SOC for Cybersecurity Overview
1. SOC and the Cybersecurity Threat
October 12, 2017
Dan Vance, Director
Brian M. Matteson, Manager
2. Introductions
Dan Vance, CPA
Director: Governance, Risk and Compliance
Oversight of SOC, internal audit and compliance
Extensive risk-based audit experience, planning and implementation
Brian M. Matteson, CISSP, CISA
Manager: IT, Security, and IT Audit
Extensive experience in security strategy and architecture
Oversight of IT projects in the Columbus market
3. Today’s Agenda
Cybersecurity & the Need for a Framework
SOC Reporting – Background
Cybersecurity Risk Management Reporting Framework
SOC for Cybersecurity Engagement
5. Reasons Why a Cybersecurity Framework is Needed
Security incidents and data breaches are a daily occurrence and can do major damage. Recent examples:
– Equifax
– Deloitte
– WannaCry ransomware
– Sonic Drive-In
6. Reasons Why a Cybersecurity Framework is Needed, cont.
1. Increasing number of cyber crimes
Source: Verizon 2017 Data Breach Investigations Report
7. Reasons Why a Cybersecurity Framework is Needed, cont.
2. Continued process failures
Source: Verizon 2017 Data Breach Investigations Report
8. Reasons Why a Cybersecurity Framework is Needed, cont.
3. Board of Directors’ focus on cyber risk
How do they identify upcoming risks?
What policies are needed?
What is their role in this area and what skillsets are required?
How do they obtain comfort that the program is effective?
9. Reasons Why a Cybersecurity Framework is Needed, cont.
4. Rapidly changing regulatory environment
Executive orders
Federal agencies such as the SEC
Banking regulators
State level
International
10. Cybersecurity Framework - Principles
Should be principles-based
Able to leverage existing frameworks
Incentivize positive action
12. A Value Added Service
SOC attestation benefits:
1. Build trust with current customers and prospects
2. Assist with validating your risk management model
and show business value
3. Find (and close) control/operational gaps
4. Customers are asking for SOC reports
13. Progression of the AICPA SOC Report
• SAS 70: internal controls over financial reporting; superseded and no longer referenced
• SOC 1: internal controls over financial reporting
• SOC 2 & 3: controls related to security, availability, confidentiality, processing integrity and/or privacy
• SOC for Cybersecurity: the entity’s cybersecurity risk management program
15. SOC 2 Overview
The SOC 2 is a report on non-financial controls, evaluated against the trust services principles and criteria for:
1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy
SOC 1 and SOC 2 audiences often differ
Industries driving SOC 2 growth:
– Technology
– Healthcare
– Financial Services
– Other
17. Cybersecurity Risk Management Program
The AICPA defines an entity’s cybersecurity risk
management program as
“a set of policies, processes, and controls
designed to protect information and systems from
security events that could compromise the
achievement of the entity’s cybersecurity
objectives and to detect, respond to, mitigate, and
recover from, on a timely basis, security events
that are not prevented.”
18. SOC for Cybersecurity Framework
Released in April 2017
Intended to report on an entity’s cybersecurity risk management program and the effectiveness of the controls within it for preventing and detecting cybersecurity threats
Leverages recognized cybersecurity frameworks to create a common language for reporting
19. Why Was the New SOC Framework Created?
The increase in cyber crimes has put the focus on cybersecurity programs
Few industry standards existed for reporting on cybersecurity risk management programs to internal stakeholders (e.g., the Board of Directors) as well as external stakeholders
Benefits of SOC for Cybersecurity
Competitive advantage
Providing customers with peace of mind that data is safeguarded
Standardized solution
22. Cybersecurity Risk Management Program
[Diagram: SOC for Cybersecurity (Cybersecurity Risk Management Program); SOC 2 (Security, Confidentiality & Availability Criteria; Privacy and Processing Integrity Criteria); IT General Controls]
23. Cybersecurity Framework – How it is Different
Dimensions on which SOC for Cybersecurity is compared with SOC 2:
Report Purpose
Intended Users
Professional Standards
Responsible Party
Distribution
Subject Matter
Engagement Criteria
24. Contents of the Report
Components of the Cybersecurity report:
Management’s description
Management’s assertion
Practitioner’s opinion
Cybersecurity Framework Key Criteria:
Description Criteria
– Used to prepare and evaluate the presentation of the description of the cybersecurity risk management program
Control Criteria
– Used to evaluate the effectiveness of controls in achieving the cybersecurity objectives
– May be the revised Trust Services Criteria and/or the NIST Cybersecurity Framework
25. Report Structure – Program Description
Total of 9 sections to be addressed:
1. Nature of Business and Operations
2. Nature of Information at Risk
3. The Cybersecurity Risk Management Program Objectives
4. Factors That Have a Significant Effect on Inherent
Cybersecurity Risks
5. Description of Cybersecurity Risk Governance Structure
6. Cybersecurity Risk Assessment Process
7. Cybersecurity Communications and the Quality of
Cybersecurity Information
8. Monitoring of the Cybersecurity Risk Management
Program
9. Cybersecurity Control Processes Disclosures
26. Report Structure – Control Criteria
Leverage a recognized framework when implementing controls
– AICPA updated Trust Services Criteria for use as a cybersecurity control framework; or
– Alternate, recognized control frameworks:
– ISO 27001 / 27002
– NIST Cybersecurity Framework
27. What Now?
Establish stakeholder expectations
Factor stakeholder expectations and the expected communication plan into the engagement scope
Consider undertaking a readiness review to:
– Validate you’re using a cybersecurity framework to develop an effective program
– Identify potential gaps
Determine next steps, including remediation
28. Questions?
If you wish to discuss any aspect of this presentation in
more detail, please feel free to contact us:
Dan Vance
dvance@clarkschaefer.com
(614) 607-5788
Brian M Matteson
bmatteson@clarkschaefer.com
(614) 607-5289