2.8 Compliance
02. Service Organisation Controls

28.03 Service Organisation Controls:
1. SOC is a series of standards that measure how an application service provider controls information. The Assurance Services Executive Committee (ASEC) released the Trust Services Principles and Criteria (TSP) in January 2014. TSP may be seen as another way of defining the Critical Success Factors (CSF) under which the ASP operates.
2. SOC documents are living entities subject to continual improvement, rather than a one-off paper exercise. Procedures that were good enough last year may not be good enough for next year. Security controls that were good enough last year will not be good enough for next year. Encryption methods that were good enough last year will be broken in the future.
3. Peer review is a valuable aspect of all scientific research, and service controls can benefit in the same way. Concerns will exist regarding trade secrets and the accidental disclosure of vulnerabilities before corrective measures have been deployed. Publishing all security controls would give criminals an unfair advantage.
4. SOC1 reports may be published to offer an overview of the service organisation's structure and financial stability. SOC2 documents the controls for security, availability, processing integrity, confidentiality and privacy; this report will contain trade secrets. SOC3 reports are a simplified edition of the SOC2 report that may be published to a wider audience.
5. SOC2: Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. SOC2 reports are only made available to a very restricted audience under a strict non-disclosure agreement. SOC2 reports cannot be shared with competitors or with a company operating similar application services.

1. Trust Services Principles (TSP):
1. Security: The system is protected against unauthorized access, use, or modification.
2. Availability: The system is available for operation and use as committed or agreed.
3. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
4. Confidentiality: Information designated as confidential is protected as committed or agreed.
5. Privacy: The system's collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organisation's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

2. Seven Categories:
1. Organisation and Management: The criteria relevant to how the organisation is structured and the processes the organisation has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
2. Communications: The criteria relevant to how the organisation communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system, and the obligations of those parties and users to the effective operation of the system.
3. Risk Management and Design and Implementation of Controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity's ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks, including the design and implementation of controls and other risk-mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.
4. Monitoring of Controls: The criteria relevant to how the entity monitors the system, including the suitability, design and operating effectiveness of the controls, and takes action to address deficiencies identified.
5. Logical and Physical Access Controls: The criteria relevant to how the organisation restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
6. System Operations: The criteria relevant to how the organisation manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
7. Change Management: The criteria relevant to how the organisation identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made, to meet the criteria for the principle(s) addressed in the engagement.

3. What you need to know:
1. Does the data processor need an SSAE16 external audit or is it being done because somebody asked for it?
2. SSAE audits at the low end begin at 15 thousand US dollars, which may place a high overhead on the business model.
3. Does the data processor have all the business processes defined or will investment be needed to develop documents before an audit can begin?
4. Are the controls that impact the data controller known and how will the data processor know the scope of the services to be audited?
5. Have the key stakeholders been identified and informed as to how an SSAE external audit will impact the viability of the overall trade?

4. Benefit Analysis:
1. Benefits are compared with an annual 15-day external audit costing one thousand pounds per day.
2. An SSAE16 report is mandated where an application service provider acts as a data processor for public and private companies acting as the data controller.
3. Public and private companies are more likely to trust the application service provider to process their business data.
4. Each year a valuable source of knowledge is provided by external auditors.
5. A third party reviewing controls and procedures can ensure they are functioning appropriately and advise on how they could be improved.
6. Continual improvements can be triggered from annual audit findings.

5. Reporting Examples:
1. Reporting on a detailed description of the physical characteristics of a service organisation's facilities, including square footage. Physical access to any one of the large number of production data centers is not permitted for security and privacy reasons.
2. Reporting on the controls at the service organisation relevant to the security of the application service, based on the trust services criteria. Reference to internal and external penetration testing by specialised external auditors can reduce the cost of the SSAE audit.
3. Reporting on the historical availability of computing resources and on the controls at the service organisation relevant to the availability of the application service, based on the trust services criteria for availability. Adherence to SLA requirements for availability is reported by customer and by retention duration: one month, six months and seven years.
4. Reporting on the ASP's compliance with a statement of privacy practices, in addition to reporting on controls at the ASP relevant to the privacy of the application service based on the trust services criteria for privacy.
5. Reporting on the privacy of the ASP based on regulatory requirements, and reporting on controls at the ASP relevant to the privacy of the application service based on the trust services criteria for privacy.
6. Reporting on security at the ASP based on criteria established by an industry group, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix, in addition to reporting on controls at the ASP relevant to the security of the application service based on the trust services criteria for security. The SSAE audit can become a replication of similar audits undertaken for compliance with CSA requirements.

4. SSAE (16 or 18) Scope:
1. Sponsor and single point of contact.
2. Describe the services, systems, applications and/or business processes that your organisation plans to include in the scope of the SSAE.
3. Please provide the following information regarding the infrastructure for each in-scope application: (1) Application Name, (2) Description of Application, (3) Database, (4) Operating System.
4. Are there any major outsourcing or co-sourcing relationships (including data centers, web and code developers etc.) between your organisation and third parties?
5. Does the third-party service provider have an SSAE report? This can help you determine whether to use the inclusive or carve-out method.
6. What geographic locations will the engagement fieldwork include (including any third-party locations)?
7. If control activities applicable to the SSAE audit occur at more than one location, are the controls identical or different?
8. Do you intend to engage the selected firm for a single- or multi-year engagement? A multi-year engagement may result in a reduction in fees, but using a different firm each year may lead to more improvements and more diverse feedback.
9. Which of the following services or combinations will be required: (1) Readiness Assessment, (2) SSAE 16 Type 1, (3) SSAE 16 Type 2, (4) SOC 2 Type 1, (5) SOC 2 Type 2.
10. If a SOC 2 audit is desired, which Trust Services Principles and Criteria are you interested in having examined: (1) Security, (2) Confidentiality, (3) Availability, (4) Processing Integrity, (5) Privacy.
11. For a Readiness Assessment, what is the desired review date of the assessment?
12. For a Type 1 examination, what is the desired review date of the report?
13. For a Type 2 examination, what is the desired length of the review period as: Three Months, Six Months, Twelve Months?

5. Application Service Provided:
1. Infrastructure: the physical equipment, facilities and networks deployed.
2. Software: the operating systems, applications and utilities deployed.
3. People: the people involved in the operation, use and provision of the application service.
4. Procedures: the quality management system used to manage all tasks and activities.
5. Data: the business data used and provided by the application service.

7. Infrastructure:
1. Public internet application services are provided to approved people using infrastructure located in many secure data centers.
2. Data centers replicate encrypted business data in London, Slough, Oxford, Bristol, Leeds, Manchester, Glasgow, Newcastle and Birmingham.
3. Application services are manifested by racks of web, application and database servers manufactured by IBM, Dell, HP and others.
4. Networking equipment from Cisco and others includes load-balanced firewalls and Intrusion Detection Servers.
5. Every data center is unique with its own hardware, its own network equipment, its local power supplies and UPS backup systems.
6. Hardware is recycled at least every two years with different types of application services provided by different types of hardware.   Transactional application services may operate on hardware that is less than two years old while static company web services may operate on hardware that is more than two years old.
7. Hard disk drives have been replaced with flash memory drives in the latest data centers, with a significant performance improvement. However, when an application service falls back to an older data center with rotating disks, the application service continues at its original performance.
8. In the event that any one data center is not available, other data centers continue to provide application services. Nobody has physical access to any production rack of servers in any data center. All business data is excessively encrypted in every data center to ensure that it is meaningless and worthless to any criminal.
9. Hypervisors and virtualisation are not used.

8. Software:
1. Each data center was commissioned at a different time with system software that was appropriate for the hardware at that point in time.
2. IBM and Linux operating systems are deployed, with an evolution towards open systems standards for the latest data centers.
3. Linux, Apache, MySQL, PHP (LAMP) was the original architecture; however, this is continually evolving with the advent of NoSQL and more effective database management services.
4. While some original applications may be more than ten years old, more modern applications are driven from an artificially intelligent knowledge base.
5. A mission for the next few years is to replace all legacy applications with business rules and an artificially intelligent assistant.
6. Application services are designed to never stop and cannot be stopped. Maintenance downtime has been eliminated.
7. All business data is encrypted and replicated to at least two other data centers in real time and a swarm of data centers in a few moments.   All business data is encrypted when communicated to approved people.

9. People:
1. The ASP has evolved an ITIL organisation structure to ensure that each and every role has a formal job description and nothing is overlooked.
2. The ASP has a Board of Directors and four operational divisions as: Design, Transition, Operations and Improvements.
3. The Board of Directors includes: Personnel Director, Portfolio Director, Demand Director, Finance Director, Supplier Director and Architect.
4. The Design Division includes: Catalogue Manager, Service Level Manager, Risk Manager, Capacity Manager, Availability Manager, Business Continuity Manager, Information Security Manager and Compliance Manager.
5. The Transition Division includes: Change Manager, Project Managers, Development Manager, Deployment Manager, Test and Validation Manager, Configuration Manager and Knowledge Manager.
6. The Operations Division includes: Support Manager, Incident Manager, Request Fulfilment Manager, Access Control Manager, Problem Manager, Operations Manager and Facilities Manager.
7. The Improvement Division includes: Service Evaluation Manager, Process Audit Manager and Continual Improvement Manager.

10. Procedures:
1. The ITIL organisation structure and roles define the responsibilities and procedures that are deployed.
2. Excessive Encryption is a mission to eliminate the possibility of a data breach by ensuring that all business data is stored in a way that is meaningless and worthless to anybody gaining physical access to that data.
3. Excessive Replication is a mission to eliminate the possibility of a data breach by ensuring that business data cannot be lost, corrupted or accidentally deleted - many physical copies exist in many distributed locations.
4. Continual Monitoring is a mission to eliminate the possibility of a data breach by ensuring that application services are only used as designed.   Continual monitoring identifies criminal attacks and blocks them in real-time. Incident management procedures are triggered many times each day as attacks are identified.
5. Programming has been replaced with knowledge engineering, where business rules used with an artificially intelligent assistant ensure that programming errors have been eliminated and maintenance downtime has been eliminated. Change control of knowledge is many times more resilient than could be achieved by change control of programming improvements.
6. At least three Engineers must cooperate at the same time using approved computers on approved networks to gain access to any production server for patch management.   No one Engineer has access to any part of the infrastructure. No system administration role exists.

11. Business Data:
1. Business data is encrypted using many different methods and personally identifiable information is excessively encrypted using tokenization and pseudonymisation techniques.
2. Business data is managed, processed, communicated and stored in accordance with relevant data protection regulations.
3. Business data is encrypted at the field level, at the record level and at the database level using different encryption methods and the latest database management software.
4. At least three Engineers must cooperate at the same time using approved computers on approved networks to gain access to any production server.   No one Engineer has access to any part of the infrastructure. No system administration role exists.

12. Data Controller Responsibilities:
1. A strong authentication service is deployed with multi-factor checks to identify an approved person when they sign in and to block any hacker attack. A one-time pass-phrase may be requested by an approved person's manager and given to the approved person to use within the hour. When an approved person first signs in they are assigned their permanent pass-phrase, which must be used for all subsequent sign-in authentication. If a person forgets their permanent pass-phrase, or suspects that it has been compromised, they may ask their manager to assign them a one-time pass-phrase. Each time a one-time pass-phrase is requested, the approved person's permanent pass-phrase is automatically reassigned and is only shown to the approved person when they first sign in with their one-time pass-phrase.
2. Two types of site are managed: Head Office or a named Site. Four types of role are provided: Agent or Manager, at Head Office or at a named site. A head office person may access data managed by any selected named site, while a named site person is only able to access data about their own site. A Manager is able to approve new people, disable people who have left and assign one-time pass-phrases to approved people. No "super user" role exists.
3. Approved people may use any kind of desktop, laptop, tablet or smart phone with any operating system and any modern browser that supports encrypted communications.   No application programs are downloaded, no application software is distributed and no application maintenance is required by an approved person.
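The pass-phrase lifecycle of item 1 and the site-scoped roles of item 2, modelled in Python as an added example that is not the ASP's own code: the one-time pass-phrase lives for an hour and is single use, the reassigned permanent pass-phrase is revealed only on that first sign-in and cannot be used before it, and every Manager action is checked for both role and site scope. Class and method names are hypothetical; the multi-factor checks themselves are left out.

```python
# Added example (not the ASP's own code); names hypothetical, MFA checks omitted.
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HEAD_OFFICE = "Head Office"


def _digest(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


@dataclass
class Person:
    name: str
    site: str                  # HEAD_OFFICE or a named site
    role: str                  # "Agent" or "Manager"; there is no super user
    enabled: bool = True
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    permanent_hash: bytes = b""            # only salted PBKDF2 digests are stored
    one_time_hash: bytes = b""
    one_time_expires: datetime = datetime.min
    pending_permanent: str = ""            # revealed once, on first one-time sign-in


class Directory:
    def __init__(self) -> None:
        self.people = {}

    def can_access_site(self, person: Person, site: str) -> bool:
        """Head office people may reach any named site; others only their own."""
        return person.enabled and person.site in (HEAD_OFFICE, site)

    def _require_manager(self, manager: Person, site: str) -> None:
        # Manager role AND site scope are both required; nothing bypasses either.
        if manager.role != "Manager" or not self.can_access_site(manager, site):
            raise PermissionError(f"{manager.name} may not manage people at {site}")

    def approve(self, manager: Person, person: Person, now: datetime) -> str:
        self._require_manager(manager, person.site)       # approving is a Manager duty
        self.people[person.name] = person
        return self.issue_one_time(manager, person.name, now)

    def disable(self, manager: Person, name: str) -> None:
        self._require_manager(manager, self.people[name].site)  # so is disabling leavers
        self.people[name].enabled = False

    def issue_one_time(self, manager: Person, name: str, now: datetime) -> str:
        """One-hour one-time pass-phrase; the permanent one is reassigned at once."""
        person = self.people[name]
        self._require_manager(manager, person.site)
        one_time = secrets.token_urlsafe(12)
        person.one_time_hash = _digest(one_time, person.salt)
        person.one_time_expires = now + timedelta(hours=1)
        person.pending_permanent = secrets.token_urlsafe(16)   # shown on first sign-in
        person.permanent_hash = _digest(person.pending_permanent, person.salt)
        return one_time                    # handed to the person out of band

    def sign_in(self, name: str, passphrase: str, now: datetime):
        """Return (ok, new_permanent); new_permanent is non-empty exactly once."""
        person = self.people.get(name)
        if person is None or not person.enabled:
            return False, ""
        given = _digest(passphrase, person.salt)
        if (person.one_time_hash and now < person.one_time_expires
                and hmac.compare_digest(given, person.one_time_hash)):
            person.one_time_hash = b""                   # strictly single use
            revealed, person.pending_permanent = person.pending_permanent, ""
            return True, revealed
        if (person.permanent_hash and not person.pending_permanent
                and hmac.compare_digest(given, person.permanent_hash)):
            return True, ""                              # usable once revealed
        return False, ""
```

Requesting a second one-time pass-phrase invalidates the old permanent one immediately, so a compromised pass-phrase stops working even before the person signs in again.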

20. SOC Report:
1. A SOC type 1 report is available to cover the financial stability of the application service provider.
2. A SOC type 2 report is available subject to a non-disclosure agreement for an audited duration of twelve months.   The scope is identified below and the twelve month duration report is continually audited each year into the next report.   The complex and technical nature of the SOC type 2 report is intended for use by specific named people who have an expert understanding of the information provided.
3. A SOC type 3 report is available to cover non-financial controls at a point in time.   The scope is the same as the type 2 report and is identified below.   The terminology used in this SOC type 3 report is greatly simplified to be shared with business associates who may not be experts in these technical subjects.
4. A large number of secure data centers are subcontracted to host dedicated racks of servers.   The "carve-out" method of auditing is deployed to exclude physical access to all secure data centers - those tier-4 data centers are the UK broadband backbone.

21. SOC Security:
1. The application service is protected against unauthorized physical and logical access.

22. SOC Availability:
1. The application service is available for operation and use as committed in the service level agreement.

23. SOC Processing Integrity:
1. The application service is complete, accurate, timely and authorized.

24. SOC Confidentiality:
1. Information designated as confidential is protected as committed in the confidentiality policy and legal regulations.

25. SOC Privacy:
1. Personal Information is collected, used, retained, disclosed and disposed of in conformity with the privacy policy and legal regulations.

6. Privacy Criteria:
1. Notice and communications of commitments and system requirements: covers notice of privacy practices and commitments, and of changes to them, as well as communicating the system requirements to internal people so that they can carry out their responsibilities.
2. Choice and consent: covers the choices offered to data subjects about the collection, use, retention, disclosure and disposal of their personal information. Consent must be obtained from the data subject if required, and is only obtained for the one stated purpose. The basis for determining any implicit consent is documented.
3. Collection: personal information must be collected in accordance with privacy commitments and system requirements. If explicit consent is required, that requirement must be communicated, together with the consequences of failing to provide consent for the request of personal information.
4. Use, Retention and Disposal: use and retention of personal information is limited to the purposes identified in the privacy commitments and system requirements. Disposal of personal information must be secure and consistent with those commitments and system requirements.
5. Access: data subjects, once identified and authenticated, are given the ability to review and access their stored personal information and, upon request, are provided with physical or electronic copies of that information. If access is denied to a data subject, notice and the reason for denial are provided. Data subjects are allowed to provide corrected, updated or appended information, and that information is to be communicated to the appropriate parties. If such corrections are denied, notice and the reason for denial are provided.
6. Disclosure and Notification: personal information must not be disclosed to third parties without the prior consent of the data subject. The ASP creates and retains authorised disclosure records that are complete, accurate and timely. The ASP creates and retains records of unauthorised disclosures of personal information, including data breaches, that are complete, accurate and timely. Vendors and third parties whose products or services are part of the system and have access to personal information must comply with the ASP privacy commitments and system requirements. If such vendors or third parties have an actual or suspected unauthorized disclosure of personal information, they must notify the appropriate ASP personnel and act on the event in accordance with established incident response procedures, privacy commitments and system requirements. Breaches and incidents must be reported to affected data subjects, regulators and others deemed necessary to know. The ASP must keep an accounting record of the personal information held and of its disclosure, which a data subject may request.
7. Quality: the personal information collected must be accurate, up-to-date, complete and relevant.
8. Monitoring and Enforcement: a process is deployed for receiving, addressing, resolving and communicating the resolution of inquiries, complaints and disputes from data subjects and others. Compliance with privacy commitments and system requirements should be periodically monitored. Corrections and other necessary actions related to identified deficiencies are taken in a timely manner.

Document Control:
1. Document Title: Service Organisation Controls.
2. Reference: 162803.
3. Keywords: Service Organisation Controls.
4. Description: Service Organisation Controls. This document does not provide legal or financial advice.
5. Privacy: Public information service to whom it may concern.
6. Issued: 11 Feb 2017.
7. Edition: 1.1.