SlideShare a Scribd company logo

SOC 2 presentation. Overview of SOC 2 assessment

Download as PPTX, PDF
M
Modu9

What is SOC2. Overview of SOC2 and approach on how to implement.

Technology
1 of 22
IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting
Contents © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 1  Introduction  SOC Assurance Reporting – Overview & Market Trends  Effectively using SOC reports  Conclusion  Q/A
Speed to Market Improve Working Capital Reduce Invested Capital Reduce Cost of Goods Sold Reduce SG&A Cloud Impact on Business Opportunities to Leverage Commoditized Enterprise Applications and Economies of Scale Virtualized Business Models Virtualized Technology Virtualized Processes Virtualized Organization Internet-based data access & exchange © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 2 Internet-based access to low cost computing & applications + Cloud Environment =
KPMG Recent Survey 68% 40% 9% 6% 10% 7% 0% 40% 28% 20% 60% 80% 100% Already using Cloud Planning to do so within next 2 years Planning to do so Planning to do so No, not at this time Not sure what the in 2-3 years in 3+ years plans are 68% Over 2/3 Are Already Using Cloud or Plan To In Next 2 Years © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 3
Key Security Challenges Security has been the greatest concern surrounding Cloud Adoption at enterprises © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 4
Complexity and Exposure define assurance model Employees, Private Intranet Internal External Strangers, Public Internet Proprietary, Distributed, Complex Cloud Computing Model Exposure Reliance on Internal Controls Need for Increased assurance Private Cloud Outsourced Data Center Traditional Familiar, Simple External Portal Virtual Private Cloud Public Cloud Corporate Data Center © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 5
Service Organization Control Assurance Reporting – O • verview and Market Trends
Service Organization Control (SOC) Assurance Reporting Scope/Focus Report Summary Applicability Internal Control Over Financial Reporting (ICOFR) ISAE3402 / SOC1* Detailed report for users and their auditors  Focused on financial reporting risks and controls specified by the service provider.  Most applicable when the service provider performs financial transaction processing or supports transaction processing systems. Operational Controls ISAE3000/ SOC2SM Detailed report for user organizations, their auditors, and specified parties  Focused on Trust Services Principles: - Security - Availability - Confidentiality - Processing Integrity and/or - Privacy.  Applicable to a broader variety of systems. ISAE3000 / SOC3SM** Short report that can be more generally distributed, with the option of displaying a web site seal * Sometimes also referred to as an SSAE 16, AT 801 ** Sometimes also referred to as a SysTrust, WebTrust, or Trust Services report © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 7
Type 1 and Type 2 Reports © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 8  Point in time reports (Type 1) reports cover the suitability of design of controls as of a point in time. The Type I report is a snapshot in time.  Period of time (Type 2) reports cover the suitability of design and operating effectiveness of controls over a period of time, typically 6 or 12 months.  For example, a service organization providing a new service might start by completing an initial SOC2 Type 1 examination and then complete recurring SOC2 Type 2 examinations. Generally, when talking about a service organization control report, a Type II report is meant. A Type I report should be seen as an informative report.
Contrasting SOC2/SOC3 and SOC1 Report Scope © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 9 Attribute SOC2/SOC3 SOC1 Required Focus  Operational Controls  ICOFR Defined Scope of System  Infrastructure  Software  Procedures  People  Data  Classes of transactions  Procedures for processing and reporting transactions  Accounting records of the system  Handling of significant events and conditions other than transactions  Report preparation for users  Other aspects relevant to processing and reporting user transactions Control Domains Covered  Security  Availability  Confidentiality  Processing Integrity and/or  Privacy  Transaction processing controls  Supporting IT general controls Level of Standardization  Principles selected by service provider.  Pre-defined criteria used rather than control objectives.  Control objectives defined by service provider and may vary depending on the type of service provided.
Applicability of Trust Services Principles © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 10 Domain Trust Services Principle Trends Regarding Applicability Security  The system is protected against unauthorized access (both physical and logical).  Most commonly requested area of coverage.  Security criteria are also incorporated into the other principles because security controls provide a foundation for the other domains.  Applicable to all outsourced environments, particularly where enterprise users require assurance regarding the service provider’s security controls for any system, non- financial or financial. Availability  The system is available for operation and use as committed or agreed.  Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering.  Most applicable where enterprise users require assurance regarding processes to achieve system availability SLAs as well as disaster recovery which cannot be covered as part of SOC1 reports
Applicability of Trust Services Principles (continued) © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 11 Domain Trust Services Principle Trends Regarding Applicability Confidentiality  Information designated as confidential is protected as committed or agreed.  Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information.  Applicable where a service provider is entrusted to maintain the confidentiality of an enterprise customer’s data of all types. Processing Integrity  System processing is complete, accurate, timely, and authorized.  Potentially applicable for a wide variety of non-financial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing. Privacy  Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles and regulatory frameworks.  Most applicable where the service provider interacts directly with end users and gathers their personal information.  Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program.
SOC2/SOC3 Criteria Summary © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 12 Security  Security policies  Security awareness and communication  Risk assessment  Threat identification  Information classification  Logical access  Physical access  Security monitoring  Incident management  Encryption  Personnel  Systems development and maintenance  Configuration management  Change management  Monitoring / compliance Availability Confidentiality Processing Integrity Privacy  Availability policy  Backup and restoration  Environmental controls  Disaster recovery  Confidentiality policy  Confidentiality of inputs, data processing, and outputs  Information disclosures  Confidentiality of Information in systems development  System processing integrity policies  Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs  Information tracing from source to disposition  Management  Notice  Choice and consent  Collection  Use and retention  Access  Disclosure to third parties  Quality  Monitoring and enforcement
Contrasting the level of detail provided by SOC 2 and SOC 3 reports © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 13 SOC 2 SOC 3 Common benefits Detailed examination based on defined Criteria for Security, Availability, Confidentiality, Processing Integrity, and/ or Privacy  Report includes a brief system description  Report includes management’s assertion regarding controls Where subservice providers are used, management may include its monitoring controls over of those operations. Unique benefits SOC 2 is more flexible than SOC 3 for the service provider in that it permits carve out of supporting services provided by subservice providers. SOC 2 includes detail on the service provider’s controls as well as the auditor’s detailed test procedures, and test results, enabling the reader of the report to assess the service provider at a more granular level. SOC 3 provides an overall conclusion on whether the service provider achieved the stated Trust Services Criteria, and the user does not need to digest pages of detailed control descriptions, and test procedures. If the service provider meets all of the Criteria, it may choose to display the SOC 3 seal on its Web site which links to the SOC 3 report. Potential drawbacks  The user may need to obtain additional reports from significant subservice providers to gain comfort over their activities. The user may not want to review the detail of the report (controls, tests, etc.) rather than an overall conclusion. Service providers may not be willing to share a detailed report due to concerns regarding disclosing sensitive information (i.e., detailed security controls). SOC 3 does not permit carve-out of significant subservice provider activities. If it is not feasible to cover those activities as part of the service provider’s audit, SOC 3 is not an available option. If one or more of the Criteria are not met, the service provider would not be able to display the SOC 3 seal until the issue(s) are corrected, and re-audited.
SOC report structure © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 14 Traditional SAS 70 SOC1 SOC 2 SOC 3 Auditor’s Opinion Auditor’s Opinion Auditor’s Opinion Auditor’s Opinion - Management Assertion Management Assertion Management Assertion System Description (including controls) System Description (including controls) System Description (including controls) System Description (including controls) Control objectives Control objectives Criteria Criteria (referenced) Control activities Control activities Control activities - Tests of operating effectiveness* Tests of operating effectiveness* Tests of operating effectiveness* - Results of tests* Results of tests* Results of tests* - Other Information (if applicable) Other Information (if applicable) Other Information (if applicable) - * Note: Applicable for Type 2 reports
Effectively Using SOC Reports
SOC Reports for Different Scenarios SOC1 Financial Reporting Controls SOC2/SOC3 Operational Controls  Financial services  Asset management and custody services  Healthcare claims processing  Payroll processing  Payment processing  Cloud ERP service  Data center co-location  IT systems management  Cloud-based services (SaaS, PaaS, IaaS)  HR services  Security services  Email, collaboration and communications  Any service where customers’ primary concern is security, availability or privacy Security Processing Integrity Availability Confidentiality Privacy Financial Process and Supporting System Controls © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 16
Using SOC Reports to Streamline Vendor Questionnaire Processing and Assist with Regulatory Compliance © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 17  The SOC2 report can serve as a tool to:  Answer questions that would ordinarily be included in vendor questionnaires  Assist user organizations in addressing regulatory compliance requirements such as those imposed by SOX-404 and Data Protection law and other local regulatory requirements (i.e.BoG Governors’s act 2577/2006)  As shown below, the service provider could include a mapping table in the Other Information section of the SOC2 report showing how their controls align with common vendor security questionnaire topics or the requirements of a specific standard/regulation (for example, ISO 27001/27002). SAMPLE – Relation of Service Provider’s Controls to ISO 27001/27002 Control Objectives Service Provider has developed its controls to align with the ISO 27001/27002 control objectives. Included below is a mapping of the ISO 27001/27002 topics to related Service Provider controls covered in this report. ISO 27001/27002 Control Objective Topics Related Service Provider Controls A.5.1 Information security policy 1.01.01, 1.02.01 A.6.1 Internal organization 1.03.01 A.6.2 External parties 1.02.02 … …
Our IT Attestation Methodology The following diagram provides an overview of our ITAttestation approach. It reflects our “Manage to Success” philosophy for first year audits. • Define the audit scope. Select relevant principles/criteria and determine which systems, processes, and groups are in scope. • Identify key controls that are in place or needed to address the audit objectives or criteria. • Conduct interviews; review system documentation, policies, and procedures; and perform focused tests to identify any significant gaps. • Provide recommendations to address identified gaps. Readiness Review © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 18 Remediation • Conduct periodic meetings or conference calls to review remediation progress and answer any questions. • Plan the timing of the audit. Attestation • Provide documentation requests and schedule interviews. • Perform test procedures to determine whether controls are properly designed and operating effectively to achieve the audit objective or criteria. • Issue KPMG’s examination report. • Provide a management report reflecting any observations and recommendations.
Conclusion © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 19 Service Organization User Organization - Provide a competitive advantage - The SO can avoid unexpected audits - Assist in building trust & confidence - SOC2/3 can incorporate other publically available frameworks such as ISO 2700x, PCI/ etc. - Provide an independent assessment - Assist with regulatory compliance - Reduce the possibility of additional audit costs - Increase audit efficiency ISAE 3402 ISAE 3000
Q & A
Thank You © 2013 KPMG Advisors AE, a Greek Societe Anonyme and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").

Recommended

Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelinesamburyj3c9
 
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...Knowledge Group
 
Zimory White Paper: Security in the Cloud pt 1/2
Zimory White Paper: Security in the Cloud pt 1/2Zimory White Paper: Security in the Cloud pt 1/2
Zimory White Paper: Security in the Cloud pt 1/2Zimory
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
Symantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR ComplianceSymantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR ComplianceSymantec
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_servicesG. Subramanian
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 

Recommended

Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelinesamburyj3c9
 
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...Knowledge Group
 
Zimory White Paper: Security in the Cloud pt 1/2
Zimory White Paper: Security in the Cloud pt 1/2Zimory White Paper: Security in the Cloud pt 1/2
Zimory White Paper: Security in the Cloud pt 1/2Zimory
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
Symantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR ComplianceSymantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR ComplianceSymantec
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_servicesG. Subramanian
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Financial Services-ready Public Cloud white paper [march 9, 2020]
Financial Services-ready Public Cloud white paper [march 9, 2020]Financial Services-ready Public Cloud white paper [march 9, 2020]
Financial Services-ready Public Cloud white paper [march 9, 2020]Scott Satterwhite
 
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET Journal
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Evolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesEvolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesHugo Rodrigues
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpJason Lackey
 
DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022FinTech Belgium
 
Internal Audit
Internal AuditInternal Audit
Internal AuditNigel Robinson
 
Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Amazon Web Services
 
Identity privacy and data protection in the cloud – what is being done is it ...
Identity privacy and data protection in the cloud – what is being done is it ...Identity privacy and data protection in the cloud – what is being done is it ...
Identity privacy and data protection in the cloud – what is being done is it ...Mark Skilton
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
Iaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd Iaetsd
 
The Virtual Security Officer Platform
The Virtual Security Officer PlatformThe Virtual Security Officer Platform
The Virtual Security Officer PlatformShanmugavel Sankaran
 
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...Positive Hack Days
 
Cloud computing risk assesment report
Cloud computing risk assesment reportCloud computing risk assesment report
Cloud computing risk assesment reportAhmad El Tawil
 
CNL Software PSIM Presentation - Information Management within Physical Security
CNL Software PSIM Presentation - Information Management within Physical SecurityCNL Software PSIM Presentation - Information Management within Physical Security
CNL Software PSIM Presentation - Information Management within Physical SecurityAdlan Hussain
 
Escrow Presentation
Escrow PresentationEscrow Presentation
Escrow Presentationlucydavidson
 
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Amazon Web Services
 
Protect Intellectual Property While Offshore Outsourcing
Protect Intellectual Property While Offshore OutsourcingProtect Intellectual Property While Offshore Outsourcing
Protect Intellectual Property While Offshore OutsourcingR Systems International
 
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxvrickens
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdfroguelogics
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

More Related Content

Similar to SOC 2 presentation. Overview of SOC 2 assessment

Financial Services-ready Public Cloud white paper [march 9, 2020]
Financial Services-ready Public Cloud white paper [march 9, 2020]Financial Services-ready Public Cloud white paper [march 9, 2020]
Financial Services-ready Public Cloud white paper [march 9, 2020]Scott Satterwhite
 
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET Journal
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Evolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesEvolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesHugo Rodrigues
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpJason Lackey
 
DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022FinTech Belgium
 
Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Amazon Web Services
 
Identity privacy and data protection in the cloud – what is being done is it ...
Identity privacy and data protection in the cloud – what is being done is it ...Identity privacy and data protection in the cloud – what is being done is it ...
Identity privacy and data protection in the cloud – what is being done is it ...Mark Skilton
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
Iaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd Iaetsd
 
The Virtual Security Officer Platform
The Virtual Security Officer PlatformThe Virtual Security Officer Platform
The Virtual Security Officer PlatformShanmugavel Sankaran
 
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...Positive Hack Days
 
Cloud computing risk assesment report
Cloud computing risk assesment reportCloud computing risk assesment report
Cloud computing risk assesment reportAhmad El Tawil
 
CNL Software PSIM Presentation - Information Management within Physical Security
CNL Software PSIM Presentation - Information Management within Physical SecurityCNL Software PSIM Presentation - Information Management within Physical Security
CNL Software PSIM Presentation - Information Management within Physical SecurityAdlan Hussain
 
Escrow Presentation
Escrow PresentationEscrow Presentation
Escrow Presentationlucydavidson
 
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Amazon Web Services
 
Protect Intellectual Property While Offshore Outsourcing
Protect Intellectual Property While Offshore OutsourcingProtect Intellectual Property While Offshore Outsourcing
Protect Intellectual Property While Offshore OutsourcingR Systems International
 
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxvrickens
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdfroguelogics
 

Similar to SOC 2 presentation. Overview of SOC 2 assessment (20)

Financial Services-ready Public Cloud white paper [march 9, 2020]
Financial Services-ready Public Cloud white paper [march 9, 2020]Financial Services-ready Public Cloud white paper [march 9, 2020]
Financial Services-ready Public Cloud white paper [march 9, 2020]
 
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Evolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesEvolution security controls towards Cloud Services
Evolution security controls towards Cloud Services
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can Help
 
DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022DFS22_Main Stage_Thomas Meyer_KPMG_041022
DFS22_Main Stage_Thomas Meyer_KPMG_041022
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
 
Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both Cloud-Based Innovation and Information Security - Choose Both
Cloud-Based Innovation and Information Security - Choose Both
 
Identity privacy and data protection in the cloud – what is being done is it ...
Identity privacy and data protection in the cloud – what is being done is it ...Identity privacy and data protection in the cloud – what is being done is it ...
Identity privacy and data protection in the cloud – what is being done is it ...
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
Iaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems using
 
The Virtual Security Officer Platform
The Virtual Security Officer PlatformThe Virtual Security Officer Platform
The Virtual Security Officer Platform
 
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
 
Cloud computing risk assesment report
Cloud computing risk assesment reportCloud computing risk assesment report
Cloud computing risk assesment report
 
CNL Software PSIM Presentation - Information Management within Physical Security
CNL Software PSIM Presentation - Information Management within Physical SecurityCNL Software PSIM Presentation - Information Management within Physical Security
CNL Software PSIM Presentation - Information Management within Physical Security
 
Escrow Presentation
Escrow PresentationEscrow Presentation
Escrow Presentation
 
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019
 
Protect Intellectual Property While Offshore Outsourcing
Protect Intellectual Property While Offshore OutsourcingProtect Intellectual Property While Offshore Outsourcing
Protect Intellectual Property While Offshore Outsourcing
 
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

SOC 2 presentation. Overview of SOC 2 assessment

  • 1. IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting
  • 2. Contents © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 1  Introduction  SOC Assurance Reporting – Overview & Market Trends  Effectively using SOC reports  Conclusion  Q/A
  • 3. Speed to Market Improve Working Capital Reduce Invested Capital Reduce Cost of Goods Sold Reduce SG&A Cloud Impact on Business Opportunities to Leverage Commoditized Enterprise Applications and Economies of Scale Virtualized Business Models Virtualized Technology Virtualized Processes Virtualized Organization Internet-based data access & exchange © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 2 Internet-based access to low cost computing & applications + Cloud Environment =
  • 4. KPMG Recent Survey 68% 40% 9% 6% 10% 7% 0% 40% 28% 20% 60% 80% 100% Already using Cloud Planning to do so within next 2 years Planning to do so Planning to do so No, not at this time Not sure what the in 2-3 years in 3+ years plans are 68% Over 2/3 Are Already Using Cloud or Plan To In Next 2 Years © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 3
  • 5. Key Security Challenges Security has been the greatest concern surrounding Cloud Adoption at enterprises © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 4
  • 6. Complexity and Exposure define assurance model Employees, Private Intranet Internal External Strangers, Public Internet Proprietary, Distributed, Complex Cloud Computing Model Exposure Reliance on Internal Controls Need for Increased assurance Private Cloud Outsourced Data Center Traditional Familiar, Simple External Portal Virtual Private Cloud Public Cloud Corporate Data Center © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 5
  • 7. Service Organization Control Assurance Reporting – O • verview and Market Trends
  • 8. Service Organization Control (SOC) Assurance Reporting Scope/Focus Report Summary Applicability Internal Control Over Financial Reporting (ICOFR) ISAE3402 / SOC1* Detailed report for users and their auditors  Focused on financial reporting risks and controls specified by the service provider.  Most applicable when the service provider performs financial transaction processing or supports transaction processing systems. Operational Controls ISAE3000/ SOC2SM Detailed report for user organizations, their auditors, and specified parties  Focused on Trust Services Principles: - Security - Availability - Confidentiality - Processing Integrity and/or - Privacy.  Applicable to a broader variety of systems. ISAE3000 / SOC3SM** Short report that can be more generally distributed, with the option of displaying a web site seal * Sometimes also referred to as an SSAE 16, AT 801 ** Sometimes also referred to as a SysTrust, WebTrust, or Trust Services report © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 7
  • 9. Type 1 and Type 2 Reports © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 8  Point in time reports (Type 1) reports cover the suitability of design of controls as of a point in time. The Type I report is a snapshot in time.  Period of time (Type 2) reports cover the suitability of design and operating effectiveness of controls over a period of time, typically 6 or 12 months.  For example, a service organization providing a new service might start by completing an initial SOC2 Type 1 examination and then complete recurring SOC2 Type 2 examinations. Generally, when talking about a service organization control report, a Type II report is meant. A Type I report should be seen as an informative report.
  • 10. Contrasting SOC2/SOC3 and SOC1 Report Scope © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 9 Attribute SOC2/SOC3 SOC1 Required Focus  Operational Controls  ICOFR Defined Scope of System  Infrastructure  Software  Procedures  People  Data  Classes of transactions  Procedures for processing and reporting transactions  Accounting records of the system  Handling of significant events and conditions other than transactions  Report preparation for users  Other aspects relevant to processing and reporting user transactions Control Domains Covered  Security  Availability  Confidentiality  Processing Integrity and/or  Privacy  Transaction processing controls  Supporting IT general controls Level of Standardization  Principles selected by service provider.  Pre-defined criteria used rather than control objectives.  Control objectives defined by service provider and may vary depending on the type of service provided.
  • 11. Applicability of Trust Services Principles © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 10 Domain Trust Services Principle Trends Regarding Applicability Security  The system is protected against unauthorized access (both physical and logical).  Most commonly requested area of coverage.  Security criteria are also incorporated into the other principles because security controls provide a foundation for the other domains.  Applicable to all outsourced environments, particularly where enterprise users require assurance regarding the service provider’s security controls for any system, non- financial or financial. Availability  The system is available for operation and use as committed or agreed.  Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering.  Most applicable where enterprise users require assurance regarding processes to achieve system availability SLAs as well as disaster recovery which cannot be covered as part of SOC1 reports
  • 12. Applicability of Trust Services Principles (continued) © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 11 Domain Trust Services Principle Trends Regarding Applicability Confidentiality  Information designated as confidential is protected as committed or agreed.  Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information.  Applicable where a service provider is entrusted to maintain the confidentiality of an enterprise customer’s data of all types. Processing Integrity  System processing is complete, accurate, timely, and authorized.  Potentially applicable for a wide variety of non-financial and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing. Privacy  Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles and regulatory frameworks.  Most applicable where the service provider interacts directly with end users and gathers their personal information.  Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program.
  • 13. SOC2/SOC3 Criteria Summary © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 12 Security  Security policies  Security awareness and communication  Risk assessment  Threat identification  Information classification  Logical access  Physical access  Security monitoring  Incident management  Encryption  Personnel  Systems development and maintenance  Configuration management  Change management  Monitoring / compliance Availability Confidentiality Processing Integrity Privacy  Availability policy  Backup and restoration  Environmental controls  Disaster recovery  Confidentiality policy  Confidentiality of inputs, data processing, and outputs  Information disclosures  Confidentiality of Information in systems development  System processing integrity policies  Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs  Information tracing from source to disposition  Management  Notice  Choice and consent  Collection  Use and retention  Access  Disclosure to third parties  Quality  Monitoring and enforcement
  • 14. Contrasting the level of detail provided by SOC 2 and SOC 3 reports © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 13 SOC 2 SOC 3 Common benefits Detailed examination based on defined Criteria for Security, Availability, Confidentiality, Processing Integrity, and/ or Privacy  Report includes a brief system description  Report includes management’s assertion regarding controls Where subservice providers are used, management may include its monitoring controls over of those operations. Unique benefits SOC 2 is more flexible than SOC 3 for the service provider in that it permits carve out of supporting services provided by subservice providers. SOC 2 includes detail on the service provider’s controls as well as the auditor’s detailed test procedures, and test results, enabling the reader of the report to assess the service provider at a more granular level. SOC 3 provides an overall conclusion on whether the service provider achieved the stated Trust Services Criteria, and the user does not need to digest pages of detailed control descriptions, and test procedures. If the service provider meets all of the Criteria, it may choose to display the SOC 3 seal on its Web site which links to the SOC 3 report. Potential drawbacks  The user may need to obtain additional reports from significant subservice providers to gain comfort over their activities. The user may not want to review the detail of the report (controls, tests, etc.) rather than an overall conclusion. Service providers may not be willing to share a detailed report due to concerns regarding disclosing sensitive information (i.e., detailed security controls). SOC 3 does not permit carve-out of significant subservice provider activities. If it is not feasible to cover those activities as part of the service provider’s audit, SOC 3 is not an available option. If one or more of the Criteria are not met, the service provider would not be able to display the SOC 3 seal until the issue(s) are corrected, and re-audited.
  • 15. SOC report structure © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 14 Traditional SAS 70 SOC1 SOC 2 SOC 3 Auditor’s Opinion Auditor’s Opinion Auditor’s Opinion Auditor’s Opinion - Management Assertion Management Assertion Management Assertion System Description (including controls) System Description (including controls) System Description (including controls) System Description (including controls) Control objectives Control objectives Criteria Criteria (referenced) Control activities Control activities Control activities - Tests of operating effectiveness* Tests of operating effectiveness* Tests of operating effectiveness* - Results of tests* Results of tests* Results of tests* - Other Information (if applicable) Other Information (if applicable) Other Information (if applicable) - * Note: Applicable for Type 2 reports
  • 17. SOC Reports for Different Scenarios SOC1 Financial Reporting Controls SOC2/SOC3 Operational Controls  Financial services  Asset management and custody services  Healthcare claims processing  Payroll processing  Payment processing  Cloud ERP service  Data center co-location  IT systems management  Cloud-based services (SaaS, PaaS, IaaS)  HR services  Security services  Email, collaboration and communications  Any service where customers’ primary concern is security, availability or privacy Security Processing Integrity Availability Confidentiality Privacy Financial Process and Supporting System Controls © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 16
  • 18. Using SOC Reports to Streamline Vendor Questionnaire Processing and Assist with Regulatory Compliance © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 17  The SOC2 report can serve as a tool to:  Answer questions that would ordinarily be included in vendor questionnaires  Assist user organizations in addressing regulatory compliance requirements such as those imposed by SOX-404 and Data Protection law and other local regulatory requirements (i.e.BoG Governors’s act 2577/2006)  As shown below, the service provider could include a mapping table in the Other Information section of the SOC2 report showing how their controls align with common vendor security questionnaire topics or the requirements of a specific standard/regulation (for example, ISO 27001/27002). SAMPLE – Relation of Service Provider’s Controls to ISO 27001/27002 Control Objectives Service Provider has developed its controls to align with the ISO 27001/27002 control objectives. Included below is a mapping of the ISO 27001/27002 topics to related Service Provider controls covered in this report. ISO 27001/27002 Control Objective Topics Related Service Provider Controls A.5.1 Information security policy 1.01.01, 1.02.01 A.6.1 Internal organization 1.03.01 A.6.2 External parties 1.02.02 … …
  • 19. Our IT Attestation Methodology The following diagram provides an overview of our ITAttestation approach. It reflects our “Manage to Success” philosophy for first year audits. • Define the audit scope. Select relevant principles/criteria and determine which systems, processes, and groups are in scope. • Identify key controls that are in place or needed to address the audit objectives or criteria. • Conduct interviews; review system documentation, policies, and procedures; and perform focused tests to identify any significant gaps. • Provide recommendations to address identified gaps. Readiness Review © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 18 Remediation • Conduct periodic meetings or conference calls to review remediation progress and answer any questions. • Plan the timing of the audit. Attestation • Provide documentation requests and schedule interviews. • Perform test procedures to determine whether controls are properly designed and operating effectively to achieve the audit objective or criteria. • Issue KPMG’s examination report. • Provide a management report reflecting any observations and recommendations.
  • 20. Conclusion © 2013 KPMG AdvisorsAE, a Greek Societe Anonyme and a memberfirmof the KPMG network of independent memberfirmsaffiliatedwith KPMG InternationalCooperative("KPMG International"),a Swiss entity. All rights reserved. 19 Service Organization User Organization - Provide a competitive advantage - The SO can avoid unexpected audits - Assist in building trust & confidence - SOC2/3 can incorporate other publically available frameworks such as ISO 2700x, PCI/ etc. - Provide an independent assessment - Assist with regulatory compliance - Reduce the possibility of additional audit costs - Increase audit efficiency ISAE 3402 ISAE 3000
  • 21. Q & A
  • 22. Thank You © 2013 KPMG Advisors AE, a Greek Societe Anonyme and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").