Statement on Standards for Attestation Engagements (SSAE) No. 18 was issued by the AICPA with the purpose of providing reasonable assurance on Service Organization Controls to user entities that outsource IT and related services. The new standard mirrors and complies with the international service organization reporting standard, ISAE 3402.
SSAE 18 comprises the following types of reporting requirement, depending on the nature of the services outsourced:
SOC 1 - Financial process outsourcing and related applications
SOC 2 - IT process outsourcing and applications
SOC 3 - For organizations requiring a general-use report
Comply with the SOX requirement (Section 404) for effectiveness of Internal Controls Over Financial Reporting (ICFR) with respect to IT general controls at the service organization. It can also be applied to data centers, or any other service that is used in the delivery of financial reporting.
Provide assurance on controls under the Trust Services Criteria issued by the AICPA for:
Security
Availability
Processing Integrity
Confidentiality
Privacy
A SOC 3 report uses the same Trust Services Criteria (TSC) as SOC 2 and provides a general-use report intended for public distribution. The service organization can provide the report to user organizations on request.
Report type | Title | Description |
---|---|---|
Type I | Report on controls placed in operation | A report on a service organization's description of its internal control structure, on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specified date |
Type II | Report on controls placed in operation + Tests of controls | Includes a Type I report, plus whether the controls tested were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during the period specified |
A SOC 2 report is performed in accordance with AT 101 and is based upon the Trust Services Criteria to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization's controls. The purpose of the report is to evaluate an organization's information systems relevant to:
Trust Services Criteria | Expectation |
---|---|
Security | The system is protected against unauthorized access, both logical and physical |
Availability | The system is available for operation and use as committed or agreed |
Processing Integrity | System processing is complete, accurate, timely and authorized |
Confidentiality | Information is only accessed by authorized personnel |
Privacy | The system's collection, use, retention, disclosure, and disposal of personal information conform to the commitments in the entity's privacy notice |
Type I and Type II reports each consist of four sections:
Section | Contents |
---|---|
Section One | Independent Service Auditor’s Report (the “Opinion”) |
Section Two | Management’s assertion for controls |
Section Three | Description of Internal Controls and Control Objectives (Provided by Management of Service Organization) |
Section Four | Information Provided by the Independent Service Auditor (Includes Tests of Operating Effectiveness - results and exceptions for a Type II Report) |
Gap Assessment of existing environment and SOC 2 controls
Implementation of controls
Framing policies and procedures
Risk Assessment
Attestation
An IT audit aims to provide assurance that information systems maintain confidentiality, integrity and availability. It does so by:
Establishing a sound and robust technology risk management framework
Strengthening system security, reliability, resiliency, and recoverability and
Deploying strong authentication to protect customer data, transactions and systems.
Business goals and objectives
Information System setup and infrastructure
Understand policies and procedures for the information system
Scope the audit to key information systems and areas
Identify risks affecting the system
Rate identified risks based on criticality level
Understand and evaluate key processes and related controls
Perform tests of design and operating effectiveness of controls
Evaluate and document test results
Discuss findings in draft report with IT team management
Obtain remediation plan from management
Finalize the report and present it to the board
Identify the business context of Data Privacy protection / Information Security relevant to your stakeholders.
Extensive data mapping exercise to determine the type of data you collect, the jurisdiction in which the data is stored, or cross-border transfers performed, the purpose(s) for which the data is collected and determination of whether you are a data controller or data processor with regards to the data.
Provide formal documentation and attestation for the Data Privacy program.
Define the DPIA Risk Assessment Methodology, identify risks of note based on the Data Mapping, and assess each risk in accordance with the methodology.
Determine the appropriate level of security that should be applied to information assets, identify, analyze and evaluate risks that security requirements will not be met; and develop plans for managing risks to an acceptable level.
Compare the actual design and performance of the controls in place with the expected design/performance.
Standard data protection regulations are utilized for Gap Assessment and additional controls and guidance may be required depending on organizational needs and functions.
A Gap Remediation Plan providing you a foundation for setting priorities, assigning ownership, allocating investments of time, money and human resources, and for measuring and improving compliance with standards and laws.
Provide guidance and support in addressing the issues identified in your Gap Remediation Plan.
Provide guidance and support for the implementation of controls.
Conduct the annual audit of your Data Privacy program to ensure controls remain adequate for the required protections and maintain compliance
Adopting the ISO/IEC 27000-series information security standards (commonly known as "ISO27k") generally starts with a project to specify, design, develop and implement an Information Security Management System (ISMS). Once operational, the ISMS is reviewed and updated on a periodic basis, or whenever a major change, either within the organization or outside it, alters the risks the organization faces.
To summarize, organizations must at any point in time be able to pre-empt, defend against or respond quickly to information theft so that the resulting damage is minimized, if not eliminated. Many organizations rely on ISO 27001 certification to give them assurance that the certified organization takes information security seriously and has put in place mechanisms and controls to ensure that the impact of information leakage or theft is minimized, if not eliminated.
ISO 27k certification requires full support from management in terms of commitment of intent, resources and reviews, to ensure that the ISMS they have implemented yields the benefits they were promised.
Existing Environment Analysis: The first stage of the project is to review the existing policies and documentation with respect to the ISMS, with the intent of identifying gaps.
Solution Recommendation: Assessment of the gaps leads to identification of the documentation and processes that need to be written down and implemented. Risk identification, analysis and treatment are performed, and their recommendations are used to drive process changes and controls.
Solution Implementation: All identified documentation is produced, existing processes are re-engineered where required, and missing processes are implemented. For an agreed-upon period, the new ways of working are monitored for efficiency and effectiveness, and corrective actions are taken where required. Solution implementation sets the stage for Stage 1 of the certification process.
The certification process (Stage 2) is then initiated and completed to the auditor's satisfaction, so that the auditor can recommend certification.