SOC 2 ATTESTATION FOR CLOUD
www.accedere.us [email protected] Page 2
INTRODUCTION
Data breaches and cloud service abuse rank among the greatest cyber security threats. To illustrate the potential magnitude of this threat, a recent incident showed how a virtual machine could use side-channel timing information to extract private cryptographic keys in use by other VMs on the same server. A malicious hacker wouldn't necessarily need to go to such lengths to pull off that sort of feat, though. If a multitenant cloud service database isn't designed properly, a single flaw in one client's application could allow an attacker to get at not just that client's data, but every other client's data as well.
The challenge in addressing these threats of data loss and data leakage is that "the measures you put in place to mitigate one can exacerbate the other". You could encrypt your data to reduce the impact of a breach, but if you lose your encryption key, you lose your data. However, if you opt to keep offline backups of your data to reduce data loss, you increase your exposure to data breaches.
Data security and privacy are increasing challenges in today's cloud-based environments. Providing independent third party assurance such as a SOC 2 report helps address these concerns and helps Cloud Service Providers (CSPs) stay ahead of the competition.
CSA AND CLOUD
Cloud Security Alliance (CSA) has determined that for
most cloud providers, a SOC 2 Type 2 attestation
examination conducted in accordance with AICPA standard
SSAE 18 utilizing the CSA Cloud Controls Matrix (CCM) as
additional suitable criteria is likely to meet the assurance
and reporting needs of the majority of users of cloud
services.
NIST’s Visual definition of cloud
• IAAS Infrastructure As A Service. The capability
provided to the consumer is to provision processing,
storage, networks, and other fundamental computing
resources where the consumer is able to deploy and
run arbitrary software, which can include operating systems and applications.
CSA recommends the AICPA’s SOC2 reporting for Cloud environments
• PAAS Platform As A Service. The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using programming languages
and tools supported by the provider.
• SAAS Software As A Service. The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure.
• More recently, further terms such as DRaaS (Disaster Recovery as a Service) and IDaaS (Identity as a Service) have come into use.
Cloud Models for Security Control & Compliance
CLOUD CONTROLS MATRIX (CCM)
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide
fundamental security principles to guide cloud vendors and to assist prospective cloud customers in
assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework
that gives detailed understanding of security concepts and principles that are aligned to the Cloud
Security Alliance guidance. The foundations of the Cloud Security Alliance Controls Matrix rest on its
customized relationship to other industry-accepted security standards, regulations, and controls
frameworks such as the
• ISO 27001/27002,
• ISACA COBIT,
• PCI,
• NIST,
• Jericho Forum and
• NERC CIP
and will augment or provide internal control direction for service organization control reports
attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with
the needed structure, detail and clarity relating to information security tailored to the cloud industry.
The CSA CCM strengthens existing information security control environments by emphasizing
business information security control requirements, reduces and identifies consistent security threats
and vulnerabilities in the cloud, provides standardized security and operational risk management, and
seeks to normalize security expectations, cloud taxonomy and terminology, and security measures
implemented in the cloud.
Cloud STAR Certification Roadmap
CSA STAR is the industry’s most powerful program for assurance in the cloud. STAR encompasses key
principles of transparency, rigorous auditing, harmonization of standards and eventually continuous
monitoring. The best practices and initial level can be achieved at no cost, and we encourage
providers and consumers to adopt STAR to enable trust in cloud computing.
CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to
conduct SOC 2 engagements using criteria from the AICPA SSAE 18 and the CSA Cloud Controls
Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud
providers.
www.cloudsecurityalliance.org/star/attestation/
Cloud STAR Attestation for Level 2
Security, Trust and Assurance Registry (STAR) is a CSA initiative. STAR Attestation is positioned as STAR Certification at Level 2 of the Open Certification Framework, and STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. STAR Attestation is based on Type 2 SOC attestations supplemented by the criteria in the Cloud Controls Matrix (CCM). This assessment:
• Is based on a mature attest standard
• Allows for immediate adoption of the CCM as additional criteria and the
flexibility to update the criteria as technology and market requirements
change
• Does not require the use of any criteria that were not designed for, or readily
accepted by cloud providers
• Provides for robust reporting on the service provider’s description of its system and on the service
provider’s controls, including a description of the service auditor’s tests of controls in a format
very similar to the now obsolete SAS 70 reporting format and current SOC reporting, thereby
facilitating market acceptance.
• STAR Attestation builds on the key strengths of SOC 2.
ISO 27001 vs SOC 2 for Step 2 of CSA Framework

| Sr. No | Area | ISO 27001 | SOC 2 Type II |
|---|---|---|---|
| 1 | Standard | International Standard ISO/IEC 27001, Second Edition 2013-10-01, ISMS (Information Security Management Systems) | Trust Services Principles and Criteria for Security, Availability, Process Integrity, Confidentiality and/or Privacy |
| 2 | Governance | ANSI-ASQ National Accreditation Board (ANAB) | AICPA |
| 3 | Purpose | Assist the organization's management in establishing and certifying an ISMS that meets specified requirements and can be certified as best practice | Assist the service organization's management in reporting to customers that it has met established security criteria that ensure the system is protected against unauthorized access |
| 4 | Applicability | ISMS for the organization | System description by management |
| 5 | Period covered | Point in time, i.e. as on a date | Period of time, i.e. for the period ended xxxx (date) |
| 6 | Objective | Establish, implement, maintain and improve the ISMS | Measure a service organization against specific security principles and criteria |
| 7 | Certification validity | Re-certified every 3 years | Certified every 1 year (or 6 months) |
| 8 | Audit frequency | Surveillance audit conducted annually | Continuous monitoring during the period |
| 9 | Certified/attested by | ISO accredited registrar certification | Attestation by a licensed CPA |
| 10 | Nature of testing | Design effectiveness | Design effectiveness and operating effectiveness |
| 11 | Controls in report | Details of controls not provided | Details of controls provided |
| 12 | Focus | Organization's ability to maintain an ISMS | Technology and the processes behind the security of the specific service |
| 13 | Report | Single page certification | Report containing the auditor's opinion, management's assertion, description of controls, user control considerations, tests of controls, and results |
| 14 | Difficulty to achieve | Higher | Moderate |
| 15 | Structure | Information security framework | Principles and criteria |
SOC 2 for other Compliance & Assurance
The SOC 2 Attestation allows for the inclusion of other standards as "Additional Subject Matter", such as Cloud STAR, PCI DSS, ISO 27001, NIST, etc. We can partner with other auditors such as QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.
SOC 2 and "Additional Subject Matter" engagements can be undertaken jointly with your existing auditors. At the end of the engagement, organizations receive a SOC 2 report that covers a period of time AND they receive separate reports covering the other standards, i.e. a PCI-DSS Report on Compliance (ROC) and/or an ISO 27001 certificate.
In a nutshell, use the SOC 2 Type II report as the assurance wrapper for any or all of the following:
• ISO 27001
• CSA CCM
• PCI-DSS
• HIPAA/HITRUST
• NIST 800-53
WHY SOC 2 FOR CLOUD SECURITY
• A Service Organization Controls (SOC) 2 report for privacy is based on the American Institute of Certified Public Accountants (AICPA) SSAE 18 attest standard and the Trust Services Criteria.
• SOC 2 is an attest engagement: one in which a practitioner is engaged to issue an examination of an assertion about subject matter that is the responsibility of another party (the organization being reported on, e.g. for outsourced services).
• SOC 2 may be applied selectively, specifically covering security and privacy in the scope of the engagement. GAPP can also be applied to the whole organization or selectively to the organization's web site, covering online collection of Personally Identifiable Information (PII).
• The AICPA's SSAE 18 attestation standard allows a CPA to attest to an entity's compliance with the requirements of a specified law. Organizations may be able to have their privacy controls examined for regulations such as HIPAA, GLBA and other applicable privacy laws.
SOC 2 Type II can currently provide more reasonable assurance for cloud security for the following reasons:
Additional Benefits of SOC 2 for Cloud
Having a SOC 2 can give your organization a competitive edge. A process-driven, well-defined SOC 2 can reduce the insider threat in your organization. Knowing how much extra value and assurance a SOC 2 can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping companies be more thorough and thoughtful in how they approach their audits.
• Helps in building trust
• Differentiates you from peers
• Provides management insight into the effectiveness of controls and possible areas for improvement
• Provides independent assurance by a CPA
• Allows the service organization to meet regulatory/contractual requirements
• Provides a level of comfort over the control consciousness of the service organization and its services
• Carries more weight than a self-assessment
• Can include the Cloud Controls Matrix (CCM), other cloud requirements or any other compliance requirements
• Joint audit work serves as the basis for the multiple reports that you receive
• Solid detail and strong standards for your compliance needs
• Inclusion of cloud standards like CCM
• Little to no risk: very high reliability provided by period-of-time testing
• Specific reports to satisfy everybody
• International acceptance
Difference between SOC 1 and SOC 2 for Cloud
SOC 1 is applicable for Internal Controls over Financial Reporting (ICFR). If your processes are related to financial data, then you may choose SOC 1 reporting. If your processes relate to the Trust Services Criteria of Security, Availability, Process Integrity, Confidentiality and/or Privacy, then choose SOC 2. Many cloud providers may need to choose both.
• SOC 2 Type II can cover the entire year, and the effectiveness of the controls in place can be reported
• It is a third party period-of-time assessment and so provides accountability
• Since it is a period-of-time assessment, it is closer to continuous compliance, with low risk and high reliability
• Most other assurance programs or audits are only at a point in time
• Comprehensive framework for security and privacy by AICPA and CICA
• Provides a high reliability SOC 2 seal by AICPA
WHY SOC 2 FOR CLOUD PRIVACY
SOC 2 reporting helps you in providing assurance for compliance with privacy laws in the cloud.
Violation of privacy laws can lead to civil and/or criminal penalties. For example:
• In 2014 Australia made changes to its Privacy Act that can lead to civil penalties of up to $1.7 million for companies
• In the US, for HIPAA privacy, the criminal provisions can lead to penalties of up to $250,000 (max. $1.5 million p.a.) and imprisonment of up to 10 years
• Countries such as Canada too are reforming their privacy provisions
Examples of Cloud providers:
SCOPE OF WORK (SOW) FOR SOC 2 FOR CLOUD
Cloud Controls CCM
When following the SOC 2 Attestation route for achieving the CSA STAR Certification Framework it is
required to include the Controls Domains described by the CCM under the SOW. The CSA CCM
provides a controls framework that gives detailed understanding of security concepts and principles
that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud
Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted
security standards, regulations, and controls frameworks.
IT General Controls (ITGC)
The AICPA's SSAE 18 defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the scope of the SOC 2, the client's operations and the Trust Services Criteria. The relationship between the service organization and the user organizations must be reviewed, by examining the Service Level Agreements (SLAs) or End User Licensing Agreements (EULAs), to help determine the controls that should be included in the engagement. The following outlines typical categories of control activities that are included in the description of controls for some SOC engagements:
• Logical security (security administration / passwords)
• Physical and environmental security
• Network security (firewalls, intrusion prevention)
• Change management
• Data retention and storage
• Disaster recovery / business continuity
• System documentation
OUR PROJECT EXECUTION METHODOLOGY
Plan
• Understanding the client entity and environment
• Define scope, expectations and project roles
• Readiness assessment, if required
• Kick off meeting with stakeholders
• Preliminary interviews / questionnaires conducted to gain understanding of requirements
• Client information request list prepared and distributed
• Analysis of client-prepared information performed and client feedback provided
• Project timeline (including estimates of client hours) / plan created
• Update plan based on client discussions
Deliver
• Understanding and verifying documentation of existing internal controls
• Perform walkthrough
• Assess risks
• Identifying the control objectives and controls in place
• Conduct interviews
• Request samples
• Validation of the implementation of controls
Assess
• Evaluate samples
• Analyse samples for effectiveness
• Request additional info
• Test results communicated and exceptions resolved, if possible
Report
• Evaluate additional info
• Request clarifications
• System description and management assertions drafted by client management with inputs from the audit team
• Issue draft report
• Incorporate management comments and issue final report
• Ongoing support
• Answer questions from management and user auditors
VALUE DELIVERY
Knowing how much extra value and assurance a SOC can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping organizations be more thorough and thoughtful in how they approach their engagement.
Preparing for a SOC reporting engagement is a matter of clear thinking and smart planning. Working with specialized cyber security consultants such as ours helps you dig into areas such as data security, incident response, change management processes and much more.
We provide an end-to-end process for SOC engagements. With rapid cloud adoption and the increased use of big data, cloud security and privacy concerns are on the rise. We can conduct integrated information security engagements together with privacy engagements.
Some of the advantages of working with us are:
A. End-to-end process for SOC reporting and attest services; project management methodology consistently applied to each engagement
B. Efficient service delivery with minimal disruption to operations; our engagements are executed by senior, experienced professionals
C. 15 years of information security and cyber security experience; reduced time to complete assignments
D. Licensed CPA and security professionals to execute projects and provide attest reports; prompt service, with engagements completed in record time
E. Ongoing support: we are with you whenever you need us; our services are competitively priced compared with the big names, providing a higher ROI
To discuss your specific needs, please email [email protected]
Disclaimer: The content contained in this document is for information only and should not be construed as advice or an opinion. The rules are subject to change; for the latest information please visit the official websites. In no way is Accedere responsible for the information contained in this document or for any use of or reliance on it. A formal Scope of Work shall be signed, which should be referred to for any specific services offered.