Wired

The biggest threat of deepfakes isn’t the deepfakes themselves

The mere idea of AI-synthesized media is already making people stop believing that real things are real. It was late 2018, and the people of Gabon hadn’t seen their president, Ali Bongo, in public for months. Some began to suspect that he was ill, or
/
Microsoft to use AI to filter game chat

Microsoft to use AI to filter game chat

Microsoft is turning to AI and machine learning to let Xbox gamers filter the language they see in text messages. It is introducing customisable filters that let gamers choose the vocabulary they see in messages from friends and rival players. The four levels of filtering
/
GDPR Compliance

SOC Reporting Requirements You Need to Know in a Cloud Environment

SOC Reporting Requirements

Security lapses in some of the world’s biggest companies continue to appear in news headlines, and information security is top of mind for businesses. Perhaps as a result, SOC reports are becoming a standard due diligence request before companies procure the services of vendors.

Over the years, the reporting framework has evolved from its original focus on financial reporting controls to include a suite of reporting options that cover cloud service provider security, cybersecurity risk management programs, and even a reporting vehicle to demonstrate compliance with other standards such as HIPAA, CSA, HITRUST, ISO, and others.

SOC Reporting Requirements 

Thanks to the evolving usage of the reports, 2017 saw the American Institute of Certified Public Accountants rebrand SOC reports from Service Organization Control to System and Organization Control.

These reports are no longer just between the service provider and the user. They are instead becoming the 10K financial statement audit for cybersecurity programs. Although they were initially derived from AICPA auditing standards such as SAS 70 for service organizations, SOC reports can now come in these forms:

  • SOC 1 is focused on internal control over financial reporting. These reports do not come with predefined criteria, but they typically focus on general IT controls and business transaction processing controls.
  • SOC 2 is focused on a standard set of cybersecurity criteria, including security, and optional incremental criteria, including availability, confidentiality, processing integrity, and privacy.
  • SOC 3 is a shortened version of SOC 2 that can be made available for public distribution because SOC 2 reports contain confidential details about an organization and further require the user to have knowledge of the system to effectively use the SOC 2 report.
  • SOC for cybersecurity is focused on an entity-wide program or business unit in order to inform a broader range of stakeholders, from private equity and investors to the board and other internal management.
  • SOC for vendor supply chains is under development.

The CPA firm that issues the SOC must adhere to AICPA and international assurance standards. But the beauty of SOC reports is that they are not a regulatory requirement. They’re market-driven reports that have grown organically as businesses around the world have collectively relied on them, and many companies have internally mandated them as part of their various risk management programs.

Reporting Requirements Revealed

There are a number of misconceptions about SOC reports, but the most common is that service providers like Azure, Amazon Web Services, and Google Cloud Platform are the ones responsible for reporting. Because cloud responsibilities are shared, there are three entities that must be considered: your company, critical vendors like IaaS cloud service providers, and whichever user entities are using the report.

All three play a part in an effective cybersecurity program, and the SOC report clarifies which controls and criteria each entity is responsible for. One of the most common SOC reports, SOC 2, leverages the Trust Services Criteria. This set of criteria is aligned to the 17 COSO internal control framework principles, but it can also used as a reporting framework to include several other common standards such as NIST CSF, ISO 27001, CSA, and others. The Trust Services Criteria are broken up into these categories:

1. Security: Security is focused on protecting the systems and data from unauthorized access. It consists of both governing and technical controls. First, governing controls like policies, procedures, risk assessment, and security functions are always the complete responsibility of your organization. Second, technical controls such as logical access, change management, operations, and security incident management might have shared responsibility between you and your vendor. For example, physical security would be the responsibility of AWS.

Have written policies and procedures, and identify best practices for the technology being used in your environment. Next, standardize the hardening of the operating system/database, network, and cloud infrastructure. CIS has excellent whitepapers on almost all technology platforms, including AWS, GCP, and Azure. Define a chief information security officer role (or its equivalent), and determine how security functions and roles are disseminated throughout the organization such as in DevOps and incident management.

2. Availability: Availability is focused on data backups, business continuity, and disaster recovery planning. This criterion is about making data and systems available when they’re needed.

Understand your service-level agreements around uptime and availability. SOC reports are based on commitments, not absolute requirements. For example, a bank with “five nines” (99.999 percent) uptime would be expected to have a more robust business continuity plan than a learning management system that has more tolerance for downtime. The cloud allows options to leverage multi-availability zones and redundancy. Test your BCP at least annually.

3. Confidentiality: Not surprisingly, the confidentiality criterion is focused on data encryption, retention, and disposal.

Understand your commitments to your customers. Confidential data is determined between you and your customer and can include various types of data. Give your customers control of their data in terms of when they can delete it. Know your procedures around the termination of contracts with your customers. How long is data preserved, and when can it be deleted? And how do you validate that data has been deleted in production and in all the backup systems?

4. Processing integrity: Because processing integrity is typically addressed in SOC 1 reports, it’s not commonly reported. Still, this criterion is focused on whether the data processed within the company is complete, accurate, timely, valid, and authorized.

5. Privacy: Privacy isn’t typically relevant in a CSP’s SOC report, as the collection and use of personally identifiable information is the responsibility of the CSP’s customer. However, more organizations are being asked to review certain privacy components as General Data Protection Regulation concerns loom.

Know your requirements. It’s a good idea to avoid collecting personally identifiable information if you don’t need it. But if you do, allow your customers to designate control over the types of PII that are managed and processed. As long as you can process system access requests, individual consumers can delete, access, view, or modify their data. Cloud platforms will also need to adopt programs that sanitize and de-identify data so it’s no longer directly associated with individual users.

Data protection measures aren’t always easy, but they’re in place for a reason. As regulations like the GDPR give control of data back to consumers, companies will need to ensure they’re meeting all regulatory and reporting requirements. By checking these boxes, you minimize your exposure to ever-present cybersecurity risks.

By Brad Thies

  • Recent Articles
Brad Thies Contributor
Founder and President of BARR Advisory
Brad Thies is the founder and president of BARR Advisory, an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force. Brad’s advice has been featured in Entrepreneur, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG’s risk consulting division. He is a CPA and CISA.
follow me
3 Ways to Protect Users From Ransomware With the Cloud

3 Ways to Protect Users From Ransomware With the Cloud

Protect Users From Ransomware The threat of ransomware came into sharp focus over the course of 2016. Cybersecurity trackers have been aware of ransomware for ...
The Cloudification of Healthcare: Benefits and Risks

The Cloudification of Healthcare: Benefits and Risks

Cloud Healthcare: Benefits and Risks Many organizations are moving most of their business-critical applications and workloads to the cloud. The healthcare industry is no exception ...
Daren Glenister

What’s Next In Cloud And Data Security?

Cloud and Data Security It has been a tumultuous year in data privacy to say the least – we’ve had a huge increase in data ...
Mark Casey Apcela

Industrial IoT will reshape network requirements

Industrial IoT The hype around IoT may have been surpassed this year by breathless coverage of topics such as artificial intelligence and cryptocurrencies, but there ...
What You Need To Know About Choosing A Cloud Service Provider

What You Need To Know About Choosing A Cloud Service Provider

Selecting The Right Cloud Services Provider How to find the right partner for cloud adoption on an enterprise scale The cloud is capable of delivering ...
It Programs Compressor