PROCESS IMPROVEMENT DIVISION · OTE GROUP
OTE GROUP AT A GLANCE
4 Key Services: Fixed · Mobile · Broadband · Pay TV · ICT
2 Countries of Operation: GR, RO
Subsidiary Companies
≈ €4 Billion Revenues
≈ 20,000 Employees
Shareholding Structure: 45% Deutsche Telekom · 5% Greek State · 50% Public
CUSTOMER NEED
To ensure…
▪ system reliability, availability and integrity
▪ security, and build trust
To protect them from…
• disclosure of private and confidential data
• system failures due to disasters impacting service
To demonstrate…
▪ compliance with robust frameworks of internal controls
▪ implementation of best practices
SOC IN DETAIL
SOC Definition: SOC (Service Organization Control) reports, issued under ISAE 3402 or SSAE 16, provide independent assurance over service organisations that manage customers' mission-critical systems and store and process confidential customer information for multiple customers. A SOC report is an attestation, not a certification: the auditor reports on the controls the service organisation describes.
SOC Scope: A SOC report is an independent attestation report issued by chartered or certified public accountants. It gives the clients of a service organisation, and their independent auditors, information on the policies, procedures and controls that may be relevant to the clients' internal control structure and financial statements.
SOC & Auditors: A customer's auditors use the report to understand the controls over a service that are likely to be relevant to the client's internal control over financial reporting, in order to reduce or eliminate audit procedures at the service organisation.
What's in it for the customer? Customers use the report to understand the design adequacy and operating effectiveness of their service provider's controls over the outsourced services.
SOC is a market trend: SOC reports have become increasingly prevalent in the marketplace since the issuance of Statement on Auditing Standards No. 70, Service Organizations (SAS 70), in 1992.
SOC is continually assessed: A SOC report requires annual assessment to confirm that the established control environment continues to operate. Management is required to provide a written assertion on the effectiveness of controls and acknowledges its responsibility with regard to sanctions.
SOC REPORTS & TYPES
Type I: covers the suitability of the design of controls as of a point in time (a snapshot).
Type II: covers the suitability of the design and the operating effectiveness of controls over a period of time, typically 6 or 12 months.

SOC 1 (Type I or Type II)
Purpose: reports on the effectiveness of the organisation's control environment that affects the customer's financial reporting.
Scope: financial processes and a basic scope of IT general controls (ITGCs) related to the statutory financial statements report.
Distribution: for internal use only.

SOC 2 (Type I or Type II)
Purpose: reports on the effectiveness of the organisation's control environment relevant to security, availability, processing integrity, confidentiality or privacy requirements.
Scope: Trust Services Principles
❑ Security – the system is protected against unauthorised access (physical and logical).
❑ Availability – the system is available for operation and use as committed or agreed.
❑ Confidentiality – information designated as confidential is protected as committed or agreed.
❑ Processing Integrity – system processing is complete, accurate, timely and authorised.
❑ Privacy – personal information is collected, used, retained, disclosed and disposed of in conformity with the required criteria.
Distribution: for internal use only.

SOC 3
Purpose: the same as SOC 2, but without the detailed description of the tests performed; used for marketing purposes.
Distribution: can be posted (general-use report).
WHY SOC?
▪ Can be used in place of other audits of the service organisation's controls (SOX, internal controls audits, statutory audits, etc.), as it provides independent assurance by chartered auditors. It does not replace the customer's own audit; it reduces the procedures the customer's auditor must perform at the service organisation.
▪ The results of the auditor's procedures are disclosed in the issued report.
▪ Satisfies the customer's external audit requirements.
▪ Controls over financial reporting, security, data and privacy are evaluated, tested and reported on.
▪ The evaluation criteria may be customised, since the service organisation is responsible for describing the controls that will be disclosed in the service auditor's report.
IMPLEMENTATION APPROACH
IMPLEMENTATION AND CERTIFICATION
Risks → Control Matrix & Processes → Gap Analysis → Recommendation Plan → Internal Management Assessment → Certification
OUR ISSUED SOC REPORTS | ROADMAP
2014: OTE existing control environment. Management testing: assess control existence, design and operating effectiveness for Managed IT Services.
Feb 2015: SOC 1 Type 2 Report | Managed IT Services (TMNL)
Nov 2015: SOC 2 Type 1 Report | Managed IT Services (TMNL)
April 2016: SOC 2 Type 2 Report | Managed IT Services (TMNL)
Jan 2017: SOC 1 Type 2 Report | Managed IT Services (TMNL | CCH)
June 2017: SOC 2 Type 2 Report | Managed IT Services (TMNL | CCH)
October 2018: Management testing for new service: 1st Level Support
Jan 2019: SOC 1 Type 2 Report | Managed IT Services (TMNL | CCH | FRAPORT)
May 2019: Management testing for new service: Managed Security Services
End of May 2019: SOC 2 Type 2 Report | First Level IT Support Services
To be continued…
OUR ISSUED SOC REPORTS AT A GLANCE
Report | Service | Customer | Period | Status

SOC 1 Type 2 | Managed IT Services | TMNL, CCH, Fraport | 01.01 – 31.12 / 2018
▪ The first SOC 1 Type 2 Report was issued in February 2015 for TMNL only
▪ IT Services offered to CCH were included in the SOC 1 Type 2 Report issued in January 2017
▪ IT Services offered to Fraport were included in the SOC 1 Type 2 Report issued in January 2019

SOC 2 Type 2 | Managed IT Services | TMNL, CCH | 01.01 – 31.12 / 2018
▪ The first SOC 2 Type 2 Report was issued in April 2016 for TMNL only
▪ IT Services offered to CCH were included in the SOC 2 Type 2 Report issued in June 2017

SOC 2 Type 2 | First Level IT Support Services | CCH | 01.07 – 31.12 / 2018
▪ The first SOC 2 Type 2 Report for the service will be issued at the end of May 2019

SOC 2 Type 2 | Managed Security Services | CCH | 01.01 – 31.12 / 2019
▪ The first SOC 2 Type 2 Report for the service will be issued at the end of January 2020

SOC 2 Type 1 | Managed IT Services | TMNL | November 2015
▪ The first SOC 2 Type 1 Report was issued in November 2015 for TMNL only

* Our reports are based on the ISAE 3402 assurance standard, though the SSAE 16 standard (since superseded by SSAE 18) may also be used if otherwise selected. See http://isae3402.com/ or http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization%27sManagement.aspx
UNIFIED CONTROL MATRIX
LEVELS OF SERVICE | SCOPE | IMPLEMENTATION OPTIONS
LEVEL 0: CONTROLS BASELINE FOR MARKET
SCOPE: Internal & external systems. Physical & logical security | Service management. In scope: HW / SW / Database / Network / Data Centers / VMs
LEVEL 1: MINIMUM CONTROLS FOR PROVIDING SERVICE
SCOPE: Service provider controls (ICT services) / internal systems for internal services
LEVEL 2: CONTROLS TO ENSURE DATA CONFIDENTIALITY & PRIVACY
SCOPE: Internal systems & as a service provider handling data classified as Confidential / Private
LEVEL 3: SPECIALIZED SECURITY CONTROLS
SCOPE: Internal systems & network dedicated to the provision of the service
Difficulty | cost | effort | risk | maturity increase from Level 0 to Level 3
OUR BENEFITS FROM SOC IN TERMS OF PROCESSES (1/2)
Internally Designed
▪ Establishes a formally structured internal control environment for the services rendered, through common processes incorporating the requirements of all frameworks (common framework approach to service rendering, rolled out to all customers)
▪ Improves customers' understanding of our processes through a single best description of the services rendered and the processes that support them (Service Description Documentation)
▪ Ensures full alignment with the established Internal Control System, avoiding overlaps and operational inefficiencies; further enhances the value of controls and reduces auditor costs in areas shared with the statutory audit
▪ Enhances the organisational culture around providing assurance for the services offered to customers; ensures continuous awareness and cross-functional cooperation, breaking down silos
▪ Ensures systematic monitoring of the operation of processes and controls, and creates opportunities for continuous improvement
▪ Facilitates the implementation and systematic review of ISO 27001, ISO 20000, ISO 31000, ISO 9001, PCI and GDPR by applying a common integrated approach to all certification standards

OUR BENEFITS FROM SOC IN TERMS OF PROCESSES (2/2)
Internally Designed
▪ Fosters process and control discipline by engaging business owners in implementation and maintenance, and creates a culture of ownership
▪ Provides a competitive advantage in ICT tenders; reinforces brand reputation and customer trust through the validated secure operating environment incorporating the relevant control points
▪ Ensures legal and regulatory compliance
▪ Reinforces the company's overall strategy and objectives and its GRC approach
▪ Reduces duplication and produces internal efficiency
▪ Only one external audit is performed for all our customers

AREAS TO CONSIDER
01 Needs continuous internal management assessment and an annual assessment by the external auditor
02 It is a high-cost certification
03 Requires alignment and clear specification of, and agreement on, the services rendered with the customer at the stage of contract signing
04 PMO role to coordinate internal and external activities
05 Cross-functional cooperation
06 A specific, predefined process framework through which to offer a common service that satisfies differentiated customer needs
07 Common asset inventory tool

NEXT STEPS
1 Process analytics: high-level monitoring dashboards (automate where possible; users perform audits of controls)
2 One common report for all customers
3 Managed improvements by creating company-wide projects