What is a Point of Focus?

In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria. As such, one of the enhancements to SOC 2 reporting is the addition of points of focus, which assist organizations in designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. Points of focus are meant to be references, not requirements, because not all points of focus will be applicable to all organizations. They serve as a type of checklist for management, providing clarity on how organizations can ensure that they are SOC 2 compliant. Let’s look at an example of points of focus under the security category.

Specific Points of Focus

For example, CC1.1, under the common criteria and COSO’s control environment component, states, “The entity demonstrates a commitment to integrity and ethical values.” The specific points of focus for this include the following:

  • Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
  • Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
  • Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
  • Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

Organizations pursuing SOC 2 compliance would then choose to follow the guidance of the points of focus that apply to them. This ensures that their controls demonstrate the organization’s commitment to integrity and ethical values.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

One of the enhancements to the SOC 2 Trust Services Criteria in 2017 has to do with the inclusion of points of focus. The criteria now include points of focus, given by the AICPA, that really give you important characteristics about the criteria. These are not requirements; these are not things that you have to do, but they’re very helpful to reference. You can go into our Online Audit Manager and check out the resources in order to find these points of focus. One of the things that’s been very helpful about it is, many times in the SOC 2 criteria, you would read it and you wouldn’t really understand, at first glance, what it was talking about. The points of focus are there to help you understand the context of what the criteria are seeking to accomplish and how you might implement that within your own organization.

New Elements of SOC 2

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.

Updates to the COSO Internal Control Framework

The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and to evaluate their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the 17 principles of internal control that are aligned with those five components have now been incorporated into the Trust Services Criteria. Additionally, there are now 81 points of focus across these 17 principles.

What are the 17 Principles of Internal Control?

The introduction of these 17 principles of internal control gives organizations an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control is present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their associated principles demonstrates that it has an effective system of internal control. The 17 principles of internal control include:


The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.

One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.

You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.


Most business owners understand the importance of Business Continuity and Disaster Recovery Plans. These documented sets of policies and procedures can be a lifeline to organizations following a disaster because they limit the loss of operations, reputation, and revenue. But how does the cloud impact Business Continuity and Disaster Recovery Plans?

Myths about Business Continuity and Disaster Recovery Plans for the Cloud

When it comes to Business Continuity and Disaster Recovery Plans for the cloud, we often hear this feedback:

  • “I don’t have to worry about Business Continuity and Disaster Recovery Plans because my cloud provider does those for me.”
  • “We don’t need to test our Business Continuity and Disaster Recovery Plans, we’ve thought it through.”
  • “Our cloud service provider is taking care of our availability concerns.”
  • “Everything is in the cloud, so we aren’t at risk.”

These myths about Business Continuity and Disaster Recovery Plans for the cloud are hurting businesses. This way of thinking couldn’t be further from the truth. Business Continuity and Disaster Recovery Plans are not simply a technology roadmap; they describe how to recover business operations, which includes people and processes. How could a cloud service provider determine how your people and processes will recover?

Everything can’t possibly be in the cloud. Physical office locations, employees, weather patterns, heating and cooling systems, power regulation — these things don’t exist in the cloud. The shared responsibility model accounts for this. Microsoft Azure’s guidance states, “Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Organizations operating under the lift and shift methodology of moving an operation to the cloud without redesign or thought are not accounting for their people and processes. Cloud service providers cannot take care of all business continuity and disaster recovery needs. The lift and shift mindset cultivates complacency, which is a dangerous spot to be in.

What Should Business Continuity and Disaster Recovery Plans for the Cloud Include?

Business Continuity and Disaster Recovery Plans define an organization’s processes for protecting and recovering its business in the event of a disaster, such as a hurricane, flood, tornado, power outage, etc. With consideration to cloud computing, Business Continuity and Disaster Recovery Plans should answer:

  • How will your organization stay running in the event of a disaster?
  • How does your deployment model impact your level of risk?
  • How do your people and processes fit into cloud security?
  • Where will employees continue to carry out their work duties?
  • How will incident response be communicated throughout your organization?

To create Business Continuity and Disaster Recovery Plans, organizations must still go through these four basic steps:

  1. Conduct a Business Impact Analysis.
  2. Determine a recovery strategy based on the results of the Business Impact Analysis.
  3. Put a documented plan into place.
  4. Test it! Testing BC/DR Plans for the cloud is technologically easier.

About Michael Burke

Michael Burke is an Information Security Specialist with KirkpatrickPrice with over 25 years of experience in the information technology industry. Michael holds a PhD in Information Technology from Capella University. He is a member of the EC-Council, the International Information Systems Security Certification Consortium, and the Project Management Institute. Michael also holds CISSP, CCISO, QSA, and CCSFP certifications.

More Resources

Business Continuity and Disaster Recovery Planning Checklist

3 Steps for an Effective Disaster Recovery Plan

Cloud Security: Business Continuity and Disaster Recovery Planning Checklist

Cloud Security: The Good, The Bad, and The Ugly

Auditor Insights: Day-to-Day Operations of Internal Audit

Internal audit provides a level of monitoring which is generally not available when working with a third-party auditor. If you’re going on a long road trip, how likely are you to hop in the car and start driving? You’re not – most people will take the car to the shop for an oil change and overall inspection. If the road trip is the audit engagement, the practice of taking the car to the shop equates to the usage of an internal audit function to ensure the car (the organization) is ready for the road trip (the third-party assessment).

So, you’ve recognized the value of an internal audit program, you have senior management’s support, you’ve developed an internal audit program, and now you’re implementing it. What does internal audit require on a day-to-day basis?

What Does an Internal Audit Require on a Day-to-Day Basis?

Part of your internal audit team should consist of project management personnel and operational auditors. Project management personnel are responsible for the execution of audit functions which translate activity at the operational level to information driven by reporting requirements established by executive management. Operational auditors are responsible for the execution of audit activities including compliance requirement identification, testing, evidence evaluation, and reporting. By now, though, you may be wondering what this team does on a day-to-day basis. The duties performed by internal auditors normally include:

  • Objectively review your organization’s business processes. This is the process of providing a non-biased assessment of the completeness and adequacy of an organization’s business processes with a focus on the effectiveness and efficiency of the process.
  • Evaluate the efficiency of risk management procedures that are currently in place. What one individual or business considers to be an acceptable risk may not be so reasonable to executive management. Internal audit represents management’s interests while evaluating risk decisions and handling techniques.
  • Protect against fraud and theft of the organization’s assets. Again, while serving as a representative of executive management, internal audit can identify and bring to light incidents of fraud, waste, and abuse.
  • Ensure that the organization is complying with relevant laws and regulations. Internal audit can create control mappings which translate legal, regulatory, or ethical requirements into actionable controls, which can be evaluated for compliance with defined requirements. For each separate legal statute or contractual obligation, a control can specifically address the organization’s business processes and translate business activities into measurable actions which support compliance.
  • Make recommendations on how to improve internal controls and governance processes. Based on control reviews, evidence collection, and interviews, internal audit can provide insights regarding how improving controls or the supporting process may better assess the organization’s compliance levels.

How Does an Internal Audit Team Work with a Third-Party Auditor?

Internal audit can be a valuable resource when working with third-party auditors since internal audit can supply the third-party auditor with control objectives used by the organization as well as the mappings to common frameworks for assessment. This activity allows third-party auditors to better understand the assessment activities performed by the organization and provide an assessment or opinion of the organization’s compliance efforts.

About Richard Rieben

Richard Rieben has 20 years of experience in the information technology field, including operations and project management experience. Motivated by empowering and inspiring his clients, Richard enjoys improving processes based on incremental improvement. Richard currently serves as Director of Audit Operations at KirkpatrickPrice, where he leads a team of Information Security Specialists. Richard holds CCSFP, PCI QSA, GSNA, CISSP, CompTIA CSA+, CompTIA CASP, CompTIA Network+, CompTIA Project+, CompTIA Security+, Certified Scrum Master, PMP, and FITSP-M certifications.

More Internal Audit Resources

What is the Purpose of a Risk Assessment?

Most information security frameworks require a formally documented, annual risk assessment. You will see this requirement over and over again in your pursuit of SOC 1, SOC 2, PCI DSS, HIPAA, or HITRUST CSF compliance. But what exactly is a risk assessment and why is it so important to information security frameworks? Let’s find out.

What is a Risk Assessment?

A risk assessment is a methodology used to identify, assess, and prioritize organizational risk. Without a risk assessment, organizations can be left unaware of where their critical assets live and what the risks to those assets are. Risk assessments evaluate the likelihood and impact of the threats to those assets actually materializing and give you an opportunity to evaluate your current security controls to determine whether what you’re doing will be an effective defense against a malicious attack.

One way to look at a formal risk assessment process is that your organization is now being proactive rather than reactive. If you have the opportunity to anticipate a potential security incident and address its potential adverse impacts in advance, you greatly improve your chances of sparing your business operational and reputational loss.

In relation to a SOC 1 audit, the controls that you select to be tested and described in your SOC 1 report need to be based off of your risk assessment. You must determine what risks you’re facing in the achievement of your control objectives and then you must implement the controls in order to address that risk.


5 Steps to a Risk Assessment

A risk assessment is a systematic process of evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. The risk assessment process must be a continual, monitored process to be effective. So, where do you begin? The five steps to a risk assessment include:

  1. Conduct Risk Assessment Survey – Input from management and department heads is vital to the risk assessment process. This survey is an avenue to document specific risks or threats within a department.
  2. Identify Risks – The purpose of a risk assessment is to evaluate something like an IT system and ask, what are the risks to hardware, software, data, and IT personnel? What are the potential adverse events, like fire, human error, bomb threats, or flooding? What’s the potential for a loss of integrity, availability, or confidentiality in your systems?
  3. Assess Risk Importance and Risk Likelihood – What is the likelihood of a specific event having a negative impact on an asset? This can be expressed subjectively or quantitatively (High, Medium, Low or 1, 2, 3).
  4. Create a Risk Management Action Plan – Based on your analysis of which assets are valuable and which threats are likely to negatively affect those assets, you must develop control recommendations to either mitigate, transfer, accept, or avoid the risk.
  5. Implement a Risk Management Plan – Now that you’ve completed the first four steps to a risk assessment, you’ve developed an effective way to identify and manage risk. Now, it’s time to train your team and implement these controls.
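As an added illustration of steps 2 through 4 (not part of the original article and not a KirkpatrickPrice tool), the following Python script scores a small risk register. It assumes a three-level qualitative scale (Low/Medium/High mapped to 1/2/3) for likelihood and impact, computes inherent risk as likelihood times impact, discounts it by the effectiveness of existing controls to obtain a residual risk, ranks the entries, and maps each residual score to a treatment option against a stated risk appetite. The register entries, the scale, the appetite value, and the treatment thresholds are all constructed for the example; a real assessment would use the organization’s own scale and appetite.

```python
"""Risk register scoring: added example, not the article's own method.

Assumptions (illustrative, not from the article):
  * likelihood and impact use a Low/Medium/High scale mapped to 1/2/3
  * inherent risk = likelihood * impact
  * residual risk = inherent risk * (1 - effectiveness of existing controls)
  * treatment is chosen by comparing residual risk to a risk appetite
"""
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str                     # "Low" | "Medium" | "High"
    impact: str                         # "Low" | "Medium" | "High"
    control_effectiveness: float = 0.0  # 0.0 = no control, 1.0 = fully effective

    def inherent(self) -> int:
        """Inherent risk before any existing control is credited."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> float:
        """Residual risk after crediting existing controls (assumed model)."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def treatment(residual: float, appetite: float) -> str:
    """Map a residual score to a treatment option (thresholds are illustrative)."""
    if residual <= appetite:
        return "accept"
    if residual >= 6:  # High x Medium or worse with little control credit
        return "mitigate or avoid"
    return "mitigate"


def prioritize(risks, appetite: float = 2.0):
    """Return (risk, residual, treatment) tuples, highest residual first."""
    scored = [(r, r.residual(), treatment(r.residual(), appetite)) for r in risks]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register (hypothetical assets and threats).
REGISTER = [
    Risk("Remote access VPN", "Credential stuffing", "High", "High", 0.0),
    Risk("Customer database", "Ransomware", "Medium", "High", 0.25),
    Risk("Payroll server", "Flooding of on-prem data center", "Low", "High", 0.0),
    Risk("Help desk", "Mis-issued credentials (human error)", "High", "Medium", 0.75),
    Risk("Marketing site", "Defacement", "Medium", "Low", 0.25),
]

if __name__ == "__main__":
    for risk, residual, action in prioritize(REGISTER):
        print(f"{residual:4.1f}  {action:18s}  {risk.asset}: {risk.threat}")
```

Running the script prints the register ordered by residual risk, which is the order in which the action plan in step 4 should allocate effort; the accepted items still belong in the register so that the next assessment cycle re-evaluates them.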

Want to learn more about how KirkpatrickPrice’s risk assessment services can help secure your business? Contact us today.

More Risk Assessment Resources

Risk Assessment Guide and Matrix

Vendor Compliance Management Series: Performing an Effective Risk Assessment

Information Security Management Series: Risk Assessment

CFPB Readiness Series: Making Risk Assessment Work For You

What is Risk Management?

A risk assessment is an important component of an SSAE 18 (recently updated from SSAE 16) because the controls that you select to describe in your report and that the auditor will test must be based on that assessment of risk. You must determine what risks you’re facing in the achievement of your control objectives and then you must implement the controls in order to address those risks. We get these questions all the time – What is the purpose of a risk assessment? What are the steps to a risk assessment? What should go into a report? What controls should we have in place? The answer to that is: What risks are you trying to address? That’s part of our process so that we can help you identify what those risks are. Understand the concept of risk assessment and why it’s so important for the SOC 1. That really and truly is the thing that determines what goes into your report.