
www.accedere.us [email protected]

06.01.2017

SOC 2 Attestation for Cloud


INTRODUCTION

Data breaches and cloud service abuse rank among the greatest cyber security threats. To illustrate the potential magnitude of this threat, a recent incident described how a virtual machine could use side-channel timing information to extract private cryptographic keys in use by other VMs on the same server. A malicious hacker wouldn't necessarily need to go to such lengths to pull off that sort of feat, though. If a multitenant cloud service database isn't designed properly, a single flaw in one client's application could allow an attacker to get at not just that client's data, but every other client's data as well.

The challenge in addressing these threats of data loss and data leakage is that "the measures you put in place to mitigate one can exacerbate the other". You could encrypt your data to reduce the impact of a breach, but if you lose your encryption key, you'll lose your data. However, if you opt to keep offline backups of your data to reduce data loss, you increase your exposure to data breaches.

Data security and privacy are increasing challenges in today's cloud-based environments. Providing an independent third party assurance such as a SOC 2 report helps address these concerns and helps Cloud Service Providers (CSPs) stay above the competition.

CSA AND CLOUD

Cloud Security Alliance (CSA) has determined that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard SSAE 18, utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria, is likely to meet the assurance and reporting needs of the majority of users of cloud services.

NIST's visual definition of cloud

• IAAS (Infrastructure As A Service). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

• PAAS (Platform As A Service). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.

• SAAS (Software As A Service). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.

• Recently, more terms are in the buzz, such as DRaaS (Disaster Recovery As A Service), IDaaS (Identity as a Service), etc.

CSA recommends the AICPA's SOC 2 reporting for cloud environments

Cloud Models for Security Control & Compliance

CLOUD CONTROLS MATRIX (CCM)

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as:

• ISO 27001/27002

• ISACA COBIT

• PCI

• NIST

• Jericho Forum

• NERC CIP

It will augment or provide internal control direction for service organization control reports attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Cloud STAR Certification Roadmap

CSA STAR is the industry's most powerful program for assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards and eventually continuous monitoring. The best practices and initial level can be achieved at no cost, and we encourage providers and consumers to adopt STAR to enable trust in cloud computing.

CSA STAR Attestation

CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA SSAE 18 and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers.

www.cloudsecurityalliance.org/star/attestation/

Cloud STAR Attestation for Level 2

Security, Trust and Assurance Registry (STAR) is a CSA initiative. The STAR Attestation is positioned as STAR Certification at Level 2 of the Open Certification Framework, and STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. STAR Attestation is based on Type 2 SOC attestations supplemented by the criteria in the Cloud Controls Matrix (CCM). This assessment:

• Is based on a mature attest standard

• Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change

• Does not require the use of any criteria that were not designed for, or readily accepted by, cloud providers

• Provides for robust reporting on the service provider's description of its system and on the service provider's controls, including a description of the service auditor's tests of controls in a format very similar to the now obsolete SAS 70 reporting format and current SOC reporting, thereby facilitating market acceptance.

• STAR Attestation builds on the key strengths of SOC 2.

ISO 27001 v/s SOC 2 for Step 2 of CSA Framework

1. Standard
   ISO 27001: International Standard ISO/IEC 27001, Second Edition 2013-10-01, ISMS (Information Security Management Systems)
   SOC 2 Type II: Trust Services Principles and Criteria for Security, Availability, Process Integrity, Confidentiality and/or Privacy

2. Governance
   ISO 27001: ANSI-ASQ National Accreditation Board (ANAB)
   SOC 2 Type II: AICPA

3. Purpose
   ISO 27001: Assist organization's management in establishment and certification of an ISMS that meets specified requirements and is able to be certified as best practice
   SOC 2 Type II: Assist service organization's management in reporting to customers that it has met established security criteria that ensure that the system is protected against unauthorized access

4. Applicability
   ISO 27001: ISMS for the organization
   SOC 2 Type II: System description by management

5. Period Covered
   ISO 27001: Point in time, i.e. as on a date
   SOC 2 Type II: Period of time, i.e. for the period ended xxxx (date)

6. Objective
   ISO 27001: Establish, implement, maintain, and improve the ISMS
   SOC 2 Type II: Measure a service organization against specific security principles and criteria

7. Period Covered
   ISO 27001: Re-certified every 3 years
   SOC 2 Type II: Certified every 1 year (or 6 months)

8. Audit Frequency
   ISO 27001: Surveillance audit conducted annually
   SOC 2 Type II: Continuous monitoring during the period

9. Certified/Attested by
   ISO 27001: ISO Accredited Registrar certification
   SOC 2 Type II: Attestation by a Licensed CPA

10. Nature of Testing
   ISO 27001: Design effectiveness
   SOC 2 Type II: Design effectiveness and operating effectiveness

11. Controls in report
   ISO 27001: Details of controls not provided
   SOC 2 Type II: Details of controls provided

12. Focus
   ISO 27001: Organization's ability to maintain an ISMS
   SOC 2 Type II: Technology and the processes behind the security of the specific service

13. Report
   ISO 27001: Single page certification
   SOC 2 Type II: Report containing the auditor's opinion, management's assertion, description of controls, user control considerations, tests of controls, and results

14. Difficulty to Achieve
   ISO 27001: Higher
   SOC 2 Type II: Moderate

15. Structure
   ISO 27001: Information Security Framework
   SOC 2 Type II: Principles and Criteria

SOC 2 for other Compliance & Assurance

The SOC 2 Attestation allows for inclusion of other standards as "Additional Subject Matter", such as Cloud STAR, PCI DSS, ISO 27001, NIST, etc. We can partner with other auditors such as QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.

SOC 2 and "Additional Subject Matter" engagements can be undertaken jointly with your existing auditors. At the end of the engagement, organizations receive a SOC 2 report that covers a period of time AND they receive separate reports covering the other standards, i.e. PCI-DSS (ROC) and/or ISO 27001 Certificate.

In a nutshell, use the SOC 2 Type II report as the assurance wrapper for any or all of the following:

• ISO 27001

• CSA CCM

• PCI-DSS

• HIPAA/HITRUST

• NIST 800-53

WHY SOC 2 FOR CLOUD SECURITY

• A Service Organization Controls (SOC) 2 report for privacy is based on the American Institute of Certified Public Accountants (AICPA) SSAE 18 attest standard and Trust Services Criteria.

• SOC 2 is an attest engagement that applies to engagements in which a practitioner is engaged to issue an examination of an assertion about subject matter that is the responsibility of another party (the organization to be reported on, e.g. for outsourced services).

• SOC 2 may be applied selectively, specifically covering security and privacy in the scope of the engagement. GAPP can also be applied for the whole organization or selectively for the organization's web site covering online collection of Personally Identifiable Information (PII).

• The AICPA's SSAE 18 attestation standard allows a CPA to attest to an entity's compliance with requirements of specified law. Organizations may be able to have their privacy controls examined for regulations such as HIPAA, GLBA and other applicable privacy laws.

SOC 2 Type II currently can provide a more reasonable assurance for Cloud Security due to the following reasons:

• SOC 2 Type II can cover the entire year, and the effectiveness of the controls in place can be reported

• It is a third party period-of-time assessment and so has accountability

• Since it is a period of time assessment, it is more like continuous compliance with low risk and high reliability

• Most other assurance programs or audits are only at a point in time

• Comprehensive framework for Security & Privacy by AICPA & CICA

• Provides a high reliability SOC 2 Seal by AICPA

Additional Benefits of SOC 2 for Cloud

Having a SOC 2 can give your organization a competitive edge. A process-driven, well-defined SOC 2 can reduce the insider threat in your organization. Knowing how much extra value and assurance a SOC 2 can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping companies be more thorough and thoughtful in how they approach their audits.

• Helps in building trust

• Differentiates you from peers

• Provides management insight into the effectiveness of controls and possible areas for improvement

• Provides an independent assurance by a CPA

• Allows service organization to meet regulatory/contractual requirements

• Provides a level of comfort over control consciousness of the service organization and its services

• More weightage than a self-assessment

• Can include Cloud Controls Matrix (CCM) / other cloud or any other compliance requirements

• Joint audit work serves as the basis for multiple reports that you receive

• Solid detail, great standards for your compliance needs

• Inclusion of cloud standards like CCM

• Little to no risk – very high reliability provided by period-of-time testing

• Specific reports to satisfy everybody

• International acceptance

Difference between SOC 1 and SOC 2 for Cloud

SOC 1 is applicable for Internal Controls over Financial Reporting (ICFR). If your processes are related to financial data then you may choose SOC 1 reporting. If your processes relate to the Trust Services Criteria of Security, Availability, Process Integrity, Confidentiality and/or Privacy then choose SOC 2. Many cloud providers may need to choose both.

WHY SOC 2 FOR CLOUD PRIVACY

SOC 2 reporting helps you in providing assurance for compliance in the cloud with privacy laws. Violation of privacy laws can lead to civil and/or criminal penalties. For example:

• In 2014, Australia made changes to its Privacy Act that can lead to civil penalties of up to $1.7 million for companies

• In the US, for HIPAA privacy, the criminal provisions can lead to penalties of up to $250,000 (max $1.5 million p.a.) and imprisonment of up to 10 years

• Countries such as Canada too are reforming their privacy provisions

Examples of Cloud providers

SCOPE OF WORK (SOW) FOR SOC 2 FOR CLOUD

Cloud Controls CCM

When following the SOC 2 Attestation route for achieving the CSA STAR Certification Framework, it is required to include the control domains described by the CCM under the SOW. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks.

IT General Controls (ITGC)

The AICPA SSAE 18 defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the scope of the SOC 2, client operations and Trust Services Criteria. The relationship between the service organization and the user organizations must be viewed to help determine the controls that should be included in the engagement, by reviewing the Service Level Agreements (SLA) or End User Licensing Agreements (EULA). The following outlines typical categories for control activities that are included in the description of controls for some SOC engagements:

• Logical security (security administration / passwords)

• Physical and environmental security

• Network security (firewalls, intrusion prevention)

• Change management

• Data retention and storage

• Disaster recovery / business continuity

• System documentation

OUR PROJECT EXECUTION METHODOLOGY

Phases: Plan, Deliver, Assess, Report

Activities across these phases:

• Understanding the client entity and environment

• Understanding and verifying documentation of existing internal controls

• Evaluate samples

• Evaluate additional info

• Define scope, expectations and project roles

• Perform walkthrough

• Analyse samples for effectiveness

• Request clarifications

• Readiness assessment if required

• Assess risks

• Request additional info

• System Description and Management Assertions are drafted by the client management through inputs from the audit team

• Kick off meeting with stakeholders

• Identifying the control objectives and controls in place

• Issue draft report

• Preliminary interviews / questionnaires conducted to gain understanding of requirements

• Conduct interviews

• Incorporate management comments and issue final report

• Client information request list prepared and distributed

• Request samples

• Ongoing support

• Analysis of client-prepared information performed and client feedback provided

• Validation of the implementation of controls

• Answer questions to management and user auditors

• Project timeline (including estimates of client hours) / plan created

• Test results communicated and exceptions are resolved, if possible

• Update plan based on client discussions

VALUE DELIVERY

Knowing how much extra value and assurance a SOC can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping organizations be more thorough and thoughtful in how they approach their engagement.

Preparing for a SOC reporting engagement is a matter of clear thinking and smart planning. Working with cyber security specialized consulting specialists such as ours helps you dig into areas such as data security, incident response, and change management processes and much more.

We provide an end to end process for SOC engagements. With the rapid cloud adoption and increased use of BIG DATA, cloud security and privacy concerns are on the rise. We can conduct integrated information security engagements with privacy engagements.

Some of the advantages of working with us are:

• End to end process for SOC Reporting & Attest Services

• Project management methodology consistently applied to each engagement

• Efficient service delivery with minimal disruption to operations

• Our engagements are executed by senior experienced professionals

• 15 years of Information Security & Cyber Security experience

• Reduced time to complete assignments

• Licensed CPA & Security Professionals to execute projects & provide attest reports

• Prompt services with engagements completed in record time

• Ongoing support. We are with you whenever you need us

• Our services are competitively priced compared to the big names, to provide higher ROI

To discuss your specific need please email [email protected]

Disclaimer: The content contained in this document is only for information and should not be construed as advice or an opinion. The rules are subject to change, and for the latest information please visit the official websites. In no way is Accedere responsible for the information contained in this document as a result of its/her/his use or reliance on the information. A formal Scope of Work shall be signed, which should be referred to for any specific services offered.