SOC and the Cybersecurity Threat
October 12, 2017
Dan Vance, Director
Brian M. Matteson, Manager
Introductions
Dan Vance, CPA
Director: Governance, Risk and Compliance
• Oversight of SOC, internal audit and compliance
• Extensive risk-based audit experience, planning and implementation
Brian M Matteson, CISSP, CISA
Manager: IT, Security, and IT Audit
• Extensive experience in security strategy and architecture
• Oversight of IT projects in Columbus market
Today’s Agenda
• Cybersecurity & the Need for a Framework
• SOC Reporting – Background
• Cybersecurity Risk Management Reporting Framework
• SOC for Cybersecurity Engagement
Cybersecurity & the Need for a Framework
• Security incidents and data breaches are a daily occurrence and can do major damage
– Equifax
– Deloitte
– WannaCry ransomware
– Sonic Drive-In
Reasons Why a Cybersecurity Framework is Needed
1. Increasing number of cyber crimes
Source: Verizon 2017 Data Breach Investigations Report
Reasons Why a Cybersecurity Framework is Needed, cont.
2. Continued process failures
Source: Verizon 2017 Data Breach Investigations Report
Reasons Why a Cybersecurity Framework is Needed, cont.
3. Board of Directors’ focus on Cyber
• How to identify upcoming risks?
• What policies are needed?
• What is their role in this area and what skillsets are required?
• How do they obtain comfort?
Reasons Why a Cybersecurity Framework is Needed, cont.
4. Rapidly changing regulatory environment
• Executive orders
• Federal agencies such as the SEC
• Banking regulators
• State level
• International
Reasons Why a Cybersecurity Framework is Needed, cont.
Cybersecurity Framework – Principles
• Should be principle-based
• Ability to leverage existing frameworks
• Incent positive action
SOC Reporting – Background
A Value Added Service
SOC attestation benefits:
1. Build trust with current customers and prospects
2. Assist with validating your risk management model and show business value
3. Find (and close) control/operational gaps
4. Customers are asking for SOC reports
Progression of the AICPA SOC Report
SAS 70
• Internal controls over financial reporting
• No longer referenced
SOC 1
• Internal controls over financial reporting
SOC 2 & 3
• Controls related to security, availability, confidentiality, processing integrity and/or privacy
SOC for Cybersecurity
• Cybersecurity risk management framework
SOC Reports – Which Report is Right for You?
©2017 American Institute of CPAs
Which SOC Report is Right for You?
Will the report be used by your customers and their auditors to plan/perform an audit of their financial statements? Yes: SOC 1
Will the report be used by customers/stakeholders to gain confidence and place trust in a service organization’s system? Yes: SOC 2 or SOC 3
Do customers need to see details of the testing, including the results? Yes: SOC 2
Do you need to make the report generally available? Yes: SOC 3
SOC for Cybersecurity
• A new SOC report for which the AICPA has developed a cybersecurity risk management reporting framework. This report is appropriate for general use
• We recommend using this framework to perform an initial readiness review of the effectiveness of your cybersecurity risk management program
SOC for Vendor Supply Chains
Under Development - An internal controls report on a vendor’s manufacturing processes for customers of manufacturers and distributors to better understand the cybersecurity risk in their supply chains
SOC 2 Overview
• The SOC 2 is a report on the non-financial controls, or trust services principles, associated with:
1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy
• SOC 1 and SOC 2 audiences often differ
• Industry trends of SOC 2 growth:
– Technology
– Healthcare
– Financial Services
– Other
Cybersecurity Risk Management Reporting Framework
Cybersecurity Risk Management Program
The AICPA defines an entity’s cybersecurity risk management program as “a set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.”
SOC Cybersecurity Framework
• Released in April 2017
• Intended to demonstrate the effectiveness of internal controls aimed at preventing and detecting cybersecurity threats
• Leverage cybersecurity frameworks to create a common language for reporting
Why Was the New SOC Framework Created?
• Increase in cyber crimes – focus on cybersecurity programs
• Limited industry standards to share reporting on cybersecurity risk management programs
• Internal stakeholders (e.g., the Board of Directors) as well as external stakeholders
Benefits of SOC for Cybersecurity
• Competitive advantage
• Providing customers with peace of mind that data is safeguarded
• Standardized solution
System & Organizational Controls (SOC) – Summary
Today, it is common for entities to outsource certain tasks or functions related to their business, even those that are core to their operations.
SOC Report Comparison
SOC 1
– Who are the users: users’ controller’s office; user auditors
– Why: audits of financial statements
– What: controls relevant to user financial reporting
SOC 2
– Who are the users: management; regulators; others
– Why: GRC programs; oversight; due diligence
– What: concerns regarding security, availability, processing integrity, confidentiality or privacy
SOC 3
– Who are the users: users with a need for confidence in a service organization’s controls
– Why: marketing purposes; detail not required
– What: easy-to-read report on controls
SOC for Cybersecurity
– Who are the users: management, analysts, investors, and others whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program
– Why: to provide intended users with information about an entity’s cybersecurity risk management program for making informed decisions
– What: (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) the controls within that program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
©2017 American Institute of CPAs
SOC for Cybersecurity
Cybersecurity Risk Management Program
Diagram: the SOC 2 criteria (IT General Controls; Privacy and Processing Integrity criteria; Security, Confidentiality & Availability criteria) shown in relation to the Cybersecurity Risk Management Program covered by SOC for Cybersecurity.
Cybersecurity Framework – How it is Different
• Report Purpose
• Intended Users
• Professional Standards
• Responsible Party
• Distribution
• Subject Matter
• Engagement Criteria
Components of the Cybersecurity report:
 Management’s description
 Management’s assertion
 Practitioner’s opinion
24
Cybersecurity Framework Key Criteria:
 Description Criteria:
– Prepare and evaluate presentation of description of
cybersecurity risk management program
 Control Criteria
– Evaluate effectiveness of controls to achieve cybersecurity
objectives
– May include NIST Cybersecurity Framework and/or revised
Trust services criteria
Report Structure – Program Description
Total of 9 sections to be addressed:
1. Nature of Business and Operations
2. Nature of Information at Risk
3. The Cybersecurity Risk Management Program Objectives
4. Factors That Have a Significant Effect on Inherent Cybersecurity Risks
5. Description of Cybersecurity Risk Governance Structure
6. Cybersecurity Risk Assessment Process
7. Cybersecurity Communications and the Quality of Cybersecurity Information
8. Monitoring of the Cybersecurity Risk Management Program
9. Cybersecurity Control Processes Disclosures
Report Structure – Control Criteria
• Leverage a recognized framework when implementing controls
– AICPA updated Trust Services Principles and Criteria for use as a cybersecurity control framework; or
• Alternate, recognized control frameworks
– ISO 27001 / 27002
– NIST Cybersecurity Framework
What Now?
• Establish stakeholder expectations
• Factor in stakeholder expectations and the expected communication plan
• Consider undertaking a readiness review to:
– Validate you’re using a cybersecurity framework to develop an effective program
– Identify potential gaps
• Determine next steps, including remediation
Questions?
If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us:
Dan Vance
dvance@clarkschaefer.com
(614) 607-5788
Brian M Matteson
bmatteson@clarkschaefer.com
(614) 607-5289

Editor's Notes

  1. DeAnna Introductions.
  2. Brian Good afternoon everyone. Overview of the agenda
  3. Thank you so much for your time today, are there any questions?