The AICPA’s Common Criteria list 9 categories to evaluate the Security Trust Service Criteria. ?Briefly review the attached material on the Common Criteria and use it to perform a quick

Lecture – Unit 7 SoC & Common Criteria (AICPA)

ACCT 855

Seminar in Cybersecurity Audit and Disclosure

Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business

Last Week…

Entering SOC

What is SOC, the Service Organization Control

SOC1, SOC2, SOC3 Audit Report Packages

Type I and Type II audits

The Trust Services Criteria

Security

Confidentiality

Processing Integrity

Availability

Privacy

Security TSC and Common Criteria

The Security TSC

AICPA Trust Services Criteria define five criteria for evaluating an organization’s security controls for SOC 2 compliance

HOWEVER, While organizations may pick and choose which SOC 2 Trust Services Criteria they want to include in the scope of their audit…

Every SOC 2 report must include the Security Criteria, and the criteria used to test it are known as the Common Criteria

AICPA’s Common Criteria

BE very careful! This is the AICPA’s SoC2 TSC Security Common Criteria, it’s NOT the COMMON CRITERIA (ISO 15408) as COMMONLY recognized by the rest of the industry.

AICPA’s use of COMMON CRITERIA is still debated as it causes confusion among industry participants for certification.

DO NOT Forget the REAL Common criteria, https://en.wikipedia.org/wiki/Common_Criteria

AICPA’s Common Criteria

The SOC 2 Common Criteria list, also known as the CC-series, includes nine subcategories:

CC1 — Control environment

CC2 — Communication and Information

CC3 — Risk Assessment

CC4 — Monitoring Controls

CC5 — Control Activities

CC6 – Logical and Physical Access Controls

CC7 – System Operations

CC8 – Change Management

CC9 – Risk Mitigation

CC1 – Control Environment

Control environment: The place where controls live and breathe.

Summary of focuses:

Sets the Tone at the Top

Establish standard of conduct within organization

Establish oversight responsibilities

Establish reporting lines

Establish policies and practices

Evaluates competence

Enforce accountability through structure, authorities and responsibilities

Considers excessive pressures, rewards, or disciplines

CC2 – Communication And Information

The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

Summary of focuses:

Identifies Information Requirements

Processes Relevant Data Into Information

Communicates Internal Control Information and with the BoD

communicates with external parties

Communicates system objective and responsibilities

Communication of failure, incidents, concerns, and other matters (whistleblower hotline, etc.)

CC3 – Risk Assessment

To enable the identification and assessment of risks relating to objectives.

Summary of focuses:

Considers the context and management choice of structure, industry considerations..

Considers Tolerances for Risk

Operations and Financial Performance Goal

Considers the risks to reporting, compliance, and operation objectives

Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels

CC4 – Monitoring Activities

Selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

Summary of focuses:

Establish measuring instrument and measuring matrices

Establishes Baseline Understanding

Integrate with business process (constant monitoring and improvement)

periodic review and adjustment

assess and communicate results

monitoring of corrective actions.

CC5 – Control Activities

The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Summary of focuses:

Considers Entity-Specific Factors

Determines Relevant Business Processes

Evaluates a Mix of Control Activity Types

Evaluates a Mix of Control Activity Types

Performs in a Timely Manner

Takes Corrective Action

Performs Using Competent Personnel

Reassesses Policies and Procedures

CC6 – Logical and Physical Access Controls

The entity implements logical access security software, infrastructure, and architectures over protected information assets

Summary of focuses:

Identifies and Manages the Inventory of Information Assets

Restricts Logical and Physical Access where needed

Authenticates Users and Establishes Authorization over Information Asset

Uses Encryption to Protect Data and Protection of Encryption Keys

Removes Access to Protected Assets When Appropriate

CC7 – System Operations

Identify changes to configurations that result in the introduction of new vulnerabilities.

monitors system components and the operation of those components for anomalies

evaluates security events to determine whether they could or have resulted in a failure

responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC8 – Change Management

authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes

Focus:

Establishes procedures to initiate change

Manages Changes Throughout the System Life Cycle

Authorizes, approve, track, and documents changes

Provides for Changes Necessary in Emergency Situations

Monitoring and detection of unauthorized changes

CC9 – Risk Mitigation

Identifies, selects, and develops risk mitigation activities for risks arising from potential

Establish mitigation strategy against identified risks

Document risk mitigation decisions

Considers Mitigation of Risks of Business Disruption

Considers the Use of Insurance to Mitigate Financial Impact Risks

Assesses and manages risks associated with vendors and business partners.

SOC and the new CPA Exam

Let’s see the exam blueprint.