Post on 01-Aug-2020
The Death of SAS 70: SOC It to Me
March 2011
IAPP Global Summit 2011
Washington D.C.
Presented by: Rena Mears, CIPP
Doron Rotman, CIPP
Objectives of Today’s Session
– Identify Third Party Service Providers’ privacy risks
– Discuss how utilizing privacy audits and/or assessments of service organizations is considered a good business practice
– Identify the different types of reports available under the new attestation standard, SSAE No. 16, and the impact from a privacy perspective
– Identify which reports are more useful for your organization based on different criteria
General Introduction
• The audience – tell us about yourself:
– Your name
– Company name and location
– Position
– Involvement in your organization’s privacy program
– What would you like to take away from this presentation today
Agenda
– Top 8 Privacy Concerns with Third Party Service Providers
– How to Mitigate Privacy Concerns
– Overview of Service Organization Control (SOC) reports
– Why there was a change from SAS 70 reports
– Types of SOC reports
– Control Requirements
– Steps to Alleviate Privacy Concerns
Privacy Concerns with Third Party Service Providers
• Accountability of Data
• Data Security / Safeguarding Data
• Utilizing Other Third Parties – Subsequent Use and Onward Transfer
• Breach Management
• Contract Management
• Use and Retention of Personal Information
• Data Integrity
• Monitoring and enforcement of laws and regulations
Building Trust with Third Party Service Providers
• You can outsource data, you can’t outsource accountability!
• Due to prominent internal-control breakdowns (security, privacy breaches, and fraud) and increasing regulatory focus on internal control (Sarbanes-Oxley Act, Basel II, HITECH and HIPAA), there is an increase in due diligence and governance oversight.
• Technological, regulatory and other changes have heightened the need for information and assurance.
• The Cloud!
Steps to Alleviate Privacy Concerns of Third Parties
It is critical, when organizations utilize a third party service provider, to create a strategy that helps ensure privacy concerns are addressed:
• Examine Applicable Privacy Laws
• Due Diligence
• Monitoring
• Data Control
• Contractual Agreements
• Compliance Monitoring
Privacy Assessments and Audits – A Necessity
• When companies outsource their data processing or services to third-party service providers, they do not release ownership and responsibility for internal controls.
• The controls of the service provider effectively become the controls of the user organization, and must fit into the user organization’s internal control framework.
• Companies need assurance that the controls specified agree to the framework.
Mitigate Privacy Concerns
• To mitigate risks, third-party service providers need to provide a description of their internal control activities surrounding data processing, including input, processing, output, and security. This documentation or assessment is necessary to provide assurance to the user organization that data integrity, availability, and confidentiality are protected.
• This can be achieved through utilization of a service organization control report.
Service Organization Privacy Audits – Risk Based Approach
• Questionnaires
• Self Certification
• Self Regulatory Programs (TRUSTe, IAB, Safe Harbor) and Assessments (PCI)
• User organization internal audits
• Independent 3rd Party Assurance
– Agreed upon procedures (Shared Assessment)
– SOC 2/3
Service Organization Control (SOC) Reports Replace SAS 70
• With the retirement of the SAS 70 standard, traditional SAS 70 reports are being replaced by Service Organization Control Reports (or “SOC” reports).
• In the past, the SAS 70 report was intended to assist service organizations’ customers and their auditors in the context of a financial statement audit.
• Now, three types of SOC reports have been defined to replace SAS 70 and help service organizations meet a broader set of specific user needs – including addressing security, privacy and availability concerns related to the cloud.
Reason for the Change
Clarity of Purpose
• Mis-understandings
• Mis-applications
• Mis-uses of SAS 70
New Technologies
• SaaS
• Cloud Computing
• Privacy issues for emerging technologies
Global Implications
• Need for greater international consistency
Reason for the Change
SAS 70 reports often were misinterpreted as a means to obtain assurance regarding controls over compliance and operations (which included privacy controls).
Reason for the Change
[Diagram: lineage of Service Organization Controls (SOC) reports]
Statement on Auditing Standards #70 (SAS 70) → SOC 1 (Financial Reporting), under SSAE 16
Trust Principles: SysTrust, WebTrust → SOC 2 & SOC 3 (Non-Financial Reporting), under AT 101
Together: Service Organization Controls (SOC)
Types of SOC Reports

SOC1
Scope/Focus: Internal Control Over Financial Reporting
Summary: Detailed report for customers and their auditors
Applicability:
• Focused on financial reporting risks and controls specified by the service provider.
• Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.

SOC2
Scope/Focus: Security, Availability, Processing Integrity, Confidentiality and/or Privacy
Summary: Detailed report for customers and prospective customers
Applicability:
• Pre-defined security criteria form the baseline.
• Can also include Confidentiality, Availability, Processing Integrity and/or Privacy criteria.
• Financial reporting is not the primary concern.

SOC3
Scope/Focus: Same as SOC2
Summary: Short report that can be generally distributed, with the option of displaying a web site seal
Applicability:
• Same as SOC2 without disclosing detailed controls and testing.
• Optionally, the service provider can post a Seal if they receive an unqualified opinion.
Which Report is the Right Report?
SOC 1
• Focus on internal control over financial reporting.
• Need detail about systems and processes.
SOC 2
• Primary interest in key compliance and operational controls (security, availability, processing integrity, confidentiality or privacy).
• Need detail about systems and processes.
SOC 3
• Primary interest in key compliance and operational controls (security, availability, processing integrity, confidentiality or privacy).
• Only a summary report/seal is provided.
Privacy Control Requirements
Generally Accepted Privacy Principles (GAPP)
1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use, Retention and Disposal
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring & Enforcement
Requirements
• Address all 74 criteria
• Service Provider only
• User Organization Only / NA
• Shared
• Disclose controls that support the criteria
Control Requirements
Information Security Management System
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Areas of Added Emphasis for Emerging Technologies
• Data Protection/Segregation
• Privacy
• Encryption Standards
• Logging
• Authentication
• Configuration Management
• Monitoring/Compliance Function
The SOC2 and SOC3 assurance framework can be used to demonstrate the effectiveness of privacy-related controls within different frameworks.
Take Away
• SOC reports will increase your trust and help your organization address risk and governance concerns with your third party service provider.
• Utilizing a SOC report is beneficial; however, your organization must have a strong governance structure which incorporates third party service providers.
Questions
Contact Information
Rena Mears, Partner
US and Global Privacy and Data Protection Leader
Deloitte & Touche LLP
renamears@deloitte.com

Doron Rotman, CIPP
National Privacy Service Leader, Advisory
KPMG LLP
drotman@kpmg.com