1 SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers
August 2014
2 Agenda
Overview of Cloud Computing
Importance of Third Party Risk Management
SOC Reports – A Method of Third Party Risk Management
Alignment of Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) and SOC 2 Trust Services Principles (TSP)
Summary and Conclusion
Q&A
3 What is Cloud Computing?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
5 Opportunities
Cost savings – Customers pay only for the computing resources used. There are no physical space requirements or utility costs. All dollars are expensed (that is, they receive a U.S. tax benefit).
Speed of deployment – The time to fulfill requests for computing power and applications can shrink from months to weeks, weeks to days, and days to hours.
Scalability and better alignment of technology resources – Companies can scale their capacity up or down without capital expenditures.
Decreased effort in managing technology – Cloud computing gives the organization more time to focus on its core purpose and goals, more consistent technology upgrades, and expedited fulfillment of IT resource requests.
Environmental benefits – Significant adoption of cloud computing should yield less overall power consumption, fewer carbon emissions, and less physical land use.
6 Risks
Some of the typical risks associated with cloud computing are:
Disruptive force
Residing in the same risk ecosystem as the cloud service provider (CSP) and other tenants of the cloud
Lack of transparency
Reliability and performance issues
Vendor lock-in and lack of application portability and interoperability
Security and compliance concerns
Creation of high-value cyber-attack targets
Risk of data leakage
IT organizational changes
Viability of the CSP
7 Changes in the Operating Environment With Cloud Computing
Risks and other cloud computing effects should be incorporated in ERM programs.
Organizations can engage cloud computing solutions while bypassing normal management oversight controls.
Cloud computing solutions a) are easily adopted within a short period of time, b) require a small monetary investment, and c) involve very few personnel.
10 Shared Control Environment Risk Profile
Impact of CSPs and fellow cloud tenants
Using cloud computing converts an organization’s internal environment into a combination of its own internal environment and the internal environment of the contracted CSP.
Why both?
Data and processes are hosted in a shared environment with other cloud tenants.
Behavior and events of the CSP and fellow tenants could have a direct impact on the organization.
11 Cloud Governance
“Cloud governance” refers to the controls and processes in place for cloud planning and strategy, vendor selection, contract negotiation, implementation, operation, monitoring, and the possible termination and transition of cloud services.
12 Investing in Third Party Risk Management – Disruption of Service
13 Investing in Third Party Risk Management – Data Breach
“On average, third party errors increased the cost of data breach by as much as $43 per record in the US”
Source: “2013 Cost of Data Breach Study: Global Analysis”, Ponemon Institute, sponsored by Symantec, May 2013
14 Third-Party Risk Management Concerns
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, sponsored by Crowe Horwath LLP
15 Third Party Risk Management Activities
The vendor management activities performed should be based on the risk associated with the vendor.
In order to ensure the risks of outsourcing cloud services are properly addressed, organizations should consider performing the following activities:
Review the cloud provider’s policies and procedures
Request that the cloud provider respond to internal control questionnaires
Perform an onsite review of cloud provider operations
Review a Service Organization Control (SOC) report
Organizations can use SOC reports to obtain a level of comfort over a cloud provider’s controls related to security, availability, processing integrity, confidentiality and privacy.
The CSA issued a position paper in February 2013 stating that a SOC 2 Type 2 report should meet the vendor management needs of cloud users. (https://cloudsecurityalliance.org/download/csa-position-paper-on-aicpa-service-organization-control-reports/)
16 Service Organization Controls (SOC) Reports – Overview
The AICPA created separate reports on internal controls over financial reporting and reports on other types of controls.
The AICPA has added additional reporting options. The three reporting options now are:
SOC 1
SOC 2
SOC 3
17 Types of SOC Reports
SOC 1 – Internal controls related to financial reporting – SSAE 16 / AT 801
SOC 2 – Trust Services Principles – Restricted use report – AT 101
SOC 3 – Trust Services Principles – General use report – AT 101
18 Who May Need to Issue a SOC 2 Report?
Organizations that need to demonstrate how they process transactions and/or data on behalf of their customers
Organizations that need to demonstrate how their security controls operate
Organizations that need to demonstrate how their controls related to system availability function
Organizations that need to demonstrate how their controls related to data privacy or confidentiality operate
A Cloud Service Provider fits these characteristics!
19 Trust Services Principles
Security – The system is protected against unauthorized access (both physical and logical).
Availability – The system is available for operation and use as committed or agreed to.
Processing Integrity – System processing is complete, accurate, timely, and authorized.
Confidentiality – Information designated as confidential is protected as committed or agreed to.
Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).
20 Relationship Between Principles, Criteria and Controls
21 Example Criteria and Illustrative Controls
Security Principle – Criteria 3.3
Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Illustrative Controls:
Physical access to the computer rooms, which house the entity's IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.
Physical access cards are managed by building security staff. Access card usage is logged. Logs are maintained and reviewed by building security staff.
Requests for physical access privileges to the entity's computer facilities require the approval of the manager of computer operations.
Documented procedures exist for the identification and escalation of potential physical security breaches.
Offsite media are stored in locked containers in secured facilities. Physical access to these containers is restricted to facilities personnel and employees authorized by the manager of computer operations.
22 Example Criteria and Illustrative Controls
Security Principle – Criteria 3.4
Procedures exist to protect against unauthorized access to system resources.
Illustrative Controls:
Login sessions are terminated after three unsuccessful login attempts. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific "client" software and user ID and passwords.
Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.
Unneeded network services (for example, telnet, ftp, and http) are deactivated on the entity's servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.
Intrusion detection systems are used to provide continuous monitoring of the entity's network and early identification of potential security breaches.
The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.
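Two of the illustrative controls on this slide (sessions terminated after three failed logins; unneeded services deactivated and checked against an authorized list) can be tested mechanically rather than by reading policy. The script below is an added example, not part of the original presentation or of any AICPA or CSA material: it compares a host's listening TCP ports against a constructed authorized-services list, and scans constructed OpenSSH-style auth log lines for any account that authenticated successfully after three or more consecutive failures, which is what you would expect to see if the lockout control had not operated. The port list, the socket output (shaped like `ss -Hltn`) and the log lines are all constructed inline so it runs offline; the interpretation of "terminated after three attempts" as an account lockout is an assumption stated in the code.

```python
"""Control tests for two illustrative SOC 2 Security controls (added example).
(1) Only authorized services are listening on the host.
(2) No account logs in successfully after >= 3 consecutive failed attempts.
Sample inputs are constructed; on a real host feed it `ss -Hltn` output
and the sshd lines of /var/log/auth.log instead.
"""
import re
from collections import defaultdict

# Constructed "listing of required and authorized services" kept by IT, by port.
AUTHORIZED_PORTS = {22: "ssh", 443: "https"}

# Constructed socket inventory in the shape of `ss -Hltn` (listening TCP).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
"""

# Assumption: the slide's "terminated after three unsuccessful attempts" is
# treated as an account lockout threshold, not just a dropped connection.
MAX_FAILED_ATTEMPTS = 3


def listening_ports(ss_text):
    """Set of local ports with a LISTEN socket, parsed from ss-style lines."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is "addr:port" or "[::]:port"; the port is after the last colon.
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def unauthorized_services(ss_text, authorized=AUTHORIZED_PORTS):
    """Ports that are listening but absent from the authorized list (the finding)."""
    return sorted(listening_ports(ss_text) - set(authorized))


# Constructed auth-log lines in OpenSSH's format (host name and PID trimmed).
AUTH_LOG = """\
Aug 01 09:00:01 sshd: Failed password for alice from 203.0.113.5 port 50210 ssh2
Aug 01 09:00:05 sshd: Failed password for alice from 203.0.113.5 port 50211 ssh2
Aug 01 09:00:09 sshd: Accepted password for alice from 203.0.113.5 port 50212 ssh2
Aug 01 09:01:00 sshd: Failed password for bob from 198.51.100.7 port 40001 ssh2
Aug 01 09:01:03 sshd: Failed password for bob from 198.51.100.7 port 40002 ssh2
Aug 01 09:01:06 sshd: Failed password for bob from 198.51.100.7 port 40003 ssh2
Aug 01 09:01:09 sshd: Failed password for bob from 198.51.100.7 port 40004 ssh2
Aug 01 09:01:12 sshd: Accepted password for bob from 198.51.100.7 port 40005 ssh2
"""

LOG_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")


def lockout_violations(log_text, limit=MAX_FAILED_ATTEMPTS):
    """(user, source, failures) for every successful login that followed `limit`
    or more consecutive failures for that user: evidence the lockout did not fire."""
    streak = defaultdict(int)   # consecutive failures per user, reset on success
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            streak[user] += 1
        else:
            if streak[user] >= limit:   # the account should have been locked by now
                violations.append((user, src, streak[user]))
            streak[user] = 0
    return violations


if __name__ == "__main__":
    print("unauthorized listening ports:", unauthorized_services(SS_OUTPUT))
    print("lockout violations:", lockout_violations(AUTH_LOG))
```

On the constructed input the service check flags ports 21, 23 and 80 (ftp, telnet, http: exactly the "unneeded services" the slide names), and the lockout check flags bob, who was accepted on his fifth attempt after four failures, while alice (two failures, then success) is within policy. Output like this is the kind of dated, reproducible evidence a service auditor testing these controls wants to see, and the same script re-run each review cycle turns the "list is reviewed on a routine basis" control into something with a record.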
23 SOC 2 Report Sections
Service Auditor’s Opinion
Management’s Assertion
Description of Systems
Test Results
Complementary Controls
Other Information
24 Cloud Control Matrix (CCM)
Developed by the Cloud Security Alliance (CSA)
Establishes a controls framework for cloud providers to follow
Based on industry-accepted control frameworks such as ISO 27001/27002, ISACA COBIT and NIST
Provides guidance in the following domains:
Application and Interface Security
Audit Assurance and Compliance
Business Continuity Management & Operational Resilience
Change Control & Configuration Management
Data Security & Information Lifecycle Management
Datacenter Security
Encryption and Key Management
Governance and Risk Management
Human Resources
Identity and Access Management
Infrastructure & Virtualization Security
Interoperability & Portability
Mobile Security
Security Incident Management, E-Discovery & Cloud Forensics
Supply Chain Management, Transparency and Accountability
Threat and Vulnerability Management
25 CCM Controls Map to SOC 2 Criteria
CCM – Change Control and Configuration Management
Control Specification:
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
SOC 2 TSP Criteria:
(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.
(S3.12.0) Procedures exist to maintain system components, including configurations consistent with the defined system security policies.
(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
26 CCM Controls Map to SOC 2 Criteria
CCM – Datacenter Security
Control Specification:
Physical access to information assets and functions by users and support personnel shall be restricted.
SOC 2 TSP Criteria:
(S3.3.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
27 SOC Report Review
Organizations should obtain and formally review SOC reports.
The review should focus on the following:
Report type – Type 1 or Type 2
Areas of coverage / scope
Opinion – unqualified or qualified
Subservice organizations
Description of systems content
Test results / impact of exceptions noted
Evaluation of user control considerations – more emphasis should be placed on this component
28 Summary and Conclusion
Cloud computing services affect TPRM activities.
SOC reports are one component of TPRM activities.