Post on 16-Feb-2017
transcript
SOC 2 and You | 1
Overview & Updates
SOC 2 and You
Introduction
Instructors
Debbie Zaller, Principal (completed SOC projects: 945)
Danny Manimbo, Manager (completed SOC projects: 185)
Agenda
01. Background / Overview of SOC 2
02. The AICPA Framework
03. Purpose and Scope
04. The Anatomy
05. Considerations
06. Mapping – Other Standards
07. Q/A
01. Background & Overview
Growth & Popularity
Service Auditors
Service Providers
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
User Entities
Why Do You Need a SOC Report?
• Regulatory requirements
• User entity mandates
• Vendor management programs
• Due diligence
• Independent 3rd party opinion
• Competition and market
Overview
• What is a SOC 2 report?
• How does a SOC 2 differ from a SOC 1 report?
• SOC 2 versus SOC 3
02. Overview of the AICPA Framework
AICPA SOC Framework
Applicable          SOC-1                           SOC-2                            SOC-3
Standard/Guidance   SSAE 16: AICPA Guide (2013)     AT 101: AICPA Guide (2013)       AT 101: Technical Practice Aid (2014)
Scope               ICFR                            Security/Systems, Privacy        Security/Systems, Privacy
Criteria            Control Objectives              Trust Services Principles/GAPP   Trust Services Principles/GAPP
Usage of report     User auditor, user entity,      Knowledgeable parties            Anyone
                    management of SO
03. Purpose & Scope
Purpose
• What does SOC 2 cover?
Scope
• System
• Boundaries
• Commitments
• System Requirements
Principles
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
Principles
Common Criteria (Security):
1: Organization & Mgmt
2: Communications
3: Risk Mgmt & Controls
4: Monitoring of Controls
5: Logical and Physical Access
6: System Operations
7: Change Management
Principles
Availability: Common Criteria + 3
Processing Integrity: Common Criteria + 6
Confidentiality: Common Criteria + 6
Privacy: Common Criteria + 74
Report Type
• Type 1
• Type 2
04. The Anatomy
Report Structure
Service Auditor’s Report – “The Opinion”
Management’s Assertion
Description of the System
Tests of Controls and Corresponding Results
Additional Information – Provided by Service Organization
Service Auditor’s Report
• Unqualified vs. Qualified
Management’s Assertion
• Commitment - suitability and accuracy
• Subservice organizations
System Description
• Management’s objective description of the services provided to user entities
• Components of a System Description
Test of Controls / Results
• Test procedures
• Results
• Deviations / Exceptions
Intended Use
• Management of service organization
• User entities of the services
• Other knowledgeable parties
05. Considerations
Relevance To The User
• RFP requirements
• Customer mandates
• Regulatory needs
• Vendor management process
Understanding Reporting
• SOC 1 vs. SOC 2
• AT 101
• AT 601
• Agreed Upon Procedures
• Readiness Assessment
• PCI
Education & Preparedness
• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor
Control Environment
• Start-up
• Developing systems
• No customers yet
• Lack of documentation / evidence
• No monitoring of controls
Carve-out vs. Inclusive
• Subservice organization
• Carve-out method emphasis
• Inclusive method requirements
Risk Assessment & Scope
• Identify in-scope services
• Select physical locations
• Identify subservice organizations
• Identify risks
• Document processes
• Identify control activities
• Identify timeline
Readiness Assessment
• Internally
• Service auditors
Remediation
• Policies / Procedures
• Segregation of duties
• Monitoring
Audit Firm Selection
• Licensed CPA firm
• Independent
• Single vendor approach
• Audit team
06. Mapping to Other Standards
Other Standards
• SOC 1
• ISO 27001
• HIPAA
• HITRUST
• PCI
07. Questions & Answers
Join Us Next Time
Locking Up Your Cloud Environment:
Get Vital Information on ISO 27017 and ISO 27018
March 25th
www.schellmanco.com/resources
Debbie Zaller
debbie.zaller@schellmanco.com
866.254.0000 ext. 117
Danny Manimbo
danny.manimbo@schellmanco.com
866.254.0000 ext. 110
THANK YOU