SOC and the Cybersecurity Threat
October 12, 2017
Dan Vance, Director
Brian M. Matteson, Manager
Introductions
Dan Vance, CPA
Director: Governance, Risk and Compliance
• Oversight of SOC, internal audit and compliance
• Extensive risk-based audit experience, planning and implementation
Brian M. Matteson, CISSP, CISA
Manager: IT, Security, and IT Audit
• Extensive experience in security strategy and architecture
• Oversight of IT projects in Columbus market
Today’s Agenda
• Cybersecurity & the Need for a Framework
• SOC Reporting – Background
• Cybersecurity Risk Management Reporting Framework
• SOC for Cybersecurity Engagement
Cybersecurity & the Need for a Framework
• Security incidents and data breaches are a daily occurrence and can do major damage
  – Equifax
  – Deloitte
  – WannaCry ransomware
  – Sonic Drive-In
Reasons Why a Cybersecurity Framework is Needed
1. Increasing number of cyber crimes
Source: Verizon 2017 Data Breach Investigations Report
Reasons Why a Cybersecurity Framework is Needed, cont.
2. Continued process failures
Source: Verizon 2017 Data Breach Investigations Report
Reasons Why a Cybersecurity Framework is Needed, cont.
3. Board of Directors’ focus on Cyber
• How to identify upcoming risks
• What policies are needed?
• What is their role in this area and what skillsets are required?
• How do they obtain comfort?
Reasons Why a Cybersecurity Framework is Needed, cont.
4. Rapidly changing regulatory environment
• Executive orders
• Federal agencies such as the SEC
• Banking regulators
• State level
• International
Reasons Why a Cybersecurity Framework is Needed, cont.
Cybersecurity Framework - Principles
• Should be principle-based
• Ability to leverage existing frameworks
• Incent positive action
SOC Reporting - Background
A Value Added Service
SOC attestation benefits:
1. Build trust with current customers and prospects
2. Assist with validating your risk management model and show business value
3. Find (and close) control/operational gaps
4. Customers are asking for SOC reports
Progression of the AICPA SOC Report
SAS 70
• Internal controls over financial reporting
• No longer referenced
SOC 1
• Internal controls over financial reporting
SOC 2 & 3
• Controls related to security, availability, confidentiality, processing integrity and/or privacy
SOC for Cybersecurity
• Cybersecurity risk management framework
SOC Reports – Which Report is Right for You?
©2017 American Institute of CPAs
Which SOC Report is Right for You?
• Will the report be used by your customers and their auditors to plan/perform an audit of their financial statements? Yes: SOC 1
• Will the report be used by customers/stakeholders to gain confidence and place trust in a service organization’s system? Yes: SOC 2 or SOC 3
• Do customers need to see details of the testing, including the results? Yes: SOC 2
• Do you need to make the report generally available? Yes: SOC 3
SOC for Cybersecurity
• A new SOC report where the AICPA has developed a cybersecurity risk management reporting framework. This report is appropriate for general use.
• We recommend using this framework to perform an initial readiness review of the effectiveness of your cybersecurity risk management program.
SOC for Vendor Supply Chains
Under Development - An internal controls report on a vendor’s manufacturing processes for customers of manufacturers and distributors to better understand the cybersecurity risk in their supply chains.
SOC 2 Overview
• The SOC 2 is a report on the non-financial controls, or trust service principles, associated with:
  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy
• SOC 1 and SOC 2 audiences often differ
• Industry trends of SOC 2 growth:
  – Technology
  – Healthcare
  – Financial Services
  – Other
Cybersecurity Risk Management Reporting Framework
Cybersecurity Risk Management Program
The AICPA defines an entity’s cybersecurity risk management program as “a set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.”
SOC Cybersecurity Framework
• Released in April 2017
• Intended to demonstrate the effectiveness of internal controls aimed at preventing and detecting cybersecurity threats
• Leverages cybersecurity frameworks to create a common language for reporting
Why Was New SOC Framework Created?
• Increase in cyber crimes – focus on cybersecurity programs
• Limited industry standards to share reporting on cybersecurity risk management programs
• Internal stakeholders (e.g., the Board of Directors) as well as external stakeholders
Benefits of SOC for Cybersecurity
• Competitive advantage
• Providing customers with peace of mind that data is safeguarded
• Standardized solution
System & Organizational Controls (SOC) - Summary
Today, it is common for entities to outsource certain tasks or functions related to their business, even those that are core to their operations.
SOC Report Comparison
SOC 1
• Who are the users: users’ controller’s office; user auditors
• Why: audits of financial statements
• What: controls relevant to user financial reporting
SOC 2
• Who are the users: management; regulators; others
• Why: GRC programs; oversight; due diligence
• What: concerns regarding security, availability, processing integrity, confidentiality or privacy
SOC 3
• Who are the users: users with a need for confidence in a service organization’s controls
• Why: marketing purposes; detail not required
• What: easy-to-read report on controls
SOC for Cybersecurity
• Who are the users: management, analysts, investors, and others whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program
• Why: to provide intended users with information about an entity’s cybersecurity risk management program for making informed decisions
• What: (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) the controls within that program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
©2017 American Institute of CPAs
SOC for Cybersecurity
Cybersecurity Risk Management Program
[Diagram: the cybersecurity risk management program shown in relation to SOC 2, covering IT general controls; privacy and processing integrity criteria; and security, confidentiality and availability criteria]
Cybersecurity Framework – How it is Different
• Report Purpose
• Intended Users
• Professional Standards
• Responsible Party
• Distribution
• Subject Matter
• Engagement Criteria
Components of the Cybersecurity report:
 Management’s description
 Management’s assertion
 Practitioner’s opinion
24
Cybersecurity Framework Key Criteria:
 Description Criteria:
– Prepare and evaluate presentation of description of
cybersecurity risk management program
 Control Criteria
– Evaluate effectiveness of controls to achieve cybersecurity
objectives
– May include NIST Cybersecurity Framework and/or revised
Trust services criteria
Report Structure – Program Description
Total of 9 sections to be addressed:
1. Nature of Business and Operations
2. Nature of Information at Risk
3. The Cybersecurity Risk Management Program Objectives
4. Factors That Have a Significant Effect on Inherent Cybersecurity Risks
5. Description of Cybersecurity Risk Governance Structure
6. Cybersecurity Risk Assessment Process
7. Cybersecurity Communications and the Quality of Cybersecurity Information
8. Monitoring of the Cybersecurity Risk Management Program
9. Cybersecurity Control Processes Disclosures
Report Structure – Control Criteria
• Leverage a recognized framework when implementing controls
  – AICPA updated Trust Services Principles and Criteria for use as cybersecurity control framework; or
• Alternate, recognized control frameworks
  – ISO 27001 / 27002
  – NIST Cybersecurity Framework
What Now?
• Establish stakeholder expectations
• Factor in stakeholder expectations and expected communication plan
• Consider undertaking a readiness review to:
  – Validate you’re using a cybersecurity framework to develop an effective program
  – Identify potential gaps
• Determine next steps including remediation
Questions?
If you wish to discuss any aspect of this presentation in
more detail, please feel free to contact us:
Dan Vance
dvance@clarkschaefer.com
(614) 607-5788
Brian M Matteson
bmatteson@clarkschaefer.com
(614) 607-5289

SOC for Cybersecurity Overview


Editor's Notes

  • #3 DeAnna Introductions.
  • #4 Brian Good afternoon everyone. Overview of the agenda
  • #29  Thank you so much for your time today, are there any questions?