Research Paper MIS - SOC 2 Compliance

profilesirivasu
BA_602_MIS_SU_2018_GROUPC.docx

Running head: SOC 2 COMPLIANCE

1

SOC 2 COMPLIANCE

6

SOC 2 COMPLIANCE

BA60271 H6 Management Information Systems

CAMPBELLSVILLE UNIVERSITY

Instructor: Dr. Iris Billy

Presenters: Group C

Sirisha Dumpa(558335)

Lakshmi Sai Donti Reddy(558453)

Sai Nischal Dasari(558485)

Sai Srinija Gogineni(556841)

Ajeet Garikena(559161)

Suhaib Gulam(558715)

Pallavee Gajera(558751)

Vikas Dachepally(558670)

Venu Madhav Datla(557495)

Abstract

Organizations don’t want to do business with at-risk vendors. That’s why many service organizations are being asked for a SOC 2 audit report. SOC 2 compliance helps to address any third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security at a service organization. This white paper will help familiarize you with an overview of SOC 2 compliance and reporting. We will discuss reasons why you may have been asked by a client to receive a SOC 2 audit, the history of SOC 2 reports, understanding the different Trust Services Principles and how they may apply to your organization, and reasons why your organization will benefit from SOC 2 compliance.

Keywords: SOC 2 compliance, SOC 2 reports

SOC 2 Compliance

SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. Its goal is to ensure that systems are set up so that they assure security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 is both a technical audit and a requirement that comprehensive information security policies and procedures are written and followed.

SOC 2 Compliance Reports

Service Organization Controls reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.

SOC reports cover situations where one company outsources some portion of their business or technology to another company. SOC 2 reports are an examination engagement to report on controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles). Examples of service providers where a SOC 2 report might be relevant include cloud computing, customer call centers, enterprise IT outsourced services.

The following are the key terms related to SOC Reports and their definitions.

Key Terms

Definitions

Service Auditor

A practitioner who reports on controls at a service organization.

Service Organization

An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.

Subservice Organization

A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

User Entity

An entity that uses a service organization.

Applicable trust Services Criteria

The criteria in Trust Services Principles (TSP) section 100, i.e., Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), that are applicable to the principle(s) being reported on. These are issued by issued by the Assurance Services Executive Committee of the AICPA (the committee).

Boundaries of the system

The boundaries of a system are the specific aspects of a service organization’s infrastructure, software, people, procedures, and data necessary to provide its services.

Engagement Letter

A formal letter representing the written contract between the service auditor and the service organization to perform SOC services.

Management Assertion

A written statement by management of the service organization regarding the description of the service organization’s system; the suitability of the design of the controls; and in a Type 2 report, the operating effectiveness of the controls.

Management Representation Letter

A letter signed by management of the service organization that includes written statements of facts or representations that controls are suitably designed and implemented (Type 1) and operating effectively (Type 2).

Test of Controls

A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.

Type 1 and Type 2 SOC 2 reports

· Type 1

1. Reports on controls placed in operation (as of a point in time)

2. Looks at the design and implementation of controls; not operating effectiveness

3. Considered for information purposes only

4. Often performed only in the first year a client has a SOC report completed

· Type 2

1. Reports on the design, implementation and operating effectiveness over a period of time (generally not less than six months)

2. Includes tests of operating effectiveness and results

3. More comprehensive

4. Requires more internal and external effort

5. More emphasis on evidential matter

SOC 2 CERTIFICATION

SOC 2 is an AICPA report that allows service auditor to provide an opinion on the following principles:

1. Security

2. Availability

3. Processing integrity

4. Confidentiality

5. Privacy

References

2017, www.msspalert.com/cybersecurity-breaches-and-attacks/service-organization-control-soc-2-certification/.

Basham, Robin, and VP Security & Compliance. “Why Earn SOC 2 Certification.” Cavirin Systems, Inc., www.cavirin.com/blog/25-compliance/37-soc2-certification.html.

Martinez, Carlos. “Top 3 Challenges When Updating Your Compliance Framework.” Reciprocity, Reciprocity Labs, 11 Apr. 2018, reciprocitylabs.com/top-3-challenges-when-updating-your-compliance-framework/.

CIPT , Jeff Cook. “Trying to Comply with SOC 2? Things Just Got Easier.” Top 10 Operational Impacts of the GDPR: Part 6 - RTBF and Data Portability, 8 Jan. 2017, iapp.org/news/a/trying-to-comply-with-soc-2-things-just-got-easier/.

Wilkins, Travis. “9 Common Questions About SOC 2 Compliance – Threat Stack.” Threat Stack, www.threatstack.com/blog/9-common-questions-about-soc-2-compliance.

Incapsula.com, www.incapsula.com/web-application-security/soc-2-compliance.html.