CISSP PRACTICE QUESTIONS – 20191218

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. An in-house software development team has gone through analysis, design, development, and testing. Shortly after the E-Commerce system goes into operation, it suffers SQL injection attacks and a data breach. As a security professional, which of the following is the best strategy for conducting threat modeling to mitigate risks?
A. In the initial design stage
B. In the testing stage
C. As late as in the operations stage
D. All of the above


Service Organization Control Resources


Audit and Attest

An obvious difference for the service auditor is the change from audit to attest. AICPA states that audit services are reserved for financial audit, and thus, what the service auditor does is attest. As such, the new standard was issued as an SSAE, applied under AT 101. Attest services are very definitive; management identifies specific procedures and the auditor then performs exactly those procedures (agreed-upon procedures [AUPs]). This approach fits the evaluation of controls for an SO (Service Organization).

A new requirement, among others, is that management must provide a written assertion about the fairness of the presentation of the description of the system and the suitability of the design (type I) and effectiveness (type II) of the controls. The written assertion is part of the final report by the service auditor.

Source: Understanding the New SOC Reports

SSAE No. 18

  • Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.
  • User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity’s internal control over financial reporting.
  • Service organization’s assertion. A written assertion about the matters referred to in part (b) of the definition of management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of the definition of management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.
  • Type 1 report. See management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.
  • Type 2 report. See management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls.
  • Test of controls. A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.
  • Service organization’s system. The policies and procedures designed, implemented, and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Management’s description of the service organization’s system identifies:
    • the services covered,
    • the period to which the description relates (or in the case of a type 1 report, the date to which the description relates),
    • the control objectives specified by management or an outside party,
    • the party specifying the control objectives (if not specified by management), and
    • the related controls. (Ref: par. .A8)
  • Controls at a service organization. The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report. (Ref: par. .A7)
  • Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.

CISSP PRACTICE QUESTIONS – 20191217

Effective CISSP Questions

Alice encrypted a document using AES with an encryption key that is a combination of her birthday and phone number. She has sent the document to Bob through e-mail and is considering how to deliver the key securely. Which of the following is the least feasible?
A. Print the key out and send it through a courier
B. Text the key using WhatsApp
C. Mail him a one-time password token to generate the key
D. Send the key encrypted by Bob’s public key through email
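The following is an added example, not code from the original post, showing what option D looks like in practice: the document is encrypted under a fresh AES-256-GCM content key, that key is wrapped with Bob's RSA public key using OAEP, and Bob alone can unwrap it and decrypt. The OAEP label text, the sample document, and the bystander key named Mallory are constructed assumptions for this example. The example also applies the caveat the scenario invites: a key assembled from a birthday and a phone number has far too little entropy to resist guessing, so the content key here is 256 random bits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; both sides must use the same
// value. The label text is an assumption made for this example.
var oaepLabel = []byte("aes-256-gcm-document-key")

// Envelope is the message Alice e-mails to Bob.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key under RSA-OAEP(SHA-256) with Bob's public key
	Nonce      []byte // 12-byte GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Alice's side: a random 256-bit content key (not a birthday plus a phone
// number), the document under AES-GCM, and the key wrapped so only Bob can unwrap it.
func Seal(bobPub *rsa.PublicKey, document []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, document, nil)}, nil
}

// Open is Bob's side: unwrap with his private key, then decrypt and authenticate.
// A wrong private key or any change to the ciphertext yields an error, not garbage.
func Open(bobPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, bobPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("document failed authentication: %w", err)
	}
	return plaintext, nil
}

// RoundTrip runs the exchange with fresh keys for Bob and a bystander (Mallory) and
// reports whether Bob recovered the document, whether a bit-flipped ciphertext was
// rejected, and whether Mallory's private key failed to unwrap the content key.
func RoundTrip(document []byte) (recovered, tamperRejected, wrongKeyRejected bool, err error) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	env, err := Seal(&bob.PublicKey, document)
	if err != nil {
		return
	}
	got, err := Open(bob, env)
	if err != nil {
		return
	}
	recovered = string(got) == string(document)
	tampered := &Envelope{WrappedKey: env.WrappedKey, Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // flip one bit in transit; the GCM tag must catch it
	_, tErr := Open(bob, tampered)
	tamperRejected = tErr != nil
	_, mErr := Open(mallory, env) // Mallory's key cannot unwrap a key wrapped for Bob
	wrongKeyRejected = mErr != nil
	return
}

func main() {
	// Constructed sample document, not real data.
	ok, tamper, wrongKey, err := RoundTrip([]byte("constructed sample: toy price list 2020Q1"))
	fmt.Println("recovered:", ok, "tamper rejected:", tamper, "wrong key rejected:", wrongKey, "err:", err)
}
```

Run it with `go run`. E-mail itself offers neither confidentiality nor integrity, which is why both the wrapped key and the ciphertext carry their own protection: OAEP keeps the key readable only by Bob, and the GCM tag turns any modification of the ciphertext into a decryption failure rather than a silently corrupted document.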


CISSP PRACTICE QUESTIONS – 20191216

Effective CISSP Questions

Which of the following statements best describes “confidentiality?”
A. How the system protects data from unauthorized access
B. Access to the system by authorized personnel
C. How the system prevents the disclosure of information
D. Process of determining the identity of a user

PS. These answer options are excerpts from the ISC2 online course, Assessing Application Security.


The Definition of Threat

Wentz’s Risk Model

Based on ISO 31000 (risk is the “effect of uncertainty on objectives”), the NIST Generic Risk Model, and the risk metalanguage proposed by Dr. David Hillson, I define a threat as follows:

A threat is a risk with a negative effect as a threat source may initiate a threat event to exploit vulnerabilities and cause an adverse impact on the security objectives if it happens.

CISSP PRACTICE QUESTIONS – 20191214

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. An in-house software development team is in charge of developing a web-based E-Commerce system that supports the new business. You are assigned as the project manager of the software development project. Which of the following artifacts is the source of authority for your assignment?
A. Master project management plan
B. Project charter
C. Software development policy
D. Business case


SPML, SAML, XACML, and SSO

SPML, SAML, and XACML

  • SPML helps streamline the provisioning process.
  • SAML facilitates federated identity and single sign-on. (The sequence diagram is highly simplified; HTTP methods and redirects are not depicted. Please refer to the SAML specification for details.)
  • XACML enables attribute-based access control.

These three XML-based standards are published by OASIS. They are a good fit for integrating solutions across vendors or building an extranet.
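To make the XACML bullet concrete, the following is an added example, not code from the original post or from OASIS: a minimal attribute-based access control evaluator in Go that borrows XACML's structure (a request split into subject, resource, action and environment categories; rules with a target and an effect; the deny-overrides rule-combining algorithm; and a separate enforcement point that fails closed). The extranet policy, the attribute names, and the toy-store scenario are constructed assumptions; a real deployment would write the policy in XACML's XML and evaluate it with a conformant PDP.

```go
package main

import "fmt"

// Decision mirrors XACML's decision values (Indeterminate omitted: nothing here errors).
type Decision int

const (
	NotApplicable Decision = iota
	Permit
	Deny
)

func (d Decision) String() string { return [...]string{"NotApplicable", "Permit", "Deny"}[d] }

// Attributes is one XACML attribute category; Request maps a category name
// ("subject", "resource", "action", "environment") to its attributes.
type Attributes map[string]string
type Request map[string]Attributes

// Match is one equality test in a rule's Target; a Rule applies only when every Match holds.
type Match struct{ Category, Attribute, Value string }

type Rule struct {
	ID     string
	Target []Match
	Effect Decision // Permit or Deny
}

type Policy struct {
	ID    string
	Rules []Rule
}

func (rl Rule) applies(req Request) bool {
	for _, m := range rl.Target {
		if v, ok := req[m.Category][m.Attribute]; !ok || v != m.Value {
			return false
		}
	}
	return true
}

// Evaluate is the Policy Decision Point with the deny-overrides combining algorithm:
// one applicable Deny beats any number of Permits; no applicable rule gives NotApplicable.
func (p Policy) Evaluate(req Request) Decision {
	result := NotApplicable
	for _, rl := range p.Rules {
		if !rl.applies(req) {
			continue
		}
		if rl.Effect == Deny {
			return Deny
		}
		result = Permit
	}
	return result
}

// Enforce is the Policy Enforcement Point: fail closed, only an explicit Permit grants access.
func Enforce(p Policy, req Request) bool { return p.Evaluate(req) == Permit }

// ExtranetPolicy is a constructed policy for a toy store's partner extranet:
// partners read the catalog, employees read and write it, nobody writes after hours.
func ExtranetPolicy() Policy {
	return Policy{ID: "toy-store-extranet", Rules: []Rule{
		{ID: "partner-read-catalog", Effect: Permit, Target: []Match{
			{"subject", "role", "partner"}, {"resource", "type", "catalog"}, {"action", "id", "read"}}},
		{ID: "employee-catalog", Effect: Permit, Target: []Match{
			{"subject", "role", "employee"}, {"resource", "type", "catalog"}}},
		{ID: "no-writes-after-hours", Effect: Deny, Target: []Match{
			{"action", "id", "write"}, {"environment", "office-hours", "false"}}},
	}}
}

// NewRequest builds the four-category request this policy inspects.
func NewRequest(role, resourceType, action string, officeHours bool) Request {
	return Request{
		"subject":     {"role": role},
		"resource":    {"type": resourceType},
		"action":      {"id": action},
		"environment": {"office-hours": fmt.Sprint(officeHours)},
	}
}

func main() {
	p := ExtranetPolicy()
	for _, req := range []Request{
		NewRequest("partner", "catalog", "read", true),
		NewRequest("partner", "catalog", "write", true), // no rule matches: NotApplicable, denied by the PEP
		NewRequest("employee", "catalog", "write", true),
		NewRequest("employee", "catalog", "write", false), // Permit and Deny both apply: Deny wins
	} {
		fmt.Printf("%-8s %-5s %-7s office-hours=%-5s -> %-13v allowed=%v\n", req["subject"]["role"],
			req["action"]["id"], req["resource"]["type"], req["environment"]["office-hours"], p.Evaluate(req), Enforce(p, req))
	}
}
```

The two decisions worth noticing are the ones XACML makes explicit and ad hoc authorization code usually gets wrong: a request that matches no rule is NotApplicable rather than Permit, so the enforcement point must refuse it, and a request that matches both a Permit and a Deny rule resolves by the combining algorithm, not by rule order.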

Figures: SPML, SAML, Single Sign-On, Sample XACML Implementation