Combined Compliance: A Pragmatic (?) Approach (Feb 2017)
801.358.5748
Kevin Abbott
Combined Compliance
The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:

Experience
We don’t hire rookies, and are not in the business of providing on-the-job training. We only hire extremely experienced professionals.

Flexibility
Enabling clients to determine how to best use our expertise and experienced resources. We’re flexible and work with you to achieve the project goals.

Efficiency
Ensuring engagements are effectively managed and efficiently executed. Part of our job is to make sure you don’t do too much, or too little.
Two Sides of the 3rd Party Due Diligence / Compliance Coin

Consumer of 3rd Party Services: validate their compliance
- What method is best?
- What frameworks?
- How often?

3rd Party Service Provider: be compliant & undergo assessments
- What method is best?
- What frameworks?
- How often?
2017 RSA Security Conference Survey:
What is your most effective way to assess cloud provider risk?

SOC2 Report            48%
Send Questionnaires    17%
Other                  10%
CSA STAR Report         9%
ISO 27K Certificate     9%
Onsite Audit            7%
What is Combined Compliance?
• Evaluating multiple compliance frameworks / standards in one assessment
• A single universe of combined (mapped) controls
• The opposite of a “silo” compliance approach
• Requires understanding and planning

Is there a pragmatic way to do this?
Recently from the Cloud Security Alliance:
“After careful consideration of alternatives, the Cloud Security Alliance has determined that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.”
Recently from the AICPA re: SOC2+
“A service organization may request that the service auditor’s report address either criteria in addition to the applicable trust services criteria or additional subject matter related to the service organization’s services using additional suitable criteria related to that subject matter, or both”
What is SOC Reporting?
Service Organization Control (SOC) Reports are third-party attestation reports used by customers, prospective customers, and business partners to gain an understanding of the control environment at a service provider. They are issued by a CPA firm with experience in SOC Reporting.

Various types of SOC reports:
• SOC1
• SOC2
• SOC3
• Type 1
• Type 2
SOC2 Principles
A SOC2 Report is based upon the five Trust Principles below. A report must include the Security Principle (Common Criteria), and may include any or all of the additional principles.

Security (28 required common criteria): The system is protected against unauthorized access, use, or modification.
Availability (3 additional criteria): The system is available for operation and use as committed or agreed.
Confidentiality (8 additional criteria): Information designated as confidential is protected as committed or agreed.
Privacy (20 additional criteria): This principle addresses the system’s collection, use, retention, disclosure, and disposal of PII in accordance with commitments and system requirements.
Processing Integrity (6 additional criteria): System processing is complete, valid, accurate, timely, and authorized.
Common Criteria Framework

SOC2+ Report Elements
Section 1 – Audit Opinion: opinion expressed over design (Type I) and operating effectiveness (Type II) of the additional criteria.
Section 2 – Service Provider Assertion: the assertion extends to the additional criteria.
Section 3 – Service Provider System Description: the description may include additional information related to the new criteria / subject matter.
Section 4 – Control Mapping, Tests of Controls: additional control mapping to the relevant criteria is documented in this section.
Section 5 – Additional Information: optional section to document additional information from the service provider, with the option to include additional controls / criteria mapping here.
SOC2+ Options
• Selected Trust Principle(s) plus:
– HIPAA
– HITRUST
– CSA STAR
– Other Suitable Criteria (PCI? ISO?)
HIPAA
• Generally required for entities that store or transmit PHI
• Administered / enforced by the Office of Civil Rights (OCR) and Department of Health and Human Services (HHS)
• Framework includes the Security Rule, Privacy Rule, and Breach Notification
• Lacks a good audit reporting vehicle
HITRUST
• HITRUST Alliance founded in 2007
• Created a common risk and compliance framework meant to bridge other frameworks, including HIPAA
• Certifies audit firms to perform assessments
CSA STAR
• Cloud Security Alliance
• Created a mapping document, and the resulting STAR framework, to assess cloud provider security.
Benefits of SOC2+

Service Provider Benefits
• A SOC2+ report can be customized to meet many (or all) of the assurance needs of a customer.
• Efficient use of time / resources responding to assurance requests (vendor questionnaires, on-site audits, multiple external audits, etc.)

Customer Benefits
• Removes the need for on-site audits or lengthy questionnaires
• Assurance from an objective 3rd party auditor over various control frameworks in one report.
www.theCadenceGroup.com
http://www.linkedin.com/company/the-cadence-group
Questions?