Ensure the right people have the right access

Employees are constantly turning over and changing roles. It is important to have a process in place to help ensure that as employees turn over or change roles, their access remains commensurate with their job responsibilities. New access requests should be approved by an appropriate level of management prior to access being granted. Access should also be removed or disabled for terminated employees in a timely manner. In addition to having a process to add and remove access, it is a good idea to perform periodic access reviews to ensure access remains appropriate over time.

Require and use strong passwords

Systems that authenticate using Microsoft Active Directory should be configured to systematically require the use of complex passwords. This can be accomplished by setting the group policy object’s password policy to require the use of complex passwords. If your application does not use Active Directory to authenticate, determine if your application can be configured to require password complexity and configure it to do so. If you are not able to systematically enforce password complexity, you should educate users on the importance of using complex passwords and changing them periodically. The following are some best practices for password requirements:

• Have a minimum of eight characters
• Contain a combination of lowercase and uppercase alphanumeric characters and symbols
• Should not contain any part of the user name that is associated with the password
• Be changed every 60 – 90 days
• Should not be the same as any of the user’s previous 10 passwords

Ensure patching and antivirus levels are up to date

It is important to ensure that applications and operating systems are up to date on patch and antivirus levels to help mitigate the risk of known security vulnerabilities. Ensure that your company has a process for periodically scanning applications, operating systems, and hardware to ensure that patching and antivirus levels are up to date. Tools such as Microsoft WSUS (Windows Server Update Services) can be used to manage the distribution of patches to computers. Tools such as McAfee’s ePolicy Orchestrator (ePO) can be used to periodically scan and update antivirus definitions. In conjunction with tools used to scan applications and infrastructure, have a process to follow up on repeated failed update attempts to ensure they are eventually applied successfully.

While these tips are by no means inclusive of all of the security precautions your company should be taking, they are a good start to helping ensure the security of your systems and infrastructure. Don’t get caught neglecting the basics.

SOC 1 Report

These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs who audit the user entities’ financial statements (user auditors) when evaluating the effect of controls at the service organization on the user entities’ financial statements.  User auditors use these reports to plan and perform audits of the user entities’ financial statements.  SOC 1 engagements are performed under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801), and the AICPA Guide Service Organization’s Applying SSAE No. 16, Reporting on Controls at a Service Organization.  In other words, if the service organization plays a role in their clients’ financials (including hosting systems, such as Oracle or SAP financials), then a SOC 1 audit report is the correct choice.

SOC 2 Report

These reports are intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems that the service organization uses to process users’ data or the confidentiality or privacy of the information processed by these systems.  Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.  These engagements are performed under AT section 101, Attest Engagements (AICPA, Professional Standards), and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.  Simply put, every service organization that does not fall into the SOC 1 criteria should obtain a SOC 2 audit report.

So what should a service or user organization do?

Service organizations are now in the unforeseen position of receiving requests for both types of reports.  Since a service organization may have clients (i.e., user organizations) that meet the criteria for both reports, it is inevitable that a service organization will have to obtain both types of reports.  For example, this is becoming a more common situation with data center companies, though it is not unique to them.  Service and user organizations should simply discuss which report is needed while understanding that the content of a SOC 1 or a SOC 2 report is often as closely related as the names of the reports themselves.

Am I using a trusted service organization?  Ask whether the service organization has undergone an SSAE 16/SOC 1 (formerly SAS 70) examination.  These third-party examinations are performed by independent auditors who examine the design and operating effectiveness of internal controls that support information security, transaction processing, reporting, service availability, and other functions at these service organizations.  Executives should ask service organizations whether they have undergone such an examination as part of their due diligence procedures.

Have I considered the value and risk to the information that I am outsourcing to the service organization?  Although a user organization can outsource certain functions to a service organization, management of the user organization cannot abdicate responsibility.  SSAE 16 reports can assist user organizations with their evaluation of the value and risk of outsourcing certain activities.  The internal controls tested as part of a SSAE 16 examination are required to be described in detail.  This report helps the user organization understand their risk profile and the anticipated value from outsourcing.

Have I considered how knowledge of the business processes would be retained should I wish to switch back from outsourcing?  Fear of losing internal knowledge when outsourcing certain activities is often dismissed when the service organization has a SSAE 16 report.  The reason is simple: the people, systems, data,  processes, and supporting controls are usually described in sufficient detail within a SSAE 16 report so to enable user organizations to switch back from outsourcing should the need arise.  Companies need not fear as internal processes can be rebuilt using the SSAE 16 report as a tool in the event they need to switch back to in-sourcing.

Do I have a detailed list of controls based on cloud security, operational, and business risks to determine how the service organization complies with them?  This is an example of one more area where a SSAE 16 report excels.  Internal controls specific to the services the service organization is providing are described in detail within the SSAE 16 report.  This is true regardless of whether the internal controls are based on security, operational, or otherwise.  This enables companies to understand the control environment at the service organization as well as the controls they themselves would be responsible for (i.e., user control considerations).

Does my service organization meet the regulatory or compliance requirements needed by my organization?  SSAE 16 reports are designed to meet the testing and reporting requirements associated with many regulations, such as the Sarbanes-Oxley Act (also known as SOX) requirements.  The reports cover internal controls related to systems that support financial reporting.  These reports are accepted and used by public companies and their auditors all over the world.

How do I audit or evaluate controls outsourced to a service organization?  Simply request the SSAE 16 report and evaluate the contents.  This is easily the most efficient and comprehensive way to perform these due diligence procedures.  User organizations should place reliance on the competence and independence of the auditing firm that has been engaged to report on the service organization’s internal controls.  Other methods of evaluation may lack in scope, depth, and be cost and time prohibitive.

User organizations should let these questions be a guide when considering cloud offerings by service organizations.

Critical Areas and Common Red Flags

The following are suggestions for reviewing audit reports from vendors:

• Accounting Firm:  The name of the accounting firm is located in section I. Check with the firm’s state licensing board to confirm they are a licensed CPA firm.  Sadly, a surprising number are non-CPA firms, which in most states, including Colorado and New York, is illegal.  Colorado and New York license verification.
• Management’s Assertion:  Now that SAS 70 has been replaced by SSAE 16, Management is required to include their written assertion in the report stating the report’s accuracy.  Already, SSAE 16 reports are turning up with this assertion missing.  If it’s missing, a conversation with the auditor is warranted.
• Location: Vendors often have multiple locations, which is to be expected in the global economy.  Make sure the report and audit testing covers the locations in which the vendor is performing services for your company.  If it is not obvious, ask the vendor to clarify.  A vendor passing off narrow scope audit reports is more common than you might think.  Vendors do it to save costs, auditors agree to obtain work, but the public suffers.
• Report Dates:  More than a few vendors try to pass off old reports as current reports. Make sure the vendor provides a current report.
• Processes, People, & Systems:  The processes as well as the people and systems that support the processes should be adequately described in the report.  Make sure there is sufficient detail so you can understand what the vendor is doing and what they are not doing.  If a key process (eg, information security) is not described in the report, ask the vendor about it.
• User Control Considerations: User control considerations are simply controls that reside at the service organization.  Most audit reports have them.  Make sure your company considers these carefully.
• Extent of Testing:  Since SAS 70/SSAE 16 are attestation engagements; auditors are required to perform audit procedures beyond inquiry (ie, asking questions) and observation.  The auditors are required to perform a significant part of the examination through inspection and where necessary, re-performance procedures.  In the results of tests—usually Section III—review the language used to describe the tests to see if it meets the criteria just described.