TPR Cloud Computing SOC 2x


The Unique Alternative to the Big Four®
SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers
August 2014
Agenda
• Overview of Cloud Computing
• Importance of Third Party Risk Management
• SOC Reports – A Method of Third Party Risk Management
• Alignment of Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) and SOC 2 Trust Services Principles (TSP)
• Summary and Conclusion
• Q&A
Audit | Tax | Advisory | Risk | Performance
© 2014 Crowe Horwath LLP
What is Cloud Computing
• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources.
• Networks, servers, storage, applications, and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Opportunities
• Cost savings – Customers pay for only the computing resources used. There are no physical space requirements or utility costs. All dollars are expensed (that is, receive a U.S. tax benefit).
• Speed of deployment – The time to fulfill requests for computing power and applications can change from months to weeks, weeks to days, and days to hours.
• Scalability and better alignment of technology resources – Companies can scale up or down their capacity without capital expenditures.
• Decreased effort in managing technology – Cloud computing provides the organization more time to focus on core purpose and goals; more consistent technology upgrades; and expedited fulfillment of IT resource requests.
• Environmental benefits – Significant adoption of cloud computing should yield less overall power consumption, carbon emissions, and physical land use.
Risks
Some of the typical risks associated with cloud computing are:
• Disruptive force
• Residing in the same risk ecosystem as the cloud service provider (CSP) and other tenants of the cloud
• Lack of transparency
• Reliability and performance issues
• Vendor lock-in and lack of application portability and interoperability
• Security and compliance concerns
• Creation of high-value cyber-attack targets
• Risk of data leakage
• IT organizational changes
• Viability of the CSP
Changes in the Operating Environment With Cloud Computing
• Risks and other cloud computing effects should be incorporated in ERM programs.
• Organizations can engage cloud computing solutions while bypassing normal management oversight controls.
• Cloud computing solutions a) are easily adopted within a short period of time, b) require a small monetary investment, and c) involve very few personnel.
Risk Levels – Shared Control Environment
Shared Control Environment
• Risk Profile Impact of CSPs and fellow cloud tenants
  • Using cloud computing converts an organization’s internal environment into a combination of its own internal environment and the internal environment of the contracted CSP.
• Why Both?
  • Data and processes are hosted in a shared environment with other cloud tenants.
  • Behavior and events of the CSP and fellow tenants could have a direct impact on the organization.
Cloud Governance
• “Cloud governance” refers to the controls and processes in place for cloud planning and strategy, vendor selection, contract negotiation, implementation, operation, monitoring and possible termination and transition of cloud services.
Investing in Third Party Risk Management – Disruption of Service
[Chart: 0% to 100% axis comparing 2011, 2012 and 2013 on four measures: experienced at least one disruption; disruptions originated below the immediate tier one supplier; IT or telecommunication cause; suffered more than 1m Euro in costs per incident. One value is annotated “Japan earthquake”.]
Source: “Supply Chain Resilience,” November 2012 and November 2013, Business Continuity Institute
Investing in Third Party Risk Management – Data Breach
“On average, third party errors increased the cost of data breach by as much as $43 per record in the US”
[Chart: Cause of Data Breaches. Categories: malicious or criminal attack, human error, system error. Values shown on the chart, in extracted order: 26%, 41%, 33%.]
Source: “2013 Cost of Data Breach Study: Global Analysis”, Sponsored by Symantec, May 2013, Ponemon Institute
Third-Party Risk Management Concerns
[Chart: responses rated None, Minimal, Some or High, on a percentage axis, for each of the following areas:]
• Evaluating technology controls to protect data
• Determining protection of intellectual property
• Gaining assurance on compliance with laws and regulations
• Monitoring third party risk management practices
• Identifying or aggregating risks
• Obtaining internal audit coverage of key risk areas
• Collecting financial performance or other information
• Monitoring financial viability
• Evaluating quality of products
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Third Party Risk Management Activities
• Vendor management activities performed should be based on the risk associated with the vendor.
• In order to ensure the risks with outsourcing cloud services are properly addressed, organizations should consider performing the following activities:
  • Review cloud provider’s policies and procedures
  • Request cloud provider respond to internal control questionnaires
  • Perform an onsite review of cloud provider operations
  • Review a Service Organization Control (SOC) Report
• Organizations can use SOC reports to obtain a level of comfort over a cloud provider’s controls related to security, availability, processing integrity, confidentiality and privacy.
Service Organization Controls (SOC) Reports – Overview
• AICPA created separate reports on internal controls over financial reporting and reports on other types of controls.
• The AICPA has added additional reporting options. The three reporting options now are:
  • SOC 1
  • SOC 2
  • SOC 3
Types of SOC Reports
SOC 1 (SSAE 16 / AT 801)
• Internal controls related to financial reporting
SOC 2 (AT 101)
• Trust Services Principles
• Restricted Use Report
SOC 3 (AT 101)
• Trust Services Principles
• General use report
Who May Need to Issue a SOC 2 Report?
• Organizations that need to demonstrate how they process transactions and/or data on behalf of their customers
• Organizations that need to demonstrate how their security controls operate
• Organizations that need to demonstrate how their controls related to system availability function
• Organizations that need to demonstrate how their controls related to data privacy or confidentiality operate
• A Cloud Service Provider Fits These Characteristics!
Trust Services Principles
• Security – The system is protected against unauthorized access (both physical and logical).
• Availability – The system is available for operation and use as committed or agreed to.
• Confidentiality – Information designated as confidential is protected as committed or agreed to.
• Processing Integrity – System processing is complete, accurate, timely, and authorized.
• Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA).
Relationship Between Principles, Criteria and Controls
Principle
Criteria
Controls
Example Criteria and Illustrative Controls
Security Principle - Criteria 3.3
• Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Illustrative Controls:
• Physical access to the computer rooms, which house the entity's IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.
• Physical access cards are managed by building security staff. Access card usage is logged. Logs are maintained and reviewed by building security staff.
• Requests for physical access privileges to the entity's computer facilities require the approval of the manager of computer operations.
• Documented procedures exist for the identification and escalation of potential physical security breaches.
• Offsite media are stored in locked containers in secured facilities. Physical access to these containers is restricted to facilities personnel and employees authorized by the manager of computer operations.
Example Criteria and Illustrative Controls
Security Principle - Criteria 3.4
• Procedures exist to protect against unauthorized access to system resources.
Illustrative Controls:
• Login sessions are terminated after three unsuccessful login attempts. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific "client" software and user ID and passwords.
• Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.
• Unneeded network services (for example, telnet, ftp, and http) are deactivated on the entity's servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.
• Intrusion detection systems are used to provide continuous monitoring of the entity's network and early identification of potential security breaches.
• The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.
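The authorized-services control above can be tested by comparing what a server actually listens on with the maintained list. The following Python example is added here and is not part of the original presentation; the authorized list and the sample output (in the style of `ss -tlnH`) are constructed assumptions.

```python
# Added example: test the "authorized services" control against a host.
# SAMPLE_SS_OUTPUT is constructed, in the style of `ss -tlnH` output.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 32 *:21 *:*
"""

# Hypothetical authorized-services list, as the IT department would maintain it.
AUTHORIZED = {22: "ssh", 443: "https", 5432: "postgresql"}

# The services the slide names as examples of unneeded services.
NAMED_UNNEEDED = {21: "ftp", 23: "telnet", 80: "http"}


def listening_ports(ss_output):
    """Return the set of (address, port) pairs in LISTEN state."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            found.add((addr, int(port)))
    return found


def review(ss_output, authorized=AUTHORIZED):
    """Return exceptions: listening ports that are not on the authorized list."""
    exceptions = []
    for addr, port in sorted(listening_ports(ss_output), key=lambda p: p[1]):
        if port not in authorized:
            service = NAMED_UNNEEDED.get(port, "unknown")
            exceptions.append({"port": port, "address": addr, "service": service})
    return exceptions


def missing_authorized(ss_output, authorized=AUTHORIZED):
    """Return authorized ports not observed listening (the list may be stale)."""
    seen = {port for _, port in listening_ports(ss_output)}
    return sorted(set(authorized) - seen)


if __name__ == "__main__":
    for exc in review(SAMPLE_SS_OUTPUT):
        print("EXCEPTION: port {port} ({service}) on {address}".format(**exc))
    print("Authorized but not listening:", missing_authorized(SAMPLE_SS_OUTPUT))
```

Each exception is a candidate finding for the routine management review of the list; an authorized port that is never observed listening suggests the list itself needs updating.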
SOC Report Sections
SOC 2 Report Sections
Service Auditor’s Opinion
Management’s Assertion
Description of Systems
Test Results
Complementary Controls
Other Information
Cloud Control Matrix (CCM)
• Developed by the Cloud Security Alliance (CSA)
• Establishes a controls framework for cloud providers to follow
• Based on industry accepted control frameworks such as ISO 27001/27002, ISACA COBIT and NIST
• Provides guidance in the following domains:
1. Application and Interface Security
2. Audit Assurance and Compliance
3. Business Continuity Management & Operational Resilience
4. Change Control & Configuration Management
5. Data Security & Information Lifecycle Management
6. Datacenter Security
7. Encryption and Key Management
8. Governance and Risk Management
9. Human Resources
10. Identity and Access Management
11. Infrastructure & Virtualization Security
12. Interoperability & Portability
13. Mobile Security
14. Security Incident Management, E-Discovery & Cloud Forensics
15. Supply Chain Management, Transparency and Accountability
16. Threat and Vulnerability Management
CCM Controls Map to SOC 2 Criteria
CCM - Change Control and Configuration Management
• Control Specification:
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
• SOC 2 TSP Criteria:
  • (S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.
  • (S3.12.0) Procedures exist to maintain system components, including configurations consistent with the defined system security policies.
  • (S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
CCM Controls Map to SOC 2 Criteria
CCM – Datacenter Security
• Control Specification:
  • Physical access to information assets and functions by users and support personnel shall be restricted.
• SOC 2 TSP Criteria:
  • (S3.4.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
SOC Report Review
Organizations should obtain and formally review SOC reports.
The review should focus on the following:
• Report Type
  • Type 1 or Type 2
• Areas of Coverage/Scope
• Opinion
  • Unqualified or Qualified
• Subservice Organizations
• Description of Systems Content
• Test Results/Impact of Exceptions Noted
• Evaluation of User Control Considerations
Summary and Conclusion
Questions
For more information, contact:
Jeff Palgon
Direct 404.442.1623
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate
and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any
other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or
any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member
of Crowe Horwath International. © 2014 Crowe Horwath LLP