TRANSCRIPT
Welcome to the Advisory Institute Webcast
Enhancing Vendor Risk and Compliance Management Using SOC 2SM and SOC 3SM Reports
Tuesday, July 23, 2013, 12:00 PM–1:00 PM ET
Help Desk Hotline: 1-877-398-1471
(Outside the United States, +1-954-969-3342)
Webcast presentation and CPE credit
“Supporting Materials” link on screen:
– Download a copy of today’s presentation/slide deck in color or black and white and our most recent thought leadership piece
CPE regulations require that online participants take part in online questions
– Must respond to a minimum of four questions per 50 minutes
– Polling questions will appear on your media player
– Results will be reviewed in the aggregate; no responses will be tracked back to any individual or organization
– Do not view the presentation in slide show mode – polling questions will not appear
© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 188700
Submit questions to our speakers; call Help Desk
Questions for speakers:
– Use the “ask question” bar on your screen to submit questions to our presenters
– Type question; click “Submit”
– Submit questions for our presenters at any time during the Webcast
Webcast Help Desk:
– 1-877-398-1471
– Outside the United States +1-954-969-3342
Today’s agenda and presenters
Agenda
– SOC reporting overview
– Guidance for user organizations (customers)
– Guidance for service organizations
– SOC2 enhanced reporting
– Key takeaways
– Q&A
Presenters
– Sandy Torchia, Partner and Global SOC Attestation Leader, KPMG LLP (Philadelphia, PA)
– Mark Lundin, Partner and SOC2/SOC3 Attestation Leader, KPMG LLP (San Francisco, CA)
– Reema Anand, IT Attestation Director, KPMG LLP (Silicon Valley, CA)
SOC reporting overview
Overview of Service Organization Control (SOC) reports
(Table columns: Scope/Focus, Report Summary, Applicability, Timing)
SOC1 (sometimes also referred to as an SSAE16 or ISAE3402 report)
– Scope/Focus: Internal Control Over Financial Reporting (ICOFR)
– Report Summary: Detailed report for users and their auditors; focused on financial reporting risks and controls specified by the service provider
– Applicability: Most applicable when the service provider performs financial transaction processing or supports transaction processing systems
SOC2 / SOC3 (Scope/Focus: Operational Controls; Applicability: Applicable to a broad variety of systems)
– SOC2 Report Summary: Detailed report for user organizations, their auditors, and specified parties; focused on Trust Services principles: Security, Availability, Confidentiality, Processing Integrity, and/or Privacy
– SOC3 Report Summary: Short report that can be more generally distributed, with the option of displaying a Web site seal
Timing: Period of Time Report (Type 2) or Point in Time Report (Type 1)
Contrasting SOC2/SOC3 and SOC1 report scope
Required Focus
– SOC2/SOC3: Operational controls
– SOC1: ICOFR
Defined Scope of System
– SOC2/SOC3: Infrastructure; Software; Procedures; People; Data
– SOC1: Classes of transactions; Procedures for processing and reporting transactions; Accounting records of the system; Handling of significant events and conditions other than transactions; Report preparation for users; Other aspects relevant to processing and reporting user transactions
Control Domains Covered
– SOC2/SOC3: Security; Availability; Confidentiality; Processing Integrity, and/or Privacy
– SOC1: Transaction processing controls; Supporting IT general controls
Level of Standardization
– SOC2/SOC3: Principles selected by service provider; predefined criteria used rather than control objectives
– SOC1: Control objectives defined by service provider and may vary depending on the type of service provided
Comparison of SOC reports structure
– SOC1: Auditor’s opinion; Management assertion; Description of system and controls; Control objectives and controls; Tests of operating effectiveness and results of tests (for Type 2); Other information (optional)
– SOC2: Auditor’s opinion; Management assertion; Description of system and controls; Criteria and controls; Tests of operating effectiveness and results of tests (for Type 2); Other information (optional)
– SOC3: Auditor’s opinion; Management assertion; Description of system; Criteria incorporated by reference; Other information: N/A
SOC reports for different scenarios
SOC1 – Financial Reporting Controls
– Financial services
– Asset management and custody services
– Healthcare claims processing
– Payroll processing
– Payment processing
– Cloud ERP service
– Data center co-location
SOC2/SOC3 – Operational Controls
– Cloud-based services (SaaS, PaaS, IaaS)
– Data center co-location
– IT systems management
– HR services
– Security services
– E-mail, collaboration, and communications
– Any service where customers’ primary concern is security, availability, or privacy
(Diagram labels: Financial Process and Supporting System Controls; Security; Availability; Confidentiality; Processing Integrity; Privacy)
Guidance for user organizations (customers)
Customer perspective
Each company has its own set of internal policies and procedures, control frameworks, vendor management questionnaires and approaches, regulatory requirements, and risk appetite. Fitting an outsourced service provider into the company’s model is challenging.
Completion of due diligence reviews, vendor audits, and analysis of detailed questionnaires can be time consuming and can delay important business initiatives.
Companies want their vendor risk management programs to be efficient and effective, highlighting concerns, demonstrating due diligence, and providing IT and business executives comfort that they are managing their risk exposure.
Companies and their service providers need tools to help them streamline these efforts while driving greater consistency and assurance.
Requesting the most meaningful reports
(Factors to consider, and the report with a higher degree of relevance for each)
Type of Service
– SOC1: Financial transaction processing; IT infrastructure supporting financial and other systems
– SOC2/SOC3: IT and other non-financial processing systems
Objective
– SOC1: ICOFR
– SOC2/SOC3: Vendor risk management; IT governance; Information security; Privacy
Level of Detail Needed
– SOC1: High, focused on financial processing controls
– SOC2: High, focused on technology, security controls
– SOC3: Low, focused on technology, security controls
Relevant Other Standards/Frameworks
– SOC1: SOX
– SOC2/SOC3: ISO 27001; CSA CCM; PCI DSS; HIPAA Security
Buyers of outsourced services – Risk assessment
Risk Assessment of Services
– Consider and prioritize key risks arising from the scope of outsourced services (e.g., financial controls, personally identifying information, access to systems).
Risk Assessment of Contracts
– Review outsourced service contracts to determine whether the terms require appropriate performance and compliance with standards.
– Assess contract terms for audit rights, service provider support, and sufficiency of reports.
– Assess contract terms for appropriate risk mitigation requirements and change control procedures to address evolving needs.
Identify Relevant Reports
– Assess whether SOC reports have been obtained in the past.
– Determine whether SOC1, SOC2, and/or SOC3 reports should be requested.
– For SOC2/SOC3, determine which principles are most relevant.
Restructure Terms of Existing Services Contracts
– Revise terms of existing contracts to address any deficiencies in required control standards and performance, audit terms, reporting, and issue resolution.
– Consider flexibility for change, mandatory change, and allocation of cost in light of the services delivery model and service provider solution.
– Consider remedies for breach.
Capture Lessons Learned
– Establish the framework for discipline in contracting for new services and for renewing or rebidding services.
Buyers of outsourced services – Manage the life cycle
Policies and Procedures for Contracting
– Set protocols for procurement activities, support from compliance and legal, and requirements for vendors (e.g., request appropriate SOC reports as part of the due diligence process for assessing new providers of outsourced services).
– Confirm repositories of current requirements and processes for change.
Policies and Procedures for Vendor Monitoring
– Determine the frequency with which key outsourced services providers will be assessed.
– Establish processes for regular receipt of SOC reports, review and discussion with the service provider, and remediation or change. (Refer to the next set of slides for report review considerations.)
Procurement Due Diligence
– Weave reporting requirements into due diligence; modify questionnaires and assessment procedures.
Communication Plan
– Communicate scope, reporting, and timing requirements to service providers.
– Work with each service provider to establish an effective and efficient process.
Execute Across the Services Life Cycle
– Apply processes to new services, ongoing services, and renewal and rebid transactions.
SOC report evaluation considerations
1. Scope
– Is the included scope of services and locations relevant based on the services you receive from the service provider?
2. Type of Report
– Is the report a SOC1, SOC2, SOC3, or other report?
– Is the report a point in time (Type 1) or period of time (Type 2) report?
3. Period of Coverage and Report Timing
– How well do the period of coverage and report timing meet your needs?
4. Opinion
– Is the opinion unqualified (clean) or was it qualified (noting control objectives or criteria not achieved)?
– To what extent do any such qualifications impact the user organization?
SOC report evaluation considerations (continued)
5. Audit Firm
– Does the audit firm have a good reputation for providing this type of assurance services?
6. Subservice Organizations
– If subservice organizations are used, are controls over these operations included in or excluded from scope?
– If excluded, is additional assurance needed from the subservice organization (e.g., through a separate SOC report)?
7. Principles/Objectives
– Do the selected SOC1 control objectives or SOC2/SOC3 principles sufficiently cover your assurance needs/requirements?
8. Description of Control Activities
– Does the SOC1/SOC2 report provide sufficient detail regarding control activities to meet your needs?
SOC report evaluation considerations (continued)
9. Test Procedures and Test Results
– Are the auditor’s SOC1/SOC2 test procedures sufficient to meet your needs?
– If any test exceptions and management responses are included in the report, is there an impact to the user organization and is follow-up warranted?
10. Complementary User Entity Controls
– If complementary user entity controls are identified, are the applicable user entity controls in place at your organization?
11. Changes During the Period
– Were there any significant changes in systems, subservice providers, or controls noted, and is there any impact to the user organization?
12. Other Information
– Does the report include other helpful information (e.g., how the service provider’s controls relate to other industry standards or frameworks such as ISO 27001, Cloud Security Alliance, FISMA, HIPAA Security Rule, etc.)?
Guidance for service organizations
Service organization perspective
A fundamental value of many outsourced services is that customers benefit from a common set of technology, processes, and standards. Service providers strive to build their solutions and set standards that will substantially meet the needs of their target customers.
The compliance teams at many service providers are burdened with an increasing volume of customer audits and detailed questionnaires that vary widely in terms of scope, focus, relevance, and depth.
Service providers expend considerable effort to complete SOC examinations and want to help customers leverage their investment in third-party assurance.
Service providers want to make it easier for companies to do business with them. Service providers want to help their customers achieve their vendor risk management and compliance objectives in a way that is efficient and effective for both parties.
Typical SOC2/SOC3 scoping considerations
Services/applications provided
Supporting infrastructure
Locations
Subservice providers
Applicable principles
Potential transition from SOC1 to SOC2
Enhanced reporting–inclusion of other information regarding alignment with other standards/frameworks
Communication regarding the service provider’s SOC reporting program
Customers sometimes want a security-focused report but request an SSAE16, SOC1, or SAS 70 (obsolete) report.
Customers sometimes make requests that reference other industry standards or frameworks.
Service providers should clearly communicate with their customers who may require SOC reports:
– What type of report(s) they will provide
– What principles are covered
– The fact that the report covers design and operating effectiveness of controls for a specified period, typically 6 or 12 months (for Type 2 reports)
– If other information related to one or more other standards/frameworks is included
– How the SOC2 report addresses the customers’ areas of interest
Service providers will sometimes complete both SOC1 and SOC2 reports if certain services have a very direct impact to customers’ internal control over financial reporting and are also very important from a security/availability perspective.
SOC2/SOC3 principles and criteria – Summary and discussion of applicability
Security
– Security policies
– Security awareness and communication
– Risk assessment
– Logical access
– Physical access
– Security monitoring
– Incident management
– Personnel
– Systems development and maintenance
– Configuration management
– Threat identification
– Information classification
– Encryption
– Change management
– Monitoring / compliance
Availability
– Availability policy
– Backup and restoration
– Environmental controls
– Disaster recovery
Processing Integrity
– System processing integrity policies
– Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs
– Information tracing from source to disposition
Confidentiality
– Confidentiality policy
– Confidentiality of inputs, data processing, and outputs
– Information disclosures
– Confidentiality of information in systems development
Privacy
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
– Access
– Disclosure to third parties
– Security for privacy
– Quality
– Monitoring and enforcement
SOC2 enhanced reporting
Where there are common customer requirements/requests, it may be beneficial for the service provider to include additional details in the SOC2 report to demonstrate alignment with one or more relevant standards/frameworks (e.g., ISO 27001, Cloud Security Alliance Cloud Controls Matrix, PCI-DSS, etc.).
If the referenced standards/frameworks are more detailed than the SOC2 Trust Services criteria, it may be necessary to include more granular controls within the SOC2 report to enable a more complete mapping.
SAMPLE – Relation of Service Provider’s Controls to <specify standard/framework>
Service Provider has developed its controls to align with the <specify standard/framework>. Included below is a mapping of the <specify standard/framework> topics to related Service Provider controls covered in this report.
Specific Topics/Requirements from <specify standard/framework> | SOC2 Criteria | Related Service Provider Controls
Sec 1.1 | 1.01, 1.02 | Control description included.
Sec 1.2 | 1.03 | Control description included.
Sec 1.3 | 1.02 | Control description included.
Mapping to ISO 27001 controls
Ref. | Approx. # of Requirements | Domain | SOC2/SOC3 Primary Reference
A.5 | 2 | Security policy | Security
A.6 | 11 | Organization of information security | Security
A.7 | 5 | Asset management | Security
A.8 | 9 | Human resources security | Security
A.9 | 13 | Physical and environmental security | Security
A.10 | 32 | Communications and operations management | Security
A.11 | 25 | Access control | Security
A.12 | 16 | Information systems acquisition, development and maintenance | Security
A.13 | 5 | Information security incident management | Security
A.14 | 5 | Business continuity management | Availability
A.15 | 10 | Compliance | Security
Total | 133 | |
An enhanced SOC2 report can show how the service provider’s SOC2 controls to achieve the security and availability criteria align with the ISO 27001 control objective topics.
Mapping to CSA Cloud Controls Matrix (CCM) v1.3
Ref. | Approx. # of Requirements | Domain | SOC2/SOC3 Primary Reference
CO | 6 | Compliance | Security
DG | 8 | Data Governance | Security
FS | 8 | Facility Security | Security
HR | 3 | Human Resources | Security
IS | 34 | Information Security | Security
LG | 2 | Legal | Security
OM | 4 | Operations Management | Security
RI | 5 | Risk Management | Security
RM | 5 | Release Management | Security
RS | 8 | Resiliency | Availability
SA | 15 | Security Architecture | Security
Total | 98 | |
An enhanced SOC2 report can show how the service provider’s SOC2 controls to achieve the security and availability criteria align with the CSA CCM requirements.
Mapping to PCI Data Security Standard (DSS) v2.0
Ref. | Approx. # of Requirements | Domain | SOC2/SOC3 Primary Reference
1 | 18 | Firewall | Security
2 | 7 | System passwords | Security
3 | 16 | Stored cardholder data | Security
4 | 2 | Encryption | Security
5 | 2 | Antivirus | Security
6 | 19 | Development and maintenance | Security
7 | 7 | Access restrictions | Security
8 | 20 | Unique IDs | Security
9 | 16 | Physical access | Security
10 | 26 | Monitoring | Security
11 | 8 | Testing | Security
12 | 33 | Information security policy | Security
Total | 174 | |
An enhanced SOC2 report can show how the service provider’s SOC2 controls to achieve the security and availability criteria align with the PCI DSS requirements.
Key takeaways
Companies want their vendor risk management programs to be efficient and effective, highlighting concerns, demonstrating due diligence, and providing IT and business executives comfort that they are managing their risk exposure.
Service providers want to make it easier for companies to do business with them by helping their customers achieve their vendor risk management and compliance objectives in a way that is efficient and effective for both parties.
Service providers expend considerable effort to complete SOC examinations and want to help customers leverage their investment in third-party assurance.
Companies and their service providers need tools to help them streamline these efforts while driving greater consistency and assurance.
Thorough SOC2 reports, whether using standard SOC2 reporting or enhanced reporting, can be highly effective tools for service providers and their customers to help manage risk and compliance obligations.
New KPMG white paper
Effectively using SOC2 reports for increased assurance over cloud service providers
– Scheduled for release – end of August 2013
– We will send a link to all Webcast attendees.
Presenters’ Contact Details
Sandy Torchia, Partner, KPMG [email protected]
Mark Lundin, Partner, KPMG [email protected]
Reema Anand, Director, KPMG LLP, 408-367-7638, reemaanand@kpmg.com
Q&A
Institute Webcast series
Webcast replays are located in the “Events” section of the Web site – www.kpmginstitutes.com/advisory-institute/
A replay of this webcast will be available on the web site within three business days
Register for institute – http://www.kpmginstitutes.com/advisory-institute/
Thank you
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.