Webinar Slides: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting
EXECUTIVE EDUCATION SERIES: Outsourcing Services to a Third Party –
Privacy Impacts and SOC Reporting
Presented by: Shareholder John Robichaud and Guest Presenter Cynthia Larose of Mintz Levin
May 2, 2013
Co-presented by #MHMwebinar
To view this webinar in full screen mode, click on view options in the upper right hand corner.
Click the Support tab for technical assistance.
If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.
Before We Get Started…
This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic polling questions throughout the webinar.
External participants will receive their CPE certificate via email immediately following the webinar.
CPE Credit
John Robichaud, CPA, Shareholder, 617.761.0546 | [email protected] Located in our Boston office, John specializes in service organization control (SOC) reporting, specialized agreed-upon procedures, privacy, risk assessments and enterprise risk management, internal controls and project management. He works with a wide variety of clients, many from service organizations, nonprofits, financial services and technology industries.
Today’s Presenters
Cynthia Larose, CIPP, Mintz Levin, 617.348.1732 | [email protected] Cynthia is a Member of Mintz Levin’s Corporate & Securities Section, Chair of the Privacy & Security practice, and a Certified Information Privacy Professional (CIPP/US). Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.
Full-service, multi-disciplinary law firm
450 attorneys and senior professionals
Offices across the country, and in the UK:
Liaison office in Israel
International network of contacts
Government relations, public policy and real estate project development consulting affiliate – ML Strategies
About Mintz Levin
Boston New York Washington, DC Stamford
Los Angeles San Diego San Francisco London
Antitrust & Federal Regulation
Bankruptcy, Restructuring & Commercial Law
Communications
Consumer Product Safety
Corporate & Securities
Corporate Compliance & Investigations
Employment, Labor & Benefits
Environmental Law
Government Law & Contracts
Health Law
Immigration
Intellectual Property
International
Litigation
Privacy & Security
Private Client
Private Equity
Project Development & Finance
Public Finance
Real Estate
Tax
White Collar Criminal Defense
A Full-Service Firm
Construction
Education
Energy & Clean Technology
Financial Services
Health Care
Insurance
Internet & E-commerce
Life Sciences
Manufacturing
Nonprofits
Professional Services
Real Estate
Retail & Consumer Products
Sports, Arts & Entertainment
Technology, Communications & Media
Transportation, Shipping & Logistics
Representative Industries We Serve
Today’s Agenda
1. Outsourcing Overview
2. Landscape and impact of privacy laws and regulations
3. Privacy compliance challenges and common pitfalls
4. Emerging privacy legal and regulatory compliance issues
5. Navigating reporting from third party service providers
6. AICPA Service Organization Control Reports
7. Trust Services
OUTSOURCING OVERVIEW
Opportunities, Reasons, Benefits and Challenges
Continually growing wide range of opportunities for organizations to outsource, including:
Payroll
Human resources and benefits administration
Accounting
Printing and distribution
Warehousing and fulfillment
Call center and customer support
Data center and application hosting
Software as a Service
Platform as a Service
Infrastructure as a Service
Outsourcing Overview - Opportunities
Many reasons and benefits, including:
Pressure to reduce costs
Leverage experts specialized in the outsourced service offering
Potential availability of more sophisticated resources
Availability of a virtual workforce
Meet short-term demands or needs
Lack of resources to support a business process or function
Outsourcing Overview – Reasons and Benefits
Outsourcing Overview – Challenges
Due Diligence
Compliance
Oversight
LANDSCAPE AND IMPACT OF PRIVACY LAWS AND
REGULATIONS
Privacy Laws and Regulations
Compelled disclosure to the government:
Electronic Communications Privacy Act (ECPA) 1986
Protects electronic communications from disclosure while in transit and while held in storage
Different levels of protection based on outdated distinctions on storage, such as "electronic storage" or storage by a "remote computing service", or on how old the data is
Stored Communications Act (SCA)
USA Patriot Act
Enacted in 2001, amended in 2005
Allows FBI access to certain business records with a court order
National Security Letters can also obtain records
Warrants and Subpoenas
Privacy Laws and Regulations
Data security issues and data breach notification:
Certain Federal Laws and Regulations impose industry-specific data security or breach notification obligations
Educational Institutions – Family Educational Rights and Privacy Act (FERPA)
Financial Institutions – Gramm-Leach-Bliley Act (GLBA)
Prevent disclosure of nonpublic personal information
Health Care – Health Insurance Portability and Accountability Act (HIPAA) and HITECH
Privacy Laws and Regulations
Payment Card Industry (PCI) Data Security Standard (DSS)
Prevent disclosure of online credit card and account information
FTC Breach Disclosure Requirement
Section 5 of the FTC Act
Clinical Laboratory Improvement Amendments (CLIA)
Applies to health care organizations
NYSE Rule 340
Privacy Laws and Regulations Continued
FDIC
Meet regulatory requirements around core vendors
Publicly traded companies – Sarbanes-Oxley (SOX)
Generally, an entity cannot contract away its obligation to comply with these industry-specific regimes
State Laws and Regulations
Avoid requirements to disclose data compromised at a vendor
Depending on where your organization does business
Examples: MA, CA, TX, and MI have their own privacy and security laws
PRIVACY COMPLIANCE CHALLENGES AND COMMON
PITFALLS
Assuming Third Party Vendors Are Covering Compliance Issues
Under many privacy laws, there is no formal compliance violation if a company fails to monitor the activities of its vendors. A "voluntary" obligation to monitor creates risks for the company, which is committing to follow through if oversight is not effective.
Case study: A medical transcriptionist in Pakistan threatened to post patient names and information on the Internet unless given better pay. The story received global coverage resulting in serious reputational damage to the hospital.
Why Monitor? Why Not?
Common Pitfalls and Repercussions
Lack of Standard Process
Case study: A Ponemon Institute study revealed a difference in view between cloud providers and users about who is primarily responsible for security in the cloud. 69% of third party vendors saw their users as responsible for their own security. Only 35% of these users saw themselves as responsible.
This confusion about who is responsible for data security leads users to complacent behavior.
Failure to Manage Vendors
Companies spend millions on their own internal compliance challenges but provide all the same information to vendors.
Vendors could give low priority to safeguarding this information.
Common Pitfalls and Repercussions
Volume of Vendors
Simply keeping track of all privacy information spurs a concern for errors/breaches.
Larger vendors dealing with a substantial volume of personal data face higher risks than other vendors with more manageable information.
Mitigation Issues
How will a company interact if a vendor breaches privacy?
Vendors should be contractually committed to take all reasonable action dictated by the company.
Common Pitfalls and Repercussions
New HIPAA Omnibus Rule
If you handle protected health information, you have HIPAA liability
HIPAA breaches generate severe negative publicity, not to mention fines and civil penalties – also possible class actions.
Many lawsuits seeking damages in the millions have been filed against healthcare providers that breach PHI.
Total breach costs have grown every year since 2006.
Failure to do Third Party Due Diligence
What if the vendor goes out of business?
Does the third party have a disaster recovery plan?
What is the vendor’s identity theft protection plan?
EMERGING PRIVACY LEGAL AND REGULATORY COMPLIANCE
ISSUES
Cloud
If a company stores information in the cloud, it faces the threat of FTC enforcement if its representations to consumers about where/how information is stored and secured do not match its actual practices
Who owns data on the cloud?
Can a cloud provider use the data for its own purposes?
Under what circumstances can the customer obtain a copy of information stored in the cloud?
What happens when service to the cloud is interrupted?
Cloud
CONTRACT!
Almost all issues can be dealt with contractually:
Where data is stored
What security standards the cloud provider adheres to
• Segregated data
• Does the cloud conform to industry standards?
• Do outside auditors confirm its security practices?
Who is liable for a data breach
Regulatory compliance and indemnification responsibilities
Ownership/control of information and cloud maintenance
Off Shore Vendors
Problems associated with digital technology
Internet file sharing networks make it much easier to steal trade secrets, proprietary products, plans and schematics
Much of theft takes place outside of the United States
Vendors may be "offshore"
Creates perception that U.S. privacy rules do not apply to other countries (See Pakistani case study)
Companies must evaluate how best to enforce contractual obligations
KNOW YOUR VENDOR
Vendor Assessment
“Ignorance is not a valid defense”
Regulators and executive management expect you to understand, manage, and reduce risk.
Perform a cost/benefit analysis when choosing a provider.
Ask: What is the reputational risk to your company if something goes wrong? How sensitive is this stored data?
Average cost per record: $198
Average incident: $6.3 million
Looking Ahead
Use of third-party vendors for business functions has become a standard business practice, but security still varies greatly.
Organizations must be extremely vigilant in assessing risks to their data even if they reside at a vendor location.
Ask: "Once we share our information assets with third-party vendors, will we still be in compliance?"
You MUST vet your vendors and carefully monitor their security/privacy control environments over an extended period of time.
NAVIGATING REPORTING FROM THIRD PARTY SERVICE
PROVIDERS
Due Diligence and Oversight Compliance Challenges, and Relying on Reporting from Service Providers
Performing due diligence and compliance oversight at third party service providers can be a challenge or impractical because of:
Limited management and resource bandwidth
Cost
Timing
Contractual restrictions
Organizations often end up needing to rely on reporting provided by the third party service provider.
Reporting from Third Party Service Providers
Internally prepared reports and self-assessments
Certifications
Seals
Externally prepared reports and assessments against an alphabet soup of standards, including:
PCI DSS
ISO
FISMA
NIST
HIPAA
AICPA Service Organization Control (SOC) Reports
Reporting from Third Party Service Providers
AICPA SERVICE ORGANIZATION CONTROLS REPORTS
SOC 1–3 Reports
SOC1 versus SOC2 versus SOC3 and Option for Web Site Seal
Type 1 point in time versus type 2 operating period examinations and reports
Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria
AICPA SOC Reports
SOC1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls Over Financial Reporting - replacement of SAS 70 and performed under SSAE 16
SOC2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (long form report)
SOC3 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (short form report with web site seal option)
SOC 1 – 3 Reports
Internal control over financial reporting
Scope includes:
Classes of transactions
Procedures for processing and reporting transactions
Accounting records of the system
Handling significant events and conditions other than transactions
Report preparation for users
Other aspects relevant to processing and reporting user transactions
SOC 1
Covers transaction processing controls, and supporting information technology controls relevant to the financial transaction processing and reporting services
Based on control objectives that are defined by the service provider and can vary depending on the type of service provided
Restricted report – intended solely for the information and use of the service provider, their user entities (customers) and the user entities’ auditor in planning their audit of the user entity
SOC1 - Continued
Operational controls
Scope includes:
Infrastructure
Procedures
People
Data
Covers any one or combination of the Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria
SOC2
Intended to meet the needs of a broad range of users that need information and assurance about controls at a service provider that affect the security, availability, processing integrity, confidentiality and privacy
Restricted report with a broader range of intended users, including:
Existing users
Prospective users
Regulators
Business partners
Endorsed by the Cloud Security Alliance
SOC2 - Continued
Covers same individual and combined Trust Services Principles and Criteria as SOC2
Does not include a detailed description of the design of controls and the tests of controls performed by the service auditor
Provides a service auditor’s opinion on whether the service provider maintains effective controls over its systems
Unrestricted report intended for users that don’t require a more thorough report
Web site seal option if no carved out subservice providers and an unqualified opinion
SOC3
Type 1 is a point-in-time examination and report opining on the suitability of the design of controls and the description, with no test of the operating effectiveness of controls.
Type 2 is an examination and report opining on the suitability of the design of controls and the description, and on the operating effectiveness of controls, with reported tests and results covering a period of time, which is:
Six months or greater for a SOC1
Two months or greater for a SOC2 and SOC3
Based on the usability of the coverage period for the intended recipients of the report
Type 1 versus Type 2
TRUST SERVICES
Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria
(Framework for SOC2 and SOC3 Reporting)
Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria address risks and controls of IT enabled systems and privacy programs with illustrated benchmark control best practices.
Trust Services Principles and Criteria
Policies – The service provider has defined and documented its policies particular to each principle, which address management’s intent, objectives, requirements, responsibilities and standards.
Communication – The service provider has communicated its defined policies to responsible parties and users of the system.
Procedures – The service provider has placed procedures into operation to achieve its principles in accordance with its defined policies.
Monitoring – The service provider monitors the system and takes action to maintain compliance with its defined policies.
Trust Services Principles and Criteria Continued
Security – The system is protected against unauthorized access (both physical and logical).
Availability – The system is available for operation and use as committed and agreed.
Processing Integrity – System processing is complete, accurate, timely and authorized.
Confidentiality – Information designated as confidential is protected as committed or agreed.
Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the AICPA’s and CICA’s Generally Accepted Privacy Principles.
Trust Services Principles and Criteria Continued
Most commonly requested area of coverage
Security criteria are also included in the other principles because security controls are inherently critical parts of effective availability, processing integrity, confidentiality and privacy controls
Applicable to all outsourced environments, particularly when enterprise users require assurance regarding the service provider’s security controls for any system, and nonfinancial or financial service
Security
IT security policy
Security awareness and communication
Risk assessment
Logical access
Physical access
Security monitoring
User authentication
Incident management
Asset classification and management
System development and maintenance
Personnel security
Configuration management
Change management
Monitoring and compliance
Security Continued
Commonly requested areas of coverage, particularly where availability, disaster recovery and business continuity management are provided as critical parts of the service provider’s standard service offering.
Most applicable where enterprise users require assurance regarding processes to achieve system availability service level agreements as well as disaster recovery and business continuity management, which cannot be covered as part of a SOC1 report.
Availability
Includes security criteria
Availability policy
Backup and restoration
Environmental controls
Disaster recovery
Business continuity management
Availability Continued
Potentially applicable for a wide variety of non financial and financial services wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing
Includes security criteria
System processing integrity policies
Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs
Information tracing from source to disposition
Processing Integrity
Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information
Includes security criteria
Confidentiality policy
Confidentiality of inputs
Confidentiality of data processing
Confidentiality of outputs
Information disclosures, including to third parties
Confidentiality of information in systems development
Confidentiality
Most applicable where the service provider interacts directly with end users and gathers their personal information
Can also be performed when the service provider is a secondary or intermediary recipient of personal information, but requires more complicated disclosures regarding the span of responsibilities for personal information between all involved parties
Provides a vehicle for demonstrating the effectiveness of a service provider’s controls for maintaining the privacy of information
Privacy
Management
Notice
Choice and consent
Collection
Use and retention
Access
Disclosure to third parties
Quality
Monitoring and enforcement
Privacy Continued
Provides secure encrypted email service
2011–2012 SOC3 on security and confidentiality
2012–2013 SOC2 on security, confidentiality and privacy
Ziptr
Questions?
If You Enjoyed This Webinar…
Join us for these related EES courses:
June 27: Accounting and Finance Issues of Technology Companies
August 20: Outsourcing Services to a Third Party – Privacy Impacts and Service Organization Control Reporting
Read this related MHM Messenger:
MHM Messenger 23-12: Evolving Business Practices Spur Transition from SAS 70 to SOC Reports