Newest Addition to the SOC Suite

The AICPA recently added a new offering to its SOC suite: SOC for Cybersecurity. The difference between SOC 1, SOC 2, and SOC 3 has always been fairly clear-cut based on factors like internal control over financial reporting, the Trust Services Criteria, and restricted report use. Now, we have a new player in the game.

What’s the Difference Between SOC for Cybersecurity and SOC 2?

How does SOC for Cybersecurity differ from the other SOC reports? Where SOC 1 is focused on ICFR and is based on the SSAE 18 standard, SOC for Cybersecurity is concentrated entirely on cybersecurity risk management programs. SOC 2 is where it gets a little more complicated. In general, SOC for Cybersecurity and SOC 2 engagements have four key differences: purpose and use, audience, report types, and subject matter.

What is a SOC 2 Audit?

SOC 2 audits help to address any third-party risk concerns by evaluating internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems. SOC 2 compliance is intended to give a wide range of service organizations the information security assurance that they need to address security.

What is SOC for Cybersecurity?

A SOC for Cybersecurity examination is how a CPA can report on an organization’s cybersecurity risk management program. This program is an organization’s set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives. The AICPA’s intent was to provide organizations with a consistent language to report on their cybersecurity efforts and establish a widely-accepted approach for cybersecurity assessments.

The Difference in Purpose and Use

A SOC for Cybersecurity report communicates information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users perspective and confidence in an organization’s cybersecurity risk management program. SOC for Cybersecurity reports are meant to be used during decision-making processes.

SOC 2 compliance can be a major factor in vendor management; no one wants to work with an at-risk vendor. For service organizations wanting to demonstrate their due diligence and information security efforts, a SOC 2 report will communicate how their internal controls are designed and operating.

The Difference in Audience for SOC 2 and SOC for Cybersecurity

SOC for Cybersecurity engagements may be performed for any type of organization, regardless of size or the industry in which it operates. A SOC for Cybersecurity report is for general use, specifically designed to be used by stakeholders, management, directors, analysts, investors, business partners, industry regulators, users, or anyone else whose decisions are directly impacted by the effectiveness of the organization’s cybersecurity controls.

A SOC 2 report is intended for an audience that has prior knowledge and understanding of the system, such as the management of a service organization or user entity. In order to communicate the attestation in a SOC 2 report, service organizations must have a SOC 3 report. A SOC 3 does not give a description of the service organization’s system, but it can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as they relate to the Trust Services Criteria.

The Difference in Report Types for SOC 2 and SOC for Cybersecurity

When undergoing a SOC 2 audit, a service organization can choose one of two types. Typically, we recommend that service organizations begin with a SOC 2 Type I. A Type I report is an attestation of controls at a service organization at a specific point in time, unlike a Type II, which is an attestation of controls over a period of time. In Type I, there is no testing of controls, but in Type II, the auditor will report on the “suitability of the design and operating effectiveness of controls.”

Similar to a SOC 2 Type I, service organizations can choose a design-only SOC for Cybersecurity examination. Design-only examinations do not provide the audience with enough information to assess the effectiveness of cybersecurity controls, only to know the description of the cybersecurity risk management program and the suitability of the design of controls to meet cybersecurity objectives. A service organization may choose to undergo a design-only SOC for Cybersecurity examination if they have not been in operation for a sufficient length of time or if they’ve recently made significant changes to their cybersecurity risk management program.

It’s important to note that in the future, there will be three SOC for Cybersecurity report levels to meet all the needs of the market: entity, service provider, and supply chain. The guidance currently available all relates to entity-level engagements.

Subject Matter Difference in SOC 2 and SOC for Cybersecurity

The contents of a SOC for Cybersecurity report and a SOC 2 report have a similar structure, but different subject matter. Each report contains management’s description, management’s assertion, and the practitioner’s opinion. In a SOC for Cybersecurity report, each of these components relates to the entity’s cybersecurity risk management program and the effectiveness of controls to meet cybersecurity objectives. In a SOC 2 report, each of these components relates to the service organization’s system and the effectiveness of controls as they relate to the Trust Services Criteria.

The main difference to remember between SOC for Cybersecurity and SOC 2 is the reporting on a cybersecurity risk management program versus a system and the Trust Services Criteria. Want more help deciding if a SOC for Cybersecurity engagement is right for your organization? Contact us today.


The Age of Cybersecurity & Risk Management

In today’s world, information systems are incredibly interconnected, but this comes with a price.

Because most organizations conduct some portion of their business in cyberspace, they open themselves up to a new level of risk. Who they are, what they do, and what information they possess can make businesses targets for malicious attackers. A malicious cybersecurity attack can result in:

  • Reputational damage
  • Disruption of business operations
  • Fines
  • Litigation
  • Loss of business

It’s more important than ever to demonstrate the extent and effectiveness of your organization’s cybersecurity risk management program.

The number of senior managers who acknowledge the new risks that come from doing business in cyberspace is increasing every day; we can see that from the increasingly prevalent use of the term cybersecurity instead of information security.

Senior management needs information about their organization’s cybersecurity risk management program in order to meet business and cybersecurity objectives. Boards of directors, analysts, investors, business partners, industry regulators, and users may also ask for this information to fulfill their own oversight responsibilities.

So what can senior management provide that outlines the effectiveness of their organization’s cybersecurity risk management program?

The AICPA saw a need in the industry that it could fill: a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Thus, SOC for Cybersecurity was created. In April 2017, the AICPA announced its new cybersecurity risk management reporting framework, paired with a market-driven, voluntary SOC for Cybersecurity examination.

Could your organization benefit from a SOC for Cybersecurity examination? Let’s find out.

What is the Cybersecurity Risk Management Framework?

Before we dive in deeper, let’s define some terms set out by the AICPA, including:

Cybersecurity

The processes and controls implemented to manage cybersecurity risks.

Cybersecurity Risks

A subset of information security risks, specifically related to the connection to and use of cyberspace.

Cybersecurity Risk Management Program

The set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of an organization’s cybersecurity objectives and to detect, respond to, mitigate, and recover from security events that are not prevented.

Cybersecurity Risk Management Framework

A way for CPAs to examine and report on management-prepared information about an organization’s cybersecurity risk management program.

Cybersecurity Framework

If you’ve already implemented a cybersecurity risk management program at your organization, you probably realized that there’s no widely-accepted approach for cybersecurity assessments. You may have found useful information from other frameworks, such as the NIST Cybersecurity Framework or ISO 27001, but piecing together which information is best practice or which applies to your organization is difficult.

The AICPA recognized the burden placed on organizations that are trying to develop an effective cybersecurity risk management program. The objective of the AICPA’s new cybersecurity risk management framework is to reduce that compliance burden by providing common criteria for assessing a cybersecurity risk management program’s effectiveness and establishing best practices. This cybersecurity risk management framework is beneficial to a broad range of users, scalable, and evolving alongside the threat landscape.

The cybersecurity risk management framework is a key component of the newest addition to the AICPA’s System and Organization Controls (SOC) suite of services.

What is SOC for Cybersecurity?

A SOC for Cybersecurity examination is how a CPA reports on an organization’s cybersecurity risk management program. Its intent is to communicate information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users an entity-wide perspective and confidence in an organization’s cybersecurity risk management program.

A SOC for Cybersecurity examination reports on three elements:

Management’s Description

The management-prepared description of an organization’s cybersecurity risk management program, including key cybersecurity policies and procedures, how the organization manages cybersecurity risks, and how it determines which systems and information are sensitive. This gives readers context and an understanding of the organization’s cybersecurity risk management program.

Management’s Assertion

Management must also make an assertion on whether the cybersecurity risk management program controls are effective and meet cybersecurity objectives, and whether the description meets description criteria.

Practitioner’s Opinion

This element is the CPA’s opinion on management’s description and on whether the controls in place are effective and achieve cybersecurity objectives.

What Will SOC for Cybersecurity Provide?

A SOC for Cybersecurity examination does not report on the details of controls, the list of tests of controls performed, or the results, which is why it is a general use report. A SOC for Cybersecurity examination also does not result in an expressed opinion on compliance with laws and regulations or privacy and processing integrity criteria. It does, though, validate cybersecurity controls that are in support of compliance, privacy, and processing integrity.

Managing cybersecurity risks is challenging, even with a sophisticated cybersecurity risk management program. Organizations should do everything possible to prevent, detect, and mitigate cybersecurity risks. Could your organization benefit from a SOC for Cybersecurity examination? If you’re interested in proactive, voluntary cybersecurity efforts, contact us today.


Independent Audit Verifies OneCloud’s Internal Controls and Processes

New York, NY – May 2018 – KirkpatrickPrice announced today that OneCloud, a SaaS solution provider, has received its SOC 1 Type I and SOC 2 Type I attestation reports. The completion of these engagements provides evidence that OneCloud has a strong commitment to delivering high quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of OneCloud’s controls that may affect its clients’ financial statements. SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services. The SOC 1 Type II audit report includes OneCloud’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of OneCloud’s controls to meet the standards for these criteria.

“Building a robust platform requires a focus on security across the organization, and we’re confident that we’ve taken all the necessary steps to ensure our data is protected,” said Quin Eddy, CEO of OneCloud. “We are confident that this audit reflects the results of our strong commitment to keeping our platform secure.”

“Many of OneCloud’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, OneCloud has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by OneCloud.”


About OneCloud

OneCloud is an integration and automation platform designed for business users to bring simplicity and control to the enterprise application landscape. OneCloud seamlessly orchestrates complex handshakes across a hybrid mix of on-premises and cloud-based systems. OneCloud provides full support for business intelligence and performance management applications including, but not limited to: Anaplan, Workday, Salesforce, Oracle Hyperion, IBM Cognos, Tableau and relational technologies. For more information, visit www.onecloud.io or connect with OneCloud on LinkedIn.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 700 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Vendor Compliance Management: What Happened?

[24]7.ai Cyber Incident

On April 4th, [24]7.ai, a customer support software company, announced a cyber incident “potentially affecting the online customer payment information of a small number of our client companies” that occurred between September 26 and October 12, 2017.

This cyber incident specifically occurred in [24]7.ai’s chat tool. Never heard of [24]7.ai? We hadn’t either, but their well-known clients gave this breach national attention. Sears, Delta Air Lines, and Best Buy have all announced breaches traced back to [24]7.ai, making this cyber incident a vendor compliance management issue.

Sears estimates that 100,000 customers’ payment card details were maliciously accessed. Fortunately, stores and internal systems were not accessed. Delta estimates that several hundred thousand customers’ data was exposed. Best Buy announced that only a small fraction of its online customer population would be impacted by this incident – but when you have a customer population as large as Best Buy’s, the amount of compromised data can’t be small.

From what we know, [24]7.ai’s clients’ internal databases were not breached; the malware resided in the provided chat service, and payment card details were accessed after a customer completed a transaction. Customers did not have to actually use the chat tool to be compromised.

Several elements of this breach stand out to us and raise several questions regarding PCI compliance and vendor compliance management:

  1. Why did it take six to seven months for [24]7.ai to notify its clients of this cyber incident? The incident occurred between September 26 and October 12, 2017, but Delta reports it was only informed of the breach on March 28. Sears reports it was told sometime in mid-March.
  2. How did Sears, Delta, and Best Buy attest to their own PCI compliance and were they actively monitoring [24]7.ai’s PCI compliance? PCI Requirement 12.8.4 explicitly states, “Maintain a program to monitor service providers’ PCI compliance status at least annually.” Knowing your vendors’ PCI compliance status provides assurance and awareness about whether they comply with the same requirements that your organization is subject to.
  3. Was [24]7.ai’s chat tool encrypted? In respect to PCI Requirement 4.2, the PCI DSS guidance states, “E-mail, instant messaging, SMS, and chat can be easily intercepted by packet-sniffing during delivery across internal and public networks. Do not utilize these messaging tools to send PAN unless they are configured to provide strong encryption.”

Importance of Vendor Compliance Management

This [24]7.ai cyber incident highlights how connected organizations and their vendors are and why attacks on third parties are so prevalent. Organizations must understand that vendors are a major risk factor if they have access to customer data. An attacker gets two for the price of one – compromising a vendor means compromising the vendor’s clients as well.

It’s not likely that [24]7.ai will be a name to remember, but customers will remember that payment card details from Sears, Delta, and Best Buy were compromised. Organizations must perform due diligence when choosing vendors who will handle customer data.

In the past, managing vendor compliance contractually was adequate, effectively transferring risk and responsibility to the service provider. But now? Compliance demands a full chain of custody. An effective vendor compliance management program should include:

  • A list of vendors who are subject to your compliance requirements.
  • Policies and procedures that outline compliance and security training for vendors.
  • Contractual agreements with vendors that provide a clear definition of compliance and security expectations.
  • Evidence of due diligence.
  • Continuous monitoring to ensure vendor compliance.
  • A remediation plan for compliance issues.

Do you monitor your vendors’ compliance efforts? Have you performed due diligence when choosing vendors? For more information on establishing a vendor compliance management program, contact us today.

More Vendor Compliance Resources

[24]7.ai Issues Statement on Information Security

Delta’s Information on [24]7.ai Cyber Incident

Best Buy’s Statement on [24]7.ai Cyber Incident

Sears Holdings’ Statement on Data Security Incident

Data FAQs for GDPR

Ready to learn what constitutes a data subject and personal data under GDPR? Mark Hinely joins us in this webinar to discuss!

Who is a Data Subject?

The definition of a data subject under GDPR is one of the most confusing aspects of the law. There’s no formal definition, inconsistent terms within the law, no formal guidance from Article 29 Working Party, and the supervisory authority guidance is dated. So how do organizations determine who data subjects are? The different interpretations of the law say:

  • A data subject is anyone physically within the borders of the EU whose data is being processed while that individual is physically within the Union.
  • A data subject is anyone who formally resides within the EU, regardless of citizenship, while that individual is physically within the Union.
  • A data subject is anyone who has formal citizenship in the EU while that individual is physically within the Union.
  • A data subject is anyone who has residency/citizenship in the EU whose data is being processed, regardless of where the resident/citizen is physically located at the time of processing.
  • A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject.

Those interpretations create some confusion, right? There is some overlap and there are some open questions. The law is not clear. Reasonable, educated people disagree on the interpretation of what a data subject is under GDPR. We’re here to show you what those different interpretations are and what the issues are.

What is Personal Data?

Under GDPR, personal data is any information relating to an identified or identifiable person (data subject), who can be recognized by identifiers like a name, an ID number, location data, or physical, physiological, genetic, mental, economic, cultural, or social identity. Personal data depends on what type of data element it is, the context, and reasonable likelihood of identification. There are logical and legal considerations that apply to the definition of personal data under GDPR.

Listen to the full webinar to educate yourself on who a data subject is under GDPR and if the data you control or process is personal data. For more information on GDPR readiness, contact us today.
