Published by Augustus Eldred
The Unique Alternative to the Big Four ®
SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers
August 2014
© 2014 Crowe Horwath LLP | Audit | Tax | Advisory | Risk | Performance

Agenda
- Overview of Cloud Computing
- Importance of Third Party Risk Management
- SOC Reports – A Method of Third Party Risk Management
- Alignment of Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) and SOC 2 Trust Services Principles (TSP)
- Summary and Conclusion
- Q&A
What is Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
What is Cloud Computing (figure slide)
Opportunities
- Cost savings – Customers pay only for the computing resources used. There are no physical space requirements or utility costs. All dollars are expensed (that is, receive a U.S. tax benefit).
- Speed of deployment – The time to fulfill requests for computing power and applications can change from months to weeks, weeks to days, and days to hours.
- Scalability and better alignment of technology resources – Companies can scale their capacity up or down without capital expenditures.
- Decreased effort in managing technology – Cloud computing gives the organization more time to focus on its core purpose and goals, more consistent technology upgrades, and expedited fulfillment of IT resource requests.
- Environmental benefits – Significant adoption of cloud computing should yield less overall power consumption, carbon emissions, and physical land use.
Risks
Some of the typical risks associated with cloud computing are:
- Disruptive force
- Residing in the same risk ecosystem as the cloud service provider (CSP) and other tenants of the cloud
- Lack of transparency
- Reliability and performance issues
- Vendor lock-in and lack of application portability and interoperability
- Security and compliance concerns
- Creation of high-value cyber-attack targets
- Risk of data leakage
- IT organizational changes
- Viability of the CSP
Changes in the Operating Environment With Cloud Computing
- Risks and other cloud computing effects should be incorporated in ERM programs.
- Organizations can engage cloud computing solutions while bypassing normal management oversight controls, because cloud computing solutions a) are easily adopted within a short period of time, b) require a small monetary investment, and c) involve very few personnel.
Shared Control Environment (figure slide)
Risk Levels – Shared Control Environment (figure slide)
Shared Control Environment Risk Profile
Impact of CSPs and fellow cloud tenants: using cloud computing converts an organization’s internal environment into a combination of its own internal environment and the internal environment of the contracted CSP.
Why both?
- Data and processes are hosted in a shared environment with other cloud tenants.
- Behavior and events of the CSP and fellow tenants could have a direct impact on the organization.
Cloud Governance
"Cloud governance" refers to the controls and processes in place for cloud planning and strategy, vendor selection, contract negotiation, implementation, operation, monitoring, and the possible termination and transition of cloud services.
Investing in Third Party Risk Management – Disruption of Service (figure slide)
Investing in Third Party Risk Management – Data Breach
“On average, third party errors increased the cost of data breach by as much as $43 per record in the US”
Source: “2013 Cost of Data Breach Study: Global Analysis”, sponsored by Symantec, May 2013, Ponemon Institute
Third-Party Risk Management Concerns (figure slide)
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, sponsored by Crowe Horwath LLP
Third Party Risk Management Activities
- Vendor management activities performed should be based on the risk associated with the vendor.
- In order to ensure the risks of outsourcing cloud services are properly addressed, organizations should consider performing the following activities:
  - Review the cloud provider’s policies and procedures
  - Request that the cloud provider respond to internal control questionnaires
  - Perform an onsite review of cloud provider operations
  - Review a Service Organization Control (SOC) Report
- Organizations can use SOC reports to obtain a level of comfort over a cloud provider’s controls related to security, availability, processing integrity, confidentiality, and privacy.
Service Organization Controls (SOC) Reports – Overview
- The AICPA created separate reports on internal controls over financial reporting and reports on other types of controls.
- The AICPA has added additional reporting options. The three reporting options now are:
  - SOC 1
  - SOC 2
  - SOC 3
Types of SOC Reports
- SOC 1 – Internal controls related to financial reporting – SSAE 16 / AT 801
- SOC 2 – Trust Services Principles; restricted use report – AT 101
- SOC 3 – Trust Services Principles; general use report – AT 101
Who May Need to Issue a SOC 2 Report?
- Organizations that need to demonstrate how they process transactions and/or data on behalf of their customers
- Organizations that need to demonstrate how their security controls operate
- Organizations that need to demonstrate how their controls related to system availability function
- Organizations that need to demonstrate how their controls related to data privacy or confidentiality operate
A Cloud Service Provider Fits These Characteristics!
Trust Services Principles
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed to.
- Processing Integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed to.
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).
Relationship Between Principles, Criteria and Controls
Principle -> Criteria -> Controls
Example Criteria and Illustrative Controls
Security Principle – Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Illustrative Controls:
- Physical access to the computer rooms, which house the entity's IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.
- Physical access cards are managed by building security staff. Access card usage is logged. Logs are maintained and reviewed by building security staff.
- Requests for physical access privileges to the entity's computer facilities require the approval of the manager of computer operations.
- Documented procedures exist for the identification and escalation of potential physical security breaches.
- Offsite media are stored in locked containers in secured facilities. Physical access to these containers is restricted to facilities personnel and employees authorized by the manager of computer operations.
Example Criteria and Illustrative Controls
Security Principle – Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.
Illustrative Controls:
- Login sessions are terminated after three unsuccessful login attempts.
- Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific "client" software and user ID and passwords.
- Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.
- Unneeded network services (for example, telnet, ftp, and http) are deactivated on the entity's servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.
- Intrusion detection systems are used to provide continuous monitoring of the entity's network and early identification of potential security breaches.
- The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.
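The "unneeded network services are deactivated" control above is one an auditor can test with evidence rather than interview alone. The script below is an added example, not part of the slides or Crowe Horwath's material: it parses a listing of listening sockets (a constructed `ss -tlnp` style sample, assumed format) and reconciles it against the IT department's authorized-services list, flagging telnet, ftp and http listeners or anything else not on the list as exceptions for the report.

```python
"""Reconcile listening network services against an authorized-services list.

Added example supporting the SOC 2 Security criterion 3.4 illustrative
control: unneeded services (telnet, ftp, http) are deactivated and the
IT department maintains a list of required and authorized services.
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tlnp`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("in.telnetd",pid=901,fd=4))
LISTEN  0       5       0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=915,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1020,fd=6))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1020,fd=7))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1100,fd=5))
"""

# The IT department's authorized-services list (constructed for this example):
# (port, process name) pairs that management has approved.
AUTHORIZED = {(22, "sshd"), (443, "nginx"), (5432, "postgres")}
# Services the illustrative control names as unneeded; reported by name.
DISCOURAGED_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# One LISTEN row: address:port, peer, then the first process name in users:(...)
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


def parse_listeners(text: str) -> list:
    """Parse LISTEN rows from ss-style output into Listener records."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return found


def find_exceptions(listeners, authorized=AUTHORIZED) -> list:
    """Return (listener, reason) for every listener not on the authorized list."""
    findings = []
    for lst in listeners:
        if (lst.port, lst.proc) in authorized:
            continue
        reason = DISCOURAGED_PORTS.get(lst.port, "not on authorized list")
        findings.append((lst, reason))
    return findings


if __name__ == "__main__":
    for lst, reason in find_exceptions(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"EXCEPTION {lst.addr}:{lst.port} ({lst.proc}): {reason}")
```

In practice the authorized list would be loaded from the controlled document management reviews, and the listener sample replaced by the real command output collected as audit evidence.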
SOC Report Sections
SOC 2 Report Sections:
- Service Auditor’s Opinion
- Management’s Assertion
- Description of Systems
- Test Results
- Complementary Controls
- Other Information
Cloud Control Matrix (CCM)
- Developed by the Cloud Security Alliance (CSA)
- Establishes a controls framework for cloud providers to follow
- Based on industry accepted control frameworks such as ISO 27001/27002, ISACA COBIT and NIST
- Provides guidance in the following domains:
  1. Application and Interface Security
  2. Audit Assurance and Compliance
  3. Business Continuity Management & Operational Resilience
  4. Change Control & Configuration Management
  5. Data Security & Information Lifecycle Management
  6. Datacenter Security
  7. Encryption and Key Management
  8. Governance and Risk Management
  9. Human Resources
  10. Identity and Access Management
  11. Infrastructure & Virtualization Security
  12. Interoperability & Portability
  13. Mobile Security
  14. Security Incident Management, E-Discovery & Cloud Forensics
  15. Supply Chain Management, Transparency and Accountability
  16. Threat and Vulnerability Management
CCM Controls Map to SOC 2 Criteria
CCM – Change Control and Configuration Management
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
SOC 2 TSP Criteria:
- (S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.
- (S3.12.0) Procedures exist to maintain system components, including configurations consistent with the defined system security policies.
- (S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
CCM Controls Map to SOC 2 Criteria
CCM – Datacenter Security
Control Specification: Physical access to information assets and functions by users and support personnel shall be restricted.
SOC 2 TSP Criteria:
- (S3.4.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
SOC Report Review
Organizations should obtain and formally review SOC reports. The review should focus on the following:
- Report Type: Type 1 or Type 2
- Areas of Coverage/Scope
- Opinion: Unqualified or Qualified
- Subservice Organizations
- Description of Systems Content
- Test Results/Impact of Exceptions Noted
- Evaluation of User Control Considerations
Summary and Conclusion
Questions
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International.
© 2014 Crowe Horwath LLP
For more information, contact: Jeff Palgon Direct