Webinar Slides: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting


Join MHM for a rebroadcast of this presentation on Aug. 20. More information at http://www.mhm-pc.com.

Taking advantage of opportunities to outsource services and functions to third party providers can create legal, compliance, due diligence and audit oversight challenges in an environment where privacy laws can vary by jurisdiction and be interpreted unpredictably. Even the most conscientious company can make a false step as it captures, uses, transfers, and discloses personal information with third party service providers.

The extent of privacy laws, regulations and related compliance, security, control and breach reporting responsibilities can be daunting for any company. These challenges are further compounded when a company uses third party service providers. Because it is often impractical and not cost effective for companies to perform their own onsite due diligence and oversight auditing, they frequently seek assurance reporting from their third party service providers about the providers' controls and privacy compliance as part of their due diligence and oversight.


  1. EXECUTIVE EDUCATION SERIES: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting
     Presented by: Shareholder John Robichaud and Guest Presenter Cynthia Larose of Mintz Levin
     May 2, 2013

  2. Before We Get Started…
     • To view this webinar in full screen mode, click on view options in the upper right hand corner.
     • Click the Support tab for technical assistance.
     • If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.

  3. CPE Credit
     • This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic polling questions throughout the webinar.
     • External participants will receive their CPE certificate via email immediately following the webinar.

  4. Today’s Presenters
     John Robichaud, CPA, Shareholder – 617.761.0546 | jrobichaud@cbiztofias.com
     Located in our Boston office, John specializes in service organization control (SOC) reporting, specialized agreed upon procedures, privacy, risk assessments and enterprise risk management, internal controls and project management. He works with a wide variety of clients, many from service organizations, nonprofits, financial services and technology industries.
     Cynthia Larose, CIPP, Mintz Levin – 617.348.1732 | CJLarose@mintz.com
     Cynthia is a Member of Mintz Levin’s Corporate & Securities Section, Chair of the Privacy & Security practice, and a Certified Information Privacy Professional (CIPP/US). Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

  5. About Mintz Levin
     • Full-service, multi-disciplinary law firm
     • 450 attorneys and senior professionals
     • Offices across the country, and in the UK: Boston, New York, Washington, DC, Stamford, Los Angeles, San Diego, San Francisco, London
     • Liaison office in Israel
     • International network of contacts
     • Government relations, public policy and real estate project development consulting affiliate – ML Strategies

  6. A Full-Service Firm
     Antitrust & Federal Regulation; Bankruptcy, Restructuring & Commercial Law; Communications; Consumer Product Safety; Corporate & Securities; Corporate Compliance & Investigations; Employment, Labor & Benefits; Environmental Law; Government Law & Contracts; Health Law; Immigration; Intellectual Property; International; Litigation; Privacy & Security; Private Client; Private Equity; Project Development & Finance; Public Finance; Real Estate; Tax; White Collar Criminal Defense

  7. Representative Industries We Serve
     Construction; Education; Energy & Clean Technology; Financial Services; Health Care; Insurance; Internet & E-commerce; Life Sciences; Manufacturing; Nonprofits; Professional Services; Real Estate; Retail & Consumer Products; Sports, Arts & Entertainment; Technology, Communications & Media; Transportation, Shipping & Logistics

  8. Today’s Agenda
     1. Outsourcing Overview
     2. Landscape and impact of privacy laws and regulations
     3. Privacy compliance challenges and common pitfalls
     4. Emerging privacy legal and regulatory compliance issues
     5. Navigating reporting from third party service providers
     6. AICPA Service Organization Control Reports
     7. Trust Services

  9. OUTSOURCING OVERVIEW: Opportunities, Reasons, Benefits and Challenges

  10. Outsourcing Overview – Opportunities
     Continually growing wide range of opportunities for organizations to outsource, including:
     • Payroll
     • Human resources and benefits administration
     • Accounting
     • Printing distribution
     • Warehousing and fulfillment
     • Call center and customer support
     • Data center and application hosting
     • Software as a Service
     • Platform as a Service
     • Infrastructure as a Service

  11. Outsourcing Overview – Reasons and Benefits
     Many reasons and benefits, including:
     • Pressure to reduce costs
     • Leverage experts specialized in the outsourced service offering
     • Potential availability of more sophisticated resources
     • Availability of a virtual workforce
     • Meet short-term demands or needs
     • Lack of resources to support a business process or function

  12. Outsourcing Overview – Challenges
     • Due Diligence
     • Compliance Oversight

  13. LANDSCAPE AND IMPACT OF PRIVACY LAWS AND REGULATIONS

  14. Privacy Laws and Regulations
     Compelled disclosure to the government:
     • Electronic Communications Privacy Act (ECPA) 1986: protects electronic communications from disclosure while in transit and while held in storage. Different levels of protection based on outdated distinctions on storage, such as "electronic storage" or storage by a "remote computing service", or how old the data is.
     • Stored Communications Act (SCA)
     • USA Patriot Act: enacted in 2001, amended in 2005. Allows FBI access to certain business records with a court order. National Security Letters can also obtain records.
     • Warrants and Subpoenas

  15. Privacy Laws and Regulations
     Data security issues and data breach notification: certain Federal Laws and Regulations impose industry-specific data security or breach notification obligations
     • Educational Institutions: Family Educational Rights and Privacy Act (FERPA)
     • Financial Institutions: Gramm-Leach-Bliley Act (GLBA), which prevents disclosure of non public personal information
     • Health Care: Health Insurance Portability and Accountability Act (HIPAA) and HITECH

  16. Privacy Laws and Regulations
     • Payment Card Industry (PCI) Data Security Standard (DSS): prevents disclosure of online credit card and account information
     • FTC Breach Disclosure Requirement: Section 5 of the FTC Act
     • Clinical Laboratory Improvement Amendments (CLIA): applies to health care organizations
     • NYSE Rule 340

  17. Privacy Laws and Regulations Continued
     • FDIC: meet regulatory requirements around core vendors
     • Publicly traded companies: Sarbanes Oxley (SOX)
     • Generally, an entity cannot contract away its obligation to comply with these industry-specific regimes
     • State Laws and Regulations: avoid requirements to disclose data compromised at a vendor; depends on where your organization does business. Examples: MA, CA, TX, and MI have their own privacy and security laws

  18. PRIVACY COMPLIANCE CHALLENGES AND COMMON PITFALLS

  19. Why Monitor? Why Not?
     Assuming Third Party Vendors Are Covering Compliance Issues
     • Under many privacy laws, there exists no formal compliance violation if a company fails to monitor the activities of its vendors.
     • A "voluntary" obligation to monitor creates risks for the company, which commits to follow through even if oversight is not effective.
     • Case study: A medical transcriptionist in Pakistan threatened to post patient names and information on the Internet unless given better pay. The story received global coverage, resulting in serious reputational damage to the hospital.

  20. Common Pitfalls and Repercussions
     • Lack of Standard Process. Case study: A Ponemon Institute study revealed a difference in view between cloud providers and users about who is primarily responsible for security in the cloud. 69% of third party vendors saw their users as responsible for their own security. Only 35% of these users saw themselves as responsible. This confusion about who is responsible for data security leads users to complacent behavior.
     • Failure to manage vendors: companies spend millions on their own internal compliance challenges but provide all the same information to vendors. Vendors could give low priority to safeguarding this information.

  21. Common Pitfalls and Repercussions
     • Volume of vendors: simply keeping track of all privacy information spurs a concern for errors/breaches. Larger vendors dealing with a substantial volume of personal data face higher risks than other vendors with more manageable information.
     • Mitigation Issues: how will a company interact if a vendor breaches privacy? Vendors should be contractually committed to take all reasonable action dictated by the company.

  22. Common Pitfalls and Repercussions
     New HIPAA Omnibus Rule
     • If you handle protected health information, you have HIPAA liability
     • HIPAA breaches generate severe negative publicity, not to mention fines and civil penalties, and also possible class actions.
     • Many lawsuits have been filed against healthcare providers that breach PHI, seeking damages in the millions.
     • Total breach costs have grown every year since 2006.

  23. Failure to do Third Party Due Diligence
     • What if the vendor goes out of business?
     • Does the third party have a disaster recovery plan?
     • What is the vendor’s identity theft protection plan?

  24. EMERGING PRIVACY LEGAL AND REGULATORY COMPLIANCE ISSUES

  25. Cloud
     • If a company stores information on the cloud, they face the threat of FTC enforcement if their representations to consumers about where/how information is stored and secured do not match their actual practices
     • Who owns data on the cloud?
     • Can a cloud provider use the data for its own purposes?
     • Under what circumstances can the customer obtain a copy of information stored in the cloud?
     • What happens when service to the cloud is interrupted?

  26. Cloud
     CONTRACT! Almost all issues can be dealt with contractually:
     • Where data is stored
     • What security standards the cloud provider adheres to
       • Segregated data
       • Does the cloud conform to industry standards?
       • Do outside auditors confirm its security practices?
     • Who is liable for a data breach
     • Regulatory compliance and indemnification responsibilities
     • Ownership/control of information and cloud maintenance

  27. Off Shore Vendors
     • Problems associated with digital technology: Internet file sharing networks make it much easier to trade secrets, proprietary products, plans and schematics. Much of this theft takes place outside of the United States.
     • Vendors may be "offshore", which creates a perception that U.S. privacy rules do not apply to other countries (see the Pakistani case study)
     • Companies must evaluate how best to enforce contractual obligations
     • KNOW YOUR VENDOR

  28. Vendor Assessment
     “Ignorance is not a valid defense”
     • Regulators and executive management expect you to understand, manage, and reduce risk.
     • Perform a cost/benefit analysis when choosing a provider.
     • Ask: What is the reputational risk to your company if something goes wrong? How sensitive is this stored data?
     • Average cost per record: $198
     • Average incident: $6.3 million

  29. Looking Ahead
     • Use of third-party vendors for business functions has become a standard business practice, but security still varies greatly.
     • Organizations must be extremely vigilant in assessing risks to their data even if they reside at a vendor location.
     • Ask: "Once we share our information assets with third-party vendors, will we still be in compliance?"
     • MUST vet your vendors and carefully monitor their security/privacy control environments over an extended period of time.

  30. NAVIGATING REPORTING FROM THIRD PARTY SERVICE PROVIDERS: Due Diligence and Oversight Compliance Challenges, and Relying on Reporting from Service Providers

  31. Reporting from Third Party Service Providers
     Performing due diligence and compliance oversight at third party service providers can be a challenge or impractical because of:
     • Limited management and resource bandwidth
     • Cost
     • Timing
     • Contractual restrictions
     Organizations often end up needing to rely on reporting provided by the third party service provider.

  32. Reporting from Third Party Service Providers
     • Internally prepared reports and self assessments
     • Certifications
     • Seals
     • Externally prepared reports and assessments against an alphabet soup of standards, including: PCI DSS, ISO, FISMA, NIST, HIPAA
     • AICPA Service Organization Control (SOC) Reports

  33. AICPA SERVICE ORGANIZATION CONTROLS REPORTS: SOC 1–3 Reports

  34. AICPA SOC Reports
     • SOC1 versus SOC2 versus SOC3, and option for Web Site Seal
     • Type 1 point in time versus Type 2 operating period examinations and reports
     • Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria

  35. SOC 1 – 3 Reports
     • SOC1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls Over Financial Reporting; replacement of SAS 70 and performed under SSAE 16
     • SOC2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (long form report)
     • SOC3 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (short form report with web site seal option)

  36. SOC 1
     Internal control over financial reporting. Scope includes:
     • Classes of transactions
     • Procedures for processing and reporting transactions
     • Accounting records of the system
     • Handling significant events and conditions other than transactions
     • Report preparation for users
     • Other aspects relevant to processing and reporting user transactions

  37. SOC1 – Continued
     • Covers transaction processing controls, and supporting information technology controls relevant to the financial transaction processing and reporting services
     • Based on control objectives that are defined by the service provider and can vary depending on the type of service provided
     • Restricted report – intended solely for the information and use of the service provider, their user entities (customers) and the user entities’ auditors in planning their audit of the user entity

  38. SOC2
     Operational controls. Scope includes:
     • Infrastructure
     • Procedures
     • People
     • Data
     Covers any one or combination of the Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria

  39. SOC2 – Continued
     • Intended to meet the needs of a broad range of users that need information and assurance about controls at a service provider that affect security, availability, processing integrity, confidentiality and privacy
     • Restricted report with a broader range of intended users, including: existing users, prospective users, regulators, business partners
     • Endorsed by the Cloud Security Alliance

  40. SOC3
     • Covers the same individual and combined Trust Services Principles and Criteria as SOC2
     • Does not include a detailed description of the design of controls and tests of controls performed by the service auditor
     • Provides a service auditor’s opinion on whether the service provider maintains effective controls over its systems
     • Unrestricted report intended for users that don’t require a more thorough report
     • Web site seal option if there are no carved out subservice providers and an unqualified opinion

  41. Type 1 versus Type 2
     • Type 1 is a point in time examination and report opining on the suitability of design of controls and description, with no test of operating effectiveness of controls.
     • Type 2 is an examination and report opining on the suitability of design of controls and description, and operating effectiveness of controls, with reported tests and results covering a period of time, which is:
       • Six months or greater for a SOC1
       • Two months or greater for a SOC2 and SOC3
       • Based on the usability of the coverage period for the intended recipients of the report

  42. TRUST SERVICES: Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria (Framework for SOC2 and SOC3 Reporting)

  43. Trust Services Principles and Criteria
     Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria address risks and controls of IT enabled systems and privacy programs, with illustrated benchmark control best practices.

  44. Trust Services Principles and Criteria Continued
     • Policies – The service provider has defined and documented its policies particular to each principle, which address management’s intent, objectives, requirements, responsibilities and standards.
     • Communication – The service provider has communicated its defined policies to responsible parties and users of the system.
     • Procedures – The service provider has placed procedures into operation to achieve its principles in accordance with its defined policies.
     • Monitoring – The service provider monitors the system and takes action to maintain compliance with its defined policies.

  45. Trust Services Principles and Criteria Continued
     • Security – The system is protected against unauthorized access (both physical and logical).
     • Availability – The system is available for operation and use as committed and agreed.
     • Processing Integrity – System processing is complete, accurate, timely and authorized.
     • Confidentiality – Information designated as confidential is protected as committed or agreed.
     • Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the AICPA’s and CICA’s Generally Accepted Privacy Principles.

  46. Security
     • Most commonly requested area of coverage
     • Security criteria are also included in the other principles because security controls are inherent critical parts of effective availability, processing integrity, confidentiality and privacy controls
     • Applicable to all outsourced environments, particularly when enterprise users require assurance regarding the service provider’s security controls for any system, and nonfinancial or financial service

  47. Security Continued
     • IT security policy
     • Security awareness and communication
     • Risk assessment
     • Logical access
     • Physical access
     • Security monitoring
     • User authentication
     • Incident management
     • Asset classification and management
     • System development and maintenance
     • Personnel security
     • Configuration management
     • Change management
     • Monitoring and compliance

  48. Availability
     • Commonly requested area of coverage, particularly where availability, disaster recovery and business continuity management are provided as critical parts of the service provider's standard service offering.
     • Most applicable where enterprise users require assurance regarding processes to achieve system availability service level agreements as well as disaster recovery and business continuity management, which cannot be covered as part of a SOC1 report.

  49. Availability Continued
     • Includes security criteria
     • Availability policy
     • Backup and restoration
     • Environmental controls
     • Disaster recovery
     • Business continuity management

  50. Processing Integrity
     • Potentially applicable for a wide variety of non financial and financial services wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing
     • Includes security criteria
     • System processing integrity policies
     • Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs
     • Information tracing from source to disposition

  51. Confidentiality
     • Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information
     • Includes security criteria
     • Confidentiality policy
     • Confidentiality of inputs
     • Confidentiality of data processing
     • Confidentiality of outputs
     • Information disclosures, including to third parties
     • Confidentiality of information in systems development

  52. Privacy
     • Most applicable where the service provider interacts directly with end users and gathers their personal information
     • Can also be performed when the service provider is a secondary or intermediary recipient of personal information, but requires more complicated disclosures in regard to the span of responsibilities for personal information between all involved parties
     • Provides a vehicle for demonstrating the effectiveness of a service provider’s controls for maintaining the privacy of information

  53. Privacy Continued
     • Management
     • Notice
     • Choice and consent
     • Collection
     • Use and retention
     • Access
     • Disclosure to third parties
     • Quality
     • Monitoring and enforcement

  54. Ziptr
     • Provides secure encrypted email service
     • 2011–2012 SOC3 on security and confidentiality
     • 2012–2013 SOC2 on security, confidentiality and privacy

  55. Questions?

  56. If You Enjoyed This Webinar…
     Join us for these related EES courses:
     • June 27: Accounting and Finance Issues of Technology Companies
     • August 20: Outsourcing Services to a Third Party – Privacy Impacts and Service Organization Control Reporting
     Read this related MHM Messenger:
     • MHM Messenger 23-12: Evolving Business Practices Spur Transition from SAS 70 to SOC Reports

  57. Today’s Presenters
     John Robichaud, CPA, Shareholder – 617.761.0546 | jrobichaud@cbiztofias.com
     Cynthia Larose, CIPP, Mintz Levin – 617.348.1732 | CJLarose@mintz.com

  58. Connect with Mayer Hoffman McCann
     • linkedin.com/company/mayer-hoffman-mccann-p.c.
     • @mhm_pc
     • youtube.com/mayerhoffmanmccann
     • gplus.to/mhmpc
     • blog.mhm-pc.com
     • slideshare.net/mhmpc
     • facebook.com/mhmpc