CISSP PRACTICE QUESTIONS – 20201216

Effective CISSP Questions

You work for a system integrator based in the US that provides consulting and maintenance services to banks issuing credit cards. Your company is subject to contractual obligations being certified by a third-party auditor to provide security assurance. Which of the following is the primary contractual compliance requirements your company shall comply with?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Service Organization Control (SOC)
C. Gramm-Leach-Bliley Act (GLBA)
D. General Data Protection Regulation (GDPR)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Service Organization Control (SOC).

Your company is the system integrator that provides consulting and maintenance services to banks. It is the service provider to the banks, not a bank itself. The AICPA describes SOC for Service Organizations as “Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service,” so banks may include clauses in the contract that require your company to present SOC reports.

Service Organization Control (SOC)

SOC

Any service organization (your company) that provides services to user entities (banks) can pursue SOC examinations to provide security assurance. SOC examinations are common in the settings of outsourcing or supply chains.

In April of 2017, the American Institute of CPAs revised the meaning of SOC from “Service Organization Controls” to “System and Organization Controls.”

System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. Learn more about the SOC suite of services, below:

SOC for Service Organizations
Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service
SOC 1® — SOC for Service Organizations: ICFR
SOC 2® — SOC for Service Organizations: Trust Services Criteria
SOC 3® — SOC for Service Organizations: Trust Services Criteria for General Use Report

SOC for Cybersecurity
A reporting framework through which organizations can communicate relevant useful information about the effectiveness of their cybersecurity risk management program and CPAs can report on such information to meet the cybersecurity information needs of a broad range of stakeholders

SOC for Supply Chain
An internal controls report on an entity’s system and controls for producing, manufacturing or distributing goods to better understand the cybersecurity risks in their supply chains.

Source: AICPA

Examination vs Audit

Q. How do agreed-upon procedures and examination engagements differ from audit engagements?
A. The principal difference between an audit engagement, and an agreed-upon procedures or examination engagement is the type of standards under which the engagements are performed. Audits are performed under auditing standards promulgated by the AICPA; agreed-upon procedures and examination engagements are performed under attestation standards promulgated by the AICPA.

Source: Louisiana Governmental Audit Guide

A SOC 2 examination produces an attestation report. “Attestation” means “management asserts that controls are in place to meet the SOC 2 criteria, and a CPA firm conducts an examination and provides a report with an opinion on whether or not they agree with management’s assertion. A CPA firm attests that controls are in place and either designed effectively (Type I SOC 2), or designed effectively and operated effectively over a period of time (Type II SOC 2).” (Inford)

TSP as Compliance Requirements

Compliance: fulfilment of specified requirements. (ISO 2394:2015)

A set of evaluation criteria is used in a SOC 2 examination, called “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” aka Trust Service Principles (TSP), and documented in TSP Section 100. Service organizations need to evaluate existing controls and policies to ensure their practices align with TSP criteria when conducting a SOC 2 examination.

PCI-DSS

Banks issuing credit cards are obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS).

  • Issuing banks are banks that issue credit cards to consumers. Acquiring banks hold merchants’ bank accounts.
  • Visa, Mastercard, Discover, and American Express developed the PCI DSS in 2004. In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was founded to develop and manage security in the payment card industry and to promote the PCI DSS (data security standards).

GLBA and GDPR

Banks based in the US must comply with the Gramm-Leach-Bliley Act (GLBA), and banks that hold the personal data of EU citizens are subject to GDPR. However, this question asks about “contractual compliance requirements” and does not say whether your company processes the personal data of data subjects who are in the EU, which is what would qualify it as a GDPR processor. So your company is not subject to GLBA or GDPR.

GDPR applies to any organization operating within the EU, as well as those located outside of the EU which offer goods or services to customers or businesses in the EU.

Source: SUMAN BHATTACHARYYA

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You work for a system integrator based in the US that provides consulting and maintenance services to banks issuing credit cards. Your customers require your company to fulfil a contractual obligation of being certified by a third-party auditor to provide security assurance. Which of the following compliance requirements should your company primarily comply with?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Service Organization Control (SOC)
C. Gramm-Leach-Bliley Act (GLBA)
D. General Data Protection Regulation (GDPR)

2 thoughts on “CISSP PRACTICE QUESTIONS – 20201216”

  1. The Secure framework is a spreadsheet…Let’s start with the definition of framework (that applies here, as opposed to creating an actual building); a basic structure underlying a system, concept, or text. So, a framework is a structure, a schema, method of organization and configuration to accomplish something. When dealing with compliance frameworks, that structure and schema focus on the aggregation of compliance rules, first and foremost. Once identification and harmonization are complete, those requirements need a structure for integration into the organization’s processes as well. Therefore, we can define compliance frameworks as such:
    A compliance framework is a structured set of guidelines to aggregate and harmonize, then integrate, all compliance requirements applicable to an organization.
    In other words, a compliance framework is a methodology for compiling multiple authority documents into a cohesive whole.
    • It provides a structure for identifying Mandates within Citations.
    • It provides a structure and methodology for harmonization.
    • It provides the structure and proof to support the veracity of the identification and harmonization.
    These are the defining requirements for a compliance framework.
    How well does a framework-as-spreadsheet hold up to this scrutiny?
    Not very well.
    How well does a framework-as-spreadsheet hold up to these requirements? First, let’s go back to a term we’ve used above, non satis probandi, an ancient Latin term for “not enough proof.” You may be more familiar with onus probandi, the burden of proof.
    You may want to check to make sure your framework has proof, such as:
    1a. Provide a structure for identifying source documents.
    1b. Provide a structure for identifying Citations within those documents.
    1c. Provide a structure for identifying Mandates within Citations.
    1d. Provide a structure for linking a Mandate’s predicates and subjects to their situational definitions.
    2. Provide a structure for measuring correlation between Mandates or a reference control.
    3a. Provide the necessary data structures such as JSON-LD for encoding the tagging, dictionary linking, harmonization, and audit trails for change management that are machine readable.
    3b. Embed data structures and subsequent data into the identification and harmonization of each record.

    • The SCF does not provide a structure for identifying Mandates within Citations, a structure and methodology for harmonization, or structure and proof to support the veracity of the identification and harmonization. If you investigate further, you will find this. Unless it is called the Unified Compliance Framework, a patented process that ONLY UCF has, the others do not.
