2 and SOC3 reports for increased assurance over outsourced operations (April 2012)

http://www.kpmginstitutes.com/advisory-institute/events/soc-reporting.aspx

SOC2 reports to address industry requirements for assurance over outsourced operations (October 2012)

http://www.kpmginstitutes.com/advisory-institute/events/webcast-soc2-assurance-over-outsourced-operations.aspx

SOC 2 frequently asked questions (November 2012)

http://www.kpmginstitutes.com/advisory-institute/events/soc-2-frequently-asked-questions.aspx

Enabling vendor risk and compliance management using SOC2 and SOC 3 reports (July 2013)

http://www.kpmginstitutes.com/advisory-institute/events/webcast-vendor-risk-compliance-soc2-soc3.aspx

SOC2, SOC3 in Europe – Virtual meeting (February 2014)

http://www.kpmg.com/NL/nl/IssuesAndInsights/ArticlesPublications/Documents/PDF/IT-Advisory/SOC2.pdf


Questions?

Matt Tobey
[email protected]


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.