
Upload: schellman-company

Post on 16-Feb-2017


Page 1: SOC 2 and You

SOC 2 and You | 1

Overview & Updates

SOC 2 and You

Page 2: SOC 2 and You


Introduction

Page 3: SOC 2 and You

Instructors

Debbie Zaller, Principal

Completed SOC projects: 945

Danny Manimbo, Manager

Completed SOC projects: 185

Page 4: SOC 2 and You

Agenda

01. Background / Overview of SOC 2

02. The AICPA Framework

03. Purpose and Scope

04. The Anatomy

05. Considerations

06. Mapping – Other Standards

07. Q/A

Page 5: SOC 2 and You


Background & Overview 01

Page 6: SOC 2 and You


Growth & Popularity

Page 7: SOC 2 and You


Service Auditors

Page 8: SOC 2 and You


Service Providers

Page 9: SOC 2 and You

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved

User Entities

Page 10: SOC 2 and You


Why Do You Need a SOC Report?

Regulatory requirements

User entity mandates

Vendor management programs

Due diligence

Independent 3rd party opinion

Competition and market

Page 11: SOC 2 and You

Overview

• What is a SOC 2 report?

• How does a SOC 2 differ from a SOC 1 report?

• SOC 2 versus SOC 3

Page 12: SOC 2 and You


Overview of the AICPA Framework 02

Page 13: SOC 2 and You

AICPA SOC Framework

                    SOC 1                         SOC 2                          SOC 3
Standard/Guidance   SSAE 16:                      AT 101:                        AT 101:
                    AICPA Guide (2013)            AICPA Guide (2013)             Technical Practice Aid (2014)
Scope               ICFR                          Security/Systems, Privacy      Security/Systems, Privacy
Criteria            Control Objectives            Trust Services Principles/GAPP Trust Services Principles/GAPP
Usage of report     User auditor, user entity,    Knowledgeable parties          Anyone
                    management of SO

Page 14: SOC 2 and You


Purpose & Scope 03

Page 15: SOC 2 and You

Purpose

• What does SOC 2 cover?

• What does SOC 2 not cover?

Page 16: SOC 2 and You

Scope

• System

• Boundaries

• Commitments

• System Requirements

Page 17: SOC 2 and You


Principles

• Security

• Availability

• Processing Integrity

• Confidentiality

• Privacy

Page 18: SOC 2 and You

Principles

Common Criteria (Security):

1: Organization & Mgmt

2: Communications

3: Risk Mgmt & Controls

4: Monitoring of Controls

5: Logical and Physical Access

6: System Operations

7: Change Management

Page 19: SOC 2 and You

Principles

Availability: Common Criteria + 3

Processing Integrity: Common Criteria + 6

Confidentiality: Common Criteria + 6

Privacy: Common Criteria + 74

Page 20: SOC 2 and You

Report Type

• Type 1

• Type 2

Page 21: SOC 2 and You


The Anatomy 04

Page 22: SOC 2 and You


Report Structure

Service Auditor’s Report – “The Opinion”

Management’s Assertion

Description of the System

Tests of Controls and Corresponding Results

Additional Information – Provided by Service Organization

Page 23: SOC 2 and You

Service Auditor’s Report

Unqualified vs. Qualified

Page 24: SOC 2 and You

Management’s Assertion

• Commitment - suitability and accuracy

• Subservice organizations

Page 25: SOC 2 and You

System Description

• Management’s objective description of the services provided to user entities

• Components of a System Description

Page 26: SOC 2 and You

Test of Controls / Results

• Test procedures

• Results

• Deviations / Exceptions

Page 27: SOC 2 and You


Intended Use

• Management of service organization

• User entities of the services

• Other knowledgeable parties

Page 28: SOC 2 and You


Considerations 05

Page 29: SOC 2 and You


Relevance To The User

• RFP requirements

• Customer mandates

• Regulatory needs

• Vendor management process

Page 30: SOC 2 and You

Understanding Reporting

• SOC 1 vs. SOC 2

• AT 101

• AT 601

• Agreed Upon Procedures

• Readiness Assessment

• PCI

Page 31: SOC 2 and You

Education & Preparedness

• Contracts, RFP, SLA

• AICPA website

• Training and awareness

• Executive communication

• Discussion with service auditor

Page 32: SOC 2 and You

Control Environment

• Start-up

• Developing systems

• No customers yet

• Lack of documentation / evidence

• No monitoring of controls

Page 33: SOC 2 and You

Carve-out vs. Inclusive

• Subservice organization

• Carve-out method emphasis

• Inclusive method requirements

Page 34: SOC 2 and You

Risk Assessment & Scope

• Identify in-scope services

• Select physical locations

• Identify subservice organizations

• Identify risks

• Document processes

• Identify control activities

• Identify timeline

Page 35: SOC 2 and You

Readiness Assessment

• Internally

• Service auditors

Page 36: SOC 2 and You

Remediation

• Policies / Procedures

• Segregation of duties

• Monitoring

Page 37: SOC 2 and You

Audit Firm Selection

• Licensed CPA firm

• Independent

• Single vendor approach

• Audit team

Page 38: SOC 2 and You


Mapping to Other Standards 06

Page 39: SOC 2 and You

Other Standards

• SOC 1

• ISO 27001

• HIPAA

• HITRUST

• PCI

Page 40: SOC 2 and You


Questions & Answers 07

Page 41: SOC 2 and You


Join Us Next Time

Locking Up Your Cloud Environment:

Get Vital Information on ISO 27017 and ISO 27018

March 25th

www.schellmanco.com/resources

Page 42: SOC 2 and You


Debbie Zaller

[email protected]

866.254.0000 ext. 117

Danny Manimbo

[email protected]

866.254.0000 ext. 110

THANK YOU