Combined Compliance: A Pragmatic (?) Approach (Feb 2017)

Kevin Abbott
[email protected]
801.358.5748

The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:

Experience: We don’t hire rookies, and are not in the business of providing on-the-job training. We only hire extremely experienced professionals.

Flexibility: Enabling clients to determine how to best use our expertise and experienced resources. We’re flexible and work with you to achieve the project goals.

Efficiency: Ensuring engagements are effectively managed and efficiently executed. Part of our job is to make sure you don’t do too much, or too little.

Pragmatic Compliance: Does this concept really exist?

How did we all get HERE?

IaaS – PaaS – SaaS

[Figure: service-model stack (IaaS, PaaS, SaaS) showing the split between Customer Responsibility and Cloud Provider Responsibility]

How does this tie into Compliance? (and why do we do the Compliance Alphabet?)

Two sides of the 3rd Party Due Diligence / Compliance Coin

Consumer of 3rd Party Services: Validate their compliance
- What method is best?
- What frameworks?
- How often?

3rd Party Service Provider: Be compliant & undergo assessments
- What method is best?
- What frameworks?
- How often?

What Compliance Framework / Program Should my Company Choose?

[Figure: slide graphic of compliance frameworks (the "Compliance Alphabet"); only the label FDICIA survives in the transcript]

2017 RSA Security Conference Survey: "What is your most effective way to assess cloud provider risk?"

SOC2 Report: 48%
CSA STAR Report: 9%
ISO 27K Certificate: 9%
Onsite Audit: 7%
Send Questionnaires: 17%
Other: 10%

What is Combined Compliance?

• Evaluating multiple compliance frameworks / standards in one assessment
• Single universe of combined (mapped) controls
• The opposite of a “silo” compliance approach
• Requires understanding and planning

Is there a Pragmatic way to do this?

Recently from the Cloud Security Alliance:

“After careful consideration of alternatives, the Cloud Security Alliance has determined that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.”

Recently from the AICPA re: SOC2+

“A service organization may request that the service auditor’s report address either criteria in addition to the applicable trust services criteria or additional subject matter related to the service organization’s services using additional suitable criteria related to that subject matter, or both”

What is SOC Reporting?

Service Organization Control (SOC) Reports are third party attestation reports used by customers, prospective customers, and business partners to gain an understanding of the control environment at a service provider. Issued by a CPA firm with experience in SOC Reporting.

Various types of SOC reports:
• SOC1
• SOC2
• SOC3
• Type 1
• Type 2

SOC Report Types

SOC2 Principles

A SOC2 Report is based upon the below five Trust Principles. A report must include the Security Principle (Common Criteria), and may include any or all of the additional principles.

Security: The system is protected against unauthorized access, use, or modification. 28 required (common) criteria.

Availability: The system is available for operation and use as committed or agreed. 3 additional criteria.

Confidentiality: Information designated as confidential is protected as committed or agreed. 8 additional criteria.

Privacy: This principle addresses the system’s collection, use, retention, disclosure, and disposal of PII in accordance with commitments and system requirements. 20 additional criteria.

Processing Integrity: System processing is complete, valid, accurate, timely, and authorized. 6 additional criteria.

Common Criteria Framework

SOC2+ Report Elements

Section 1 – Audit Opinion: Opinion expressed over design (Type I) and operating effectiveness (Type II) of additional criteria.

Section 2 – Service Provider Assertion: Assertion extends to the additional criteria.

Section 3 – Service Provider System Description: Description may include additional information related to the new criteria / subject matter.

Section 4 – Control Mapping, Tests of Controls: Additional control mapping to the relevant criteria is documented in this section.

Section 5 – Additional Information: Optional section to document additional information from the service provider. Option to include additional controls / criteria mapping here.

SOC2+ Options

• Selected Trust Principle(s) plus:
  – HIPAA
  – HITRUST
  – CSA STAR
  – Other Suitable Criteria (PCI? ISO?)

HIPAA

• Generally required for entities that store or transmit PHI
• Administered / Enforced by the Office for Civil Rights (OCR) and Department of Health and Human Services (HHS)
• Framework includes the Security Rule, Privacy Rule, and Breach Notification
• Lacks good audit reporting vehicle

HITRUST

• HITRUST Alliance founded in 2007
• Created a common risk and compliance framework meant to bridge other frameworks, including HIPAA
• Certifies Audit firms to perform assessments

CSA STAR

• Cloud Security Alliance
• Created mapping document, and resulting STAR framework to assess cloud provider security.

Others?

• PCI?
• ISO?
• FedRAMP?

Benefits of SOC2+

Service Provider Benefits
• SOC2+ report can be customized to meet many (or all) of the assurance needs of a customer.
• Efficient use of time / resources (responding to vendor questionnaires, on-site audits, multiple external audits, etc.)

Customer Benefits
• Removes the need for on-site audits or lengthy questionnaires
• Assurance from an objective 3rd party auditor over various control frameworks in one report.

Roadblocks

• Overlap in controls?
• Cost?
• Separate Auditor / Audit firms?

www.theCadenceGroup.com
http://www.linkedin.com/company/the-cadence-group
801.358.5748
[email protected]

Questions?