
Welcome to the Advisory Institute Webcast

Enhancing Vendor Risk and Compliance Management Using SOC 2℠ and SOC 3℠ Reports

Tuesday, July 23, 2013, 12:00 PM–1:00 PM ET

Help Desk Hotline: 1-877-398-1471 (Outside the United States, +1-954-969-3342)

Webcast presentation and CPE credit

“Supporting Materials” link on screen:

– Download a copy of today’s presentation/slide deck in color or black and white and our most recent thought leadership piece

CPE regulations require that online participants take part in online questions

– Must respond to a minimum of four questions per 50 minutes

– Polling questions will appear on your media player

– Results will be reviewed in the aggregate; no responses will be tracked back to any individual or organization

– Do not view the presentation in slide show mode; polling questions will not appear

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 188700


Submit questions to our speakers; call Help Desk

Questions for speakers:

– Use the “ask question” bar on your screen to submit questions to our presenters

– Type question; click “Submit”

– Submit questions for our presenters at any time during the Webcast

Webcast Help Desk:

– 1-877-398-1471

– Outside the United States +1-954-969-3342


Today’s agenda and presenters

Agenda

– SOC reporting overview

– Guidance for user organizations (customers)

– Guidance for service organizations

– SOC2 enhanced reporting

– Key takeaways

– Q&A

Presenters

– Sandy Torchia, Partner and Global SOC Attestation Leader, KPMG LLP (Philadelphia, PA)

– Mark Lundin, Partner and SOC2/SOC3 Attestation Leader, KPMG LLP (San Francisco, CA)

– Reema Anand, IT Attestation Director, KPMG LLP (Silicon Valley, CA)


SOC reporting overview

Overview of Service Organization Control (SOC) reports

Report: SOC1 (sometimes also referred to as an SSAE16 or ISAE3402 report)
Scope/Focus: Internal Control Over Financial Reporting (ICOFR)
Summary: Detailed report for users and their auditors; focused on financial reporting risks and controls specified by the service provider
Applicability: Most applicable when the service provider performs financial transaction processing or supports transaction processing systems

Report: SOC2
Scope/Focus: Operational Controls
Summary: Detailed report for user organizations, their auditors, and specified parties; focused on Trust Services principles: Security, Availability, Confidentiality, Processing Integrity, and/or Privacy
Applicability: Applicable to a broad variety of systems

Report: SOC3
Scope/Focus: Operational Controls
Summary: Short report that can be more generally distributed, with the option of displaying a Web site seal; covers the same Trust Services principles as SOC2
Applicability: Applicable to a broad variety of systems

Timing (all SOC reports): Period of Time Report (Type 2) or Point in Time Report (Type 1)


Contrasting SOC2/SOC3 and SOC1 report scope

Required Focus
– SOC2/SOC3: Operational controls
– SOC1: ICOFR

Defined Scope of System
– SOC2/SOC3: Infrastructure; Software; Procedures; People; Data
– SOC1: Classes of transactions; Procedures for processing and reporting transactions; Accounting records of the system; Handling of significant events and conditions other than transactions; Report preparation for users; Other aspects relevant to processing and reporting user transactions

Control Domains Covered
– SOC2/SOC3: Security; Availability; Confidentiality; Processing Integrity, and/or Privacy
– SOC1: Transaction processing controls; Supporting IT general controls

Level of Standardization
– SOC2/SOC3: Principles selected by service provider; predefined criteria used rather than control objectives
– SOC1: Control objectives defined by service provider and may vary depending on the type of service provided

Comparison of SOC reports structure

SOC1
– Auditor’s opinion
– Management assertion
– Description of system and controls
– Control objectives and controls
– Tests of operating effectiveness and results of tests (for Type 2)
– Other information (optional)

SOC2
– Auditor’s opinion
– Management assertion
– Description of system and controls
– Criteria and controls
– Tests of operating effectiveness and results of tests (for Type 2)
– Other information (optional)

SOC3
– Auditor’s opinion
– Management assertion
– Description of system
– Criteria incorporated by reference
– Tests of operating effectiveness and other information: N/A


SOC reports for different scenarios

SOC1 – Financial Reporting Controls (financial process and supporting system controls)

SOC2/SOC3 – Operational Controls (Security, Availability, Confidentiality, Processing Integrity, Privacy)

Example services:

– Financial services

– Asset management and custody services

– Cloud ERP service

– Data center co-location

– Cloud-based services (SaaS, PaaS, IaaS)

– Healthcare claims processing

– Payroll processing

– Payment processing

– IT systems management

– HR services

– Security services

– E-mail, collaboration, and communications

– Any service where customers’ primary concern is security, availability, or privacy

Guidance for user organizations (customers)


Customer perspective

Each company has its own set of internal policies and procedures, control frameworks, vendor management questionnaires and approaches, regulatory requirements, and risk appetite. Fitting an outsourced service provider into the company’s model is challenging.

Completion of due diligence reviews, vendor audits, and analysis of detailed questionnaires can be time consuming and can delay important business initiatives.

Companies want their vendor risk management programs to be efficient and effective, highlighting concerns, demonstrating due diligence, and providing IT and business executives comfort that they are managing their risk exposure.

Companies and their service providers need tools to help them streamline these efforts while driving greater consistency and assurance.


Requesting the most meaningful reports

Factors to consider, and the report with the higher degree of relevance for each:

Type of Service
– SOC1: Financial transaction processing
– SOC2/SOC3: IT and other non-financial processing systems; IT infrastructure supporting financial and other systems

Objective
– SOC1: ICOFR
– SOC2/SOC3: Vendor risk management; IT governance; Information security; Privacy

Level of Detail Needed
– SOC1: High, focused on financial processing controls
– SOC2: High, focused on technology, security controls
– SOC3: Low, focused on technology, security controls

Relevant Other Standards/Frameworks
– SOC1: SOX
– SOC2/SOC3: ISO 27001; CSA CCM; PCI DSS; HIPAA Security


Buyers of outsourced services – Risk assessment

Key Activities and Description

Risk Assessment of Services
– Consider and prioritize key risks arising from the scope of outsourced services (e.g., financial controls, personally identifying information, access to systems).

Risk Assessment of Contracts
– Review outsourced service contracts to determine whether the terms require appropriate performance and compliance with standards.
– Assess contract terms for audit rights, service provider support, and sufficiency of reports.
– Assess contract terms for appropriate risk mitigation requirements and change control procedures to address evolving needs.

Identify Relevant Reports
– Assess whether SOC reports have been obtained in the past.
– Determine whether SOC1, SOC2, and/or SOC3 reports should be requested.
– For SOC2/SOC3, determine which principles are most relevant.

Restructure Terms of Existing Services Contracts
– Revise terms of existing contracts to address any deficiencies in required control standards and performance, audit terms, reporting, and issue resolution.
– Consider flexibility for change, mandatory change, and allocation of cost in light of the services delivery model and service provider solution.
– Consider remedies for breach.

Capture Lessons Learned
– Establish the framework for discipline in contracting for new services and for renewing or rebidding services.

Buyers of outsourced services – Manage the life cycle

Key Activities and Description

Policies and Procedures for Contracting
– Set protocols for procurement activities, support from compliance and legal, and requirements for vendors (e.g., request appropriate SOC reports as part of the due diligence process for assessing new providers of outsourced services).
– Confirm repositories of current requirements and processes for change.

Policies and Procedures for Vendor Monitoring
– Determine frequency with which key outsourced services providers will be assessed.
– Establish processes for regular receipt of SOC reports, review and discussion with the service provider, and remediation or change. (Refer to the next set of slides for report review considerations.)

Procurement Due Diligence
– Weave reporting requirements into due diligence; modify questionnaires and assessment procedures.

Communication Plan
– Communicate scope, reporting, and timing requirements to service providers.
– Work with each service provider to establish an effective and efficient process.

Execute Across the Services Life Cycle
– Apply processes to new services, ongoing services, and renewal and rebid transactions.


SOC report evaluation considerations

1. Scope: Is the included scope of services and locations relevant based on the services you receive from the service provider?

2. Type of Report: Is the report a SOC1, SOC2, SOC3, or other report? Is the report a point in time (Type 1) or period of time (Type 2) report?

3. Period of Coverage and Report Timing: How well do the period of coverage and report timing meet your needs?

4. Opinion: Is the opinion unqualified (clean) or was it qualified (noting control objectives or criteria not achieved)? To what extent do any such qualifications impact the user organization?

5. Audit Firm: Does the audit firm have a good reputation for providing this type of assurance services?

6. Subservice Organizations: If subservice organizations are used, are controls over these operations included in or excluded from scope? If excluded, is additional assurance needed from the subservice organization (e.g., through a separate SOC report)?

7. Principles/Objectives: Do the selected SOC1 control objectives or SOC2/SOC3 principles sufficiently cover your assurance needs/requirements?

8. Description of Control Activities: Does the SOC1/SOC2 report provide sufficient detail regarding control activities to meet your needs?

9. Test Procedures and Test Results: Are the auditor’s SOC1/SOC2 test procedures sufficient to meet your needs? If any test exceptions and management responses are included in the report, is there an impact to the user organization and is follow-up warranted?

10. Complementary User Entity Controls: If complementary user entity controls are identified, are the applicable user entity controls in place at your organization?

11. Changes During the Period: Were there any significant changes in systems, subservice providers, or controls noted and is there any impact to the user organization?

12. Other Information: Does the report include other helpful information (e.g., how the service provider’s controls relate to other industry standards or frameworks such as ISO 27001, Cloud Security Alliance, FISMA, HIPAA Security Rule, etc.)?

Guidance for service organizations


Service organization perspective

A fundamental value of many outsourced services is that customers benefit from a common set of technology, processes, and standards. Service providers strive to build their solutions and set standards that will substantially meet the needs of their target customers.

The compliance teams at many service providers are burdened with an increasing volume of customer audits and detailed questionnaires that vary widely in terms of scope, focus, relevance, and depth.

Service providers expend considerable effort to complete SOC examinations and want to help customers leverage their investment in third-party assurance.

Service providers want to make it easier for companies to do business with them. Service providers want to help their customers achieve their vendor risk management and compliance objectives in a way that is efficient and effective for both parties.

Typical SOC2/SOC3 scoping considerations

Services/applications provided

Supporting infrastructure

Locations

Subservice providers

Applicable principles

Potential transition from SOC1 to SOC2

Enhanced reporting–inclusion of other information regarding alignment with other standards/frameworks


Communication regarding the service provider’s SOC reporting program

Customers sometimes want a security-focused report but request an SSAE16, SOC1, or SAS 70 (obsolete) report.

Customers sometimes make requests that reference other industry standards or frameworks.

Service providers should clearly communicate with their customers who may require SOC reports:

– What type of report(s) they will provide

– What principles are covered

– The fact that the report covers design and operating effectiveness of controls for a specified period, typically 6 or 12 months (for Type 2 reports)

– If other information related to one or more other standards/frameworks is included

– How the SOC2 report addresses the customers’ areas of interest

Service providers will sometimes complete both SOC1 and SOC2 reports if certain services have a very direct impact to customers’ internal control over financial reporting and are also very important from a security/availability perspective.

SOC2/SOC3 principles and criteria – Summary and discussion of applicability

Security
– Security policies
– Security awareness and communication
– Risk assessment
– Logical access
– Physical access
– Security monitoring
– Personnel
– Systems development and maintenance
– Configuration management
– Threat identification
– Information classification
– Incident management
– Encryption
– Change management
– Monitoring / compliance

Availability
– Availability policy
– Backup and restoration
– Environmental controls
– Disaster recovery

Processing Integrity
– System processing integrity policies
– Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
– Information tracing from source to disposition

Confidentiality
– Confidentiality policy
– Confidentiality of inputs, data processing, and outputs
– Information disclosures
– Confidentiality of information in systems development

Privacy
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
– Access
– Disclosure to third parties
– Security for privacy
– Quality
– Monitoring and enforcement

SOC2 enhanced reporting

Where there are common customer requirements/requests, it may be beneficial for the service provider to include additional details in the SOC2 report to demonstrate alignment with one or more relevant standards/frameworks (e.g., ISO 27001, Cloud Security Alliance Cloud Controls Matrix, PCI-DSS, etc.).

If the referenced standards/frameworks are more detailed than the SOC2 Trust Services criteria, it may be necessary to include more granular controls within the SOC2 report to enable a more complete mapping.

SAMPLE – Relation of Service Provider’s Controls to <specify standard/framework>

Service Provider has developed its controls to align with the <specify standard/framework>. Included below is a mapping of the <specify standard/framework> topics to related Service Provider controls covered in this report.

Specific Topics/Requirements from <specify standard/framework> | SOC2 Criteria | Related Service Provider Controls
Sec 1.1 | 1.01, 1.02 | Control description included.
Sec 1.2 | 1.03 | Control description included.
Sec 1.3 | 1.02 | Control description included.
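The checks below are an added example, not part of the KPMG deck, of what a user organization's vendor risk team (or the service provider's own compliance team) can run over such a mapping table before relying on it. They flag the two situations the slide warns about: a framework requirement that lands on a SOC2 criterion but on no specific control (the framework is more granular than the Trust Services criteria), and a mapping row that cites a control the report does not actually describe. The control IDs, descriptions and the two extra "Sec 2.x" rows are constructed for illustration; only the "Sec 1.x" rows follow the sample above.

```python
"""Coverage checks for an 'enhanced' SOC2 mapping table (added example).

Each MappingRow maps one requirement of an external standard/framework to
the SOC2 Trust Services criteria it relates to and to the service
provider's controls described in the SOC2 report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRow:
    requirement: str        # framework topic, e.g. "Sec 1.1"
    soc2_criteria: tuple    # SOC2 criteria references, e.g. ("1.01", "1.02")
    controls: tuple = ()    # provider control IDs described in the report


# Constructed sample: control IDs and descriptions are hypothetical.
REPORT_CONTROLS = {
    "SEC-01": "Information security policy approved annually",
    "SEC-02": "Security awareness training on hire and yearly",
    "SEC-03": "Logical access reviews performed quarterly",
}

# Constructed sample mapping: the first three rows follow the slide's
# "Sec 1.x" sample; the last two are added to show the failure cases.
SAMPLE_MAPPING = [
    MappingRow("Sec 1.1", ("1.01", "1.02"), ("SEC-01", "SEC-02")),
    MappingRow("Sec 1.2", ("1.03",), ("SEC-03",)),
    MappingRow("Sec 1.3", ("1.02",), ("SEC-02",)),
    MappingRow("Sec 2.1", ("1.03",)),                  # criterion only, no control
    MappingRow("Sec 2.2", ("1.04",), ("SEC-09",)),     # control not in the report
]


def requirements_without_controls(mapping):
    """Requirements mapped to SOC2 criteria but to no provider control.

    These are the cases where the framework is more granular than the
    Trust Services criteria; the report needs more granular controls
    before a reader can rely on the mapping for that requirement."""
    return [row.requirement for row in mapping if not row.controls]


def dangling_control_references(mapping, report_controls):
    """Rows citing a control ID that the report does not describe.

    Returns {requirement: [unknown control IDs]} for the offending rows."""
    return {
        row.requirement: [c for c in row.controls if c not in report_controls]
        for row in mapping
        if any(c not in report_controls for c in row.controls)
    }


def coverage_by_criterion(mapping):
    """For each SOC2 criterion, the framework requirements that rely on it."""
    out = {}
    for row in mapping:
        for crit in row.soc2_criteria:
            out.setdefault(crit, []).append(row.requirement)
    return out


def is_mapping_complete(mapping, report_controls):
    """True only if every requirement has at least one control and every
    cited control is described in the report."""
    return (not requirements_without_controls(mapping)
            and not dangling_control_references(mapping, report_controls))


if __name__ == "__main__":
    print("no control mapped:", requirements_without_controls(SAMPLE_MAPPING))
    print("unknown controls:", dangling_control_references(SAMPLE_MAPPING, REPORT_CONTROLS))
    print("complete:", is_mapping_complete(SAMPLE_MAPPING, REPORT_CONTROLS))
```

On the constructed sample the first check reports "Sec 2.1" and the second reports "Sec 2.2" citing "SEC-09"; only once both lists are empty does the mapping support the claim that the framework's topics are covered by controls tested in the report.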


Mapping to ISO 27001 controls (ISO/IEC 27001:2005 Annex A)

Ref. | Approx. # of Requirements | Domain | SOC2/SOC3 Primary Reference
A.5 | 2 | Security policy | Security
A.6 | 11 | Organization of information security | Security
A.7 | 5 | Asset management | Security
A.8 | 9 | Human resources security | Security
A.9 | 13 | Physical and environmental security | Security
A.10 | 32 | Communications and operations management | Security
A.11 | 25 | Access control | Security
A.12 | 16 | Information systems acquisition, development and maintenance | Security
A.13 | 5 | Information security incident management | Security
A.14 | 5 | Business continuity management | Availability
A.15 | 10 | Compliance | Security
Total | 133

An enhanced SOC2 report can show how the service provider’s SOC2 controls to achieve the security and availability criteria align with the ISO 27001 control objective topics.

Mapping to CSA Cloud Controls Matrix (CCM) v1.3

Ref. | Approx. # of Requirements | Domain | SOC2/SOC3 Primary Reference
CO | 6 | Compliance | Security
DG | 8 | Data Governance | Security
FS | 8 | Facility Security | Security
HR | 3 | Human Resources | Security
IS | 34 | Information Security | Security
LG | 2 | Legal | Security
OM | 4 | Operations Management | Security
RI | 5 | Risk Management | Security
RM | 5 | Release Management | Security
RS | 8 | Resiliency | Availability
SA | 15 | Security Architecture | Security
Total | 98

An enhanced SOC2 report can show how the service provider’s SOC2 controls to achieve the security and availability criteria align with the CSA CCM requirements.


Mapping to PCI Data Security Standard (DSS) v2.0

Ref. | Approx. # of Requirements | Domain | SOC2/SOC3 Primary Reference
1 | 18 | Firewall | Security
2 | 7 | System passwords | Security
3 | 16 | Stored cardholder data | Security
4 | 2 | Encryption | Security
5 | 2 | Antivirus | Security
6 | 19 | Development and maintenance | Security
7 | 7 | Access restrictions | Security
8 | 20 | Unique IDs | Security
9 | 16 | Physical access | Security
10 | 26 | Monitoring | Security
11 | 8 | Testing | Security
12 | 33 | Information security policy | Security
Total | 174

An enhanced SOC2 report can show how the service provider’s SOC2 controls to achieve the security and availability criteria align with the PCI DSS requirements.

Key takeaways

– Companies want their vendor risk management programs to be efficient and effective, highlighting concerns, demonstrating due diligence, and providing IT and business executives comfort that they are managing their risk exposure.

– Service providers want to make it easier for companies to do business with them by helping their customers achieve their vendor risk management and compliance objectives in a way that is efficient and effective for both parties.

– Service providers expend considerable effort to complete SOC examinations and want to help customers leverage their investment in third-party assurance.

– Companies and their service providers need tools to help them streamline these efforts while driving greater consistency and assurance.

– Thorough SOC2 reports, whether using standard SOC2 reporting or enhanced reporting, can be highly effective tools for service providers and their customers to help manage risk and compliance obligations.


New KPMG white paper

Effectively using SOC2 reports for increased assurance over cloud service providers

– Scheduled for release – end of August 2013

– We will send a link to all Webcast attendees.


Presenters’ Contact Details

Sandy Torchia, Partner, KPMG LLP, [email protected]

Mark Lundin, Partner, KPMG LLP, [email protected]

Reema Anand, Director, KPMG LLP, 408-367-7638, reemaanand@kpmg.com

Q&A

Institute Webcast series

Webcast replays are located in the “Events” section of the Web site: www.kpmginstitutes.com/advisory-institute/

A replay of this webcast will be available on the web site within three business days

Register for institute: http://www.kpmginstitutes.com/advisory-institute/

Thank you


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.