In today's public cloud, data security and privacy are hard to protect. Many
organizations store a significant amount of data in the public cloud and even
in unmanaged environments, which makes regulatory compliance harder. At the
same time, privacy mandates such as GDPR add to the complexity of governing
data. Without a proper data governance program, organizations may struggle to
meet these privacy compliance mandates.
Independent third-party assurance, such as a System and Organization Controls
(SOC) 2 report, helps address these concerns and gives organizations a basis
for mitigating data security and privacy risk.
In this blog, we give an overview of the AICPA's System and Organization
Controls (SOC) reporting, including SOC for Cybersecurity, to help your
organization understand how it supports data security. We cover the SOC
framework for managing and reporting on cybersecurity practices, which lets
companies track and monitor the effectiveness of their information security
activities.
Rising Cybercrimes and Financial Data
No business is immune from a data breach. A 2019 study of a series of breaches
at Maryland CPA firms found that of the 132 firms reporting a crime, 90% were
small firms (not among the state's top 300 CPA firms) and that the most common
type of breach was unauthorized access to data.
Large enterprises are not immune either. In November, the email stores and
confidential client documents of global SaaS provider Prestige Software exposed
millions of records after the company failed to secure its cloud instances.
Users of some of the world's most popular travel retail websites, including
Booking.com, Expedia, and Hotels.com, had some of their most sensitive data
exposed.
The most painful detail is that the exposure is believed to have come from a
leaky S3 bucket: cloud storage left readable by anyone who found its address.
The large-firm intrusions surprised many industry professionals, since
companies of that size are expected to use their considerable resources to set
and maintain the highest standard of data security. As the Maryland study
shows, smaller firms are at risk as well, because they often lack those
resources and cannot build the data security systems needed to keep their
clients' information safe.
What is AICPA’s SOC?
The AICPA noted this small-firm data security concern when designing its SOC
for Cybersecurity risk management reporting framework. The framework begins by
establishing a three-part process to ensure that all corporate information,
both the company's and its clients', is protected from cyber intrusions:
First, it creates a common language for everyone involved in cybersecurity
inside the organization. The standardized nomenclature ensures that all
participants are on the same page about cybersecurity risks, controls, and
management practices.
Second, using that common language throughout the organization lets the
company both implement its security program and report accurately on its
ongoing activities. The reports support assessments of how effective the
practices are and whether controls are in place to protect confidential
information.
Finally, the framework provides guidance for CPAs engaged to examine the
corporate cybersecurity risk management program and attest to their findings.
By following the SOC framework, organizations learn to develop and implement
cybersecurity best practices and controls, and to keep stakeholders informed
about their effectiveness. Not insignificantly, the AICPA designed the
framework to be flexible enough to accommodate the guidance, rules, and
regulations of other bodies and security frameworks, such as HIPAA and NIST.
The AICPA also defines three report categories that describe and assess a
firm's data security practices:
SOC 1®: Internal Controls Over Financial Reporting (ICFR)
SOC 1 reports cover the controls at a service organization (in this case, a
CPA firm) that are relevant to its clients' internal control over financial
reporting, that is, the controls around how the firm processes and safeguards
clients' financial data. The reports give assurance to potential clients and
industry regulators that the firm handles its clientele's sensitive financial
information responsibly. A SOC 1 engagement produces one of two report types:
- SOC 1 Type 1 reports on whether the controls are suitably designed and
implemented as of a specified date, and
- SOC 1 Type 2 additionally reports on whether those controls operated
effectively over a period of time.
SOC 2®: Trust Services Criteria
These reports go beyond whether a firm can manage client data and explain how
its internal controls meet the Trust Services Criteria (security, availability,
processing integrity, confidentiality, and privacy) as client information is
accessed, processed, and stored. The findings inform management and overseers
about the sufficiency of the company's data protection and vendor management
strategies. SOC 2 assessments examine controls related both to access to data
and to the types of data collected.
Access to Data
Access is classified into two types, physical and logical.
Physical access controls govern the physical devices, servers, data centers,
and other locations where an organization's data resides. Meeting the SOC 2
criteria here means that data storage devices (servers, databases, workstations,
hard drives, etc.) are physically secured so that intruders cannot reach them.
Physical controls include keeping servers and laptops behind locked doors,
restricting entry to data centers, and encrypting hard drives and flash drives
so that a stolen device does not give up its contents. Firewalls and anti-virus
software are not physical controls; they belong with the logical controls
described next.
Logical access controls are the tools, programs, and protocols used to
identify, authenticate, and authorize appropriate users of information and
computing systems. Deciding whether to grant access is a two-step process:
- Identifying the requester: not just individual people, but also the service
accounts, virtual machines, and programs that consume data as part of their
operation.
- Establishing why that entity needs access. The AICPA points to the principle
of least privilege as a guide for CPA firms to determine not just who can
access their data, but also why and when that access is valid.
The resulting logical controls ensure that the firm limits data access by its
human and digital workers to the minimum necessary to perform their duties.
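The who/why/when decision above, as an added example that is not part of the original article: a small default-deny access policy in Python in which every grant names a principal (human or service), the actions and resource pattern it covers, the stated purpose, and a validity window, plus a check that flags grants too broad to be least-privilege. All principals, resource paths, purposes and dates are constructed for illustration.

```python
"""Least-privilege decision engine: default deny, explicit grants keyed on who
(human or service principal), what (action + resource), why (purpose) and when
(validity window). Everything below is constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Iterable, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # "human" or "service" (service accounts, jobs, VMs)


@dataclass(frozen=True)
class Grant:
    principal: str        # principal name the grant applies to
    actions: frozenset    # e.g. {"read", "write"}; "*" means any action
    resource: str         # glob over resource paths, e.g. "clients/acme/*"
    purpose: str          # business reason the requester must state
    valid_from: datetime  # inclusive
    valid_to: datetime    # exclusive


class LeastPrivilegePolicy:
    """Answers access requests; anything not explicitly granted is denied."""

    def __init__(self, grants: Iterable[Grant]):
        self.grants = list(grants)

    def decide(self, principal: Principal, action: str, resource: str,
               purpose: str, now: datetime) -> "tuple[bool, Optional[Grant]]":
        for g in self.grants:
            if g.principal != principal.name:                 # who
                continue
            if action not in g.actions and "*" not in g.actions:  # what
                continue
            if not fnmatchcase(resource, g.resource):
                continue
            if g.purpose != purpose:                          # why
                continue
            if not (g.valid_from <= now < g.valid_to):        # when
                continue
            return True, g
        return False, None                                    # default deny

    def overbroad_grants(self) -> "list[Grant]":
        """Grants that violate least privilege on their face: wildcard
        actions, wildcard resources, or a validity window of a year or more."""
        flagged = []
        for g in self.grants:
            too_long = (g.valid_to - g.valid_from).days >= 365
            if "*" in g.actions or g.resource == "*" or too_long:
                flagged.append(g)
        return flagged


# --- constructed sample principals and grants (hypothetical) ---
ALICE = Principal("alice", "human")           # tax preparer on the Acme account
BACKUP = Principal("backup-job", "service")   # nightly backup account
ETL = Principal("legacy-etl", "service")      # migration account nobody revoked

GRANTS = [
    Grant("alice", frozenset({"read", "write"}), "clients/acme/*",
          "tax-return-2024",
          datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 4, 30, tzinfo=UTC)),
    Grant("backup-job", frozenset({"read"}), "clients/*", "nightly-backup",
          datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 3, 31, tzinfo=UTC)),
    # everything, everywhere, for a decade: exactly what least privilege forbids
    Grant("legacy-etl", frozenset({"*"}), "*", "migration",
          datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC)),
]

POLICY = LeastPrivilegePolicy(GRANTS)
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=UTC)    # inside both 2024 windows
LATER = datetime(2024, 6, 1, tzinfo=UTC)          # after alice's window closed


def check(principal: Principal, action: str, resource: str, purpose: str,
          now: datetime = NOW) -> bool:
    allowed, _ = POLICY.decide(principal, action, resource, purpose, now)
    return allowed


if __name__ == "__main__":
    print(check(ALICE, "read", "clients/acme/1040.pdf", "tax-return-2024"))
    print(check(ALICE, "read", "clients/globex/1040.pdf", "tax-return-2024"))
    print(check(BACKUP, "write", "clients/acme/1040.pdf", "nightly-backup"))
    for g in POLICY.overbroad_grants():
        print("review:", g.principal, sorted(g.actions), g.resource)
```

The `overbroad_grants` check is the part an auditor would ask about: the wildcard grant to `legacy-etl` still answers "allow" for any request, which is why a periodic review of standing grants matters as much as the decision logic itself.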
Types of Data
In addition to who gains access to data, the framework also offers guidance on
classifying and securing the types of data collected by CPA firms. Not all
incoming or stored information is confidential, so the firm needs different
security levels for different levels of data sensitivity. Transmitting data
also raises concerns, especially when the workforce is distributed and uses
personal devices to reach corporate databases. Finally, some global data
regulations (such as Europe's General Data Protection Regulation, GDPR)
mandate how, when, and why data must be retained or destroyed. The SOC 2
report details how an individual CPA firm manages this aspect of data
controls.
SOC 3®: Trust Services Criteria General Use Report
SOC 3 reports are general-use reports that assure any reader that the CPA firm
maintains appropriate controls over information security, access, and privacy,
without the detail of a SOC 2 report.
Benefits of the AICPA Framework
Cybersecurity practices must evolve as digital crimes evolve, but most CPA
firms cannot follow those developments or respond accordingly. The AICPA
framework gives them an overarching strategy to regularly evaluate their
internal cybersecurity controls, minimize known risks, and report on their
compliance to clients and industry regulators. They can also share their
insights with clients to improve the clients' security practices and perform
the audits and assessments clients need to maintain their own cybersecurity
posture.
From a higher perspective, the AICPA SOC framework also builds confidence among
clients, investors, and other stakeholders that confidential information is
safe and that the firm continues to exercise due diligence in its cybersecurity
activities.
Sonrai Security's award-winning Dig technology keeps a constant watch over
corporate and client data stores and their usage, monitoring for
least-privilege access and alerting you to data breach concerns. The software
helps your CPA firm provide a high standard of data protection and supports
well-received SOC reports when needed.