Integrity Blog

Which SOC Reporting method should I use to handle subservice organization controls?

This article is written for service organizations that are going through or are considering a SOC report. The purpose of this text is to help explain how to handle controls of subservice organizations (1 A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting.). There are two methods for handling subservice organizations’ controls: Inclusive and Carve-Out.

Inclusive Method

The inclusive method is when the subservice organization’s controls and functions are included in the service organization’s description of the system. These controls and functions will be included in the scope of the report and therefore tested just as the service organization’s controls are tested. A written assertion from management must be signed by the subservice organization to state the accuracy of the controls as they pertain to the subservice organization’s services. The subservice organization must also be involved in the fieldwork, which makes communications and the ability to work together very important.

Carve-Out Method

The carve-out method allows an organization to “carve-out” or exclude the controls of the subservice organization from the scope of the engagement and report. However, it is the service organization’s responsibility to have controls in place to monitor the subservice organization to ensure their controls are functioning as intended. The monitoring of these controls will be included in the SOC examination and description of services.

Which SOC Reporting Controls Method Should Be Used?

When determining the best method for your organization, start by checking if the subservice organization has a type 1 or type 2 report that covers the outsourced services. The key here is to make sure the exact services you are using are covered in the SOC report. Organizations often have different SOC reports for various aspects of their business. If the subservice organization has a SOC report that covers the correct services, use the carve-out method.

If the organization does not have a SOC report that covers the services your organization utilizes you will most likely want to use the inclusive method. As stated above, communication and cooperation with this subservice organization will be critical in a successful audit. They have to be willing to have their control environment tested as well as provide a written assertion from management. Most organizations are willing to do this as they don’t want to lose your business. If they aren’t cooperative and don’t have or plan to implement acceptable security controls, it may be time to consider a new subservice provider.

Although the inclusive method is the preferred method for subservice organizations without a SOC report, the carve-out method can be used in this scenario as well. However, the controls covered by the subservice organization would then have to be excluded from the report and as a result your organization would not have a complete report to provide to customers. The gaps in the report may reduce the value of your SOC report and customers may raise questions regarding the completeness.

In summary, if you can use the carve-out method, use it. It will save time, money and the hassle of including another organization into the conversations. If you have any uncertainty about which method is best for your organization, please contact us.

1 http://www.google.com"}https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf
Top Tips for Developing Effective Security Awareness and Training Programs

A common saying is that an organization’s employees are the weakest link in information security. While there is some truth to that statement, employees should be viewed as part of the solution, not the problem. Information security awareness and training activities can provide some of the best return on investment. If implemented properly, the organization’s leadership will see fewer instances of employees falling prey to cyber threats and tactics, such as social engineering, and greater reporting of suspected attempts to compromise the organization’s critical assets. To implement and maintain an effective information security awareness and training program, several “best practices” and building blocks should be used.

Top Cybersecurity Tips

Leadership

Senior leadership involvement in awareness and training activities is a critical aspect of any awareness and training program. Leadership involvement sets the tone for the program and supports the message that information security is vital to the business’ goals and objectives.

Resources

Awareness and training activities can be conducted without a large outlay of monetary resources, yet those activities can have a significant positive impact in the organization’s overall defense-in-depth strategy. In addition, awareness and training activities do not need to take up a large amount of employees’ or trainers’ time.

Learning

Depending on the size of the organization, there may be up to five generations of learners, and each generation, in general, learns differently. Within the learning model, activities for employees generally fall into the awareness and training categories. To enhance retention of the information provided, consider activities that take into account the various generations of learners. Gaming and challenges are popular across all generations, so consider adding them into the mix.

Strategy

To have the most effectiveness, a long-term strategy should be developed to provide leadership’s vision of the culture it hopes to instill. To support the strategy, a 2-year plan detailing quarterly information security themes and topics should be developed. Activities can then be based on these themes and topics.

Analytics

To ensure there is a proper balance of activities and information, metrics can be useful. First, to understand the organization’s current culture, a “baseline” should be developed. From this baseline, other metrics collection and analysis methods can be used to gauge whether the organization’s security culture is shifting in the direction envisioned in the strategy.

Persistence

Information security training conducted one time per year is simply not enough. Awareness and training activities should be spread across the year to provide greater persistence. Cyber threats are constantly changing, and the awareness and training program must be agile enough to provide information regarding the latest threats.

Timeliness

Information provided to employees should reflect the latest news about best security practices, cyber threats, and company information security policies and standards. Information provided to employees in a timely manner may mean the difference between avoiding a data breach or falling prey to an attack that causes significant damage to the business.

Relevance

Awareness and training activities should include not only information relevant to work and the business, but information that applies to employees at home and on travel. As organizations see more business conducted on personal devices, as well as the impact of cybercrime on employees in home and travel settings, the awareness and training program should provide information pertinent to these situations.

Feedback

One of the best “bang for the buck” training activities is sending your organization’s employees phishing emails, simulating social engineering tactics that are used in a large portion of successful attacks against individuals and organizations. This type of activity can take advantage of “the teachable moment.” If an employee clicks on the fake link or opens the attachment, the employee is taken to a landing page for immediate feedback and additional information. Feedback that is immediate is proven to be much more effective than feedback that is delayed.

Incentives

Employees like incentives. Consider adding them to your awareness and training program. For example, if an end user avoids clicking on a phishing email link, or answers all questions right on an information security quiz, a positive reinforcement may be to provide that employee with a reserved parking spot for a period of time, granting a few extra hours off, or praise that employee in a newsletter.

.

.

.

You can get the printable version of this article here.

Top Tips for Developing Effective Security Awareness and Training Programs
White Paper: Top Tips for Developing Effective Security Awareness and Training Programs

This paper delivers proven tips for developing an effective security awareness and training program.

White Paper

An IT Manager's Guide to a Successful Audit - PART 5 - Summary Tips for a Successful IT Audit
An IT Manager's Guide to a Successful Audit [ PART 5 of 5 ]

Summary Tips for a Successful IT Audit

There are some things that are sure to sink an audit engagement. They are easy to avoid; however, I see people fall into these traps all too frequently. Simply knowing what some of these are should enable you to identify them and hopefully avoid them.

  • Communication. I probably don’t need to spend much time describing what this does to a relationship. For this engagement to be a partnership you need to communicate effectively with your audit team. This means regular meaningful communication. It also needs to be a two way street. If you feel a staff auditor isn’t forthcoming with information, escalate to the team lead or audit manager. Explain how you view this as an opportunity to partner with them and want more from the engagement. I’ve never known a manager, audit or otherwise, to turn down this type of offer.
  • Don’t get a defensive attitude. The auditors are simply doing their job to assess the controls of your environment. Nothing they do or say should be taken out of context and assumed to be an attack on you or your team. They are about the most objective group of individuals you’ll ever meet. Every profession has “that guy”. The one who lives to make life miserable for everyone around them. You might even know one in your line of work. If “that guy” happens to be your auditor, take the high road. Nothing good will come out of doing battle on a matter of principle. Do your best to work with auditors as professionals and your engagements will run amazingly smooth. Cop an attitude and you’re in for a wild ride.
  • Be willing to complete the simple tasks. While most technology professionals loathe creating documentation it is one of the easier tasks. Auditors will key on this every time. Spend the time and document your process. Not only does this make for a more successful audit, it helps with disaster recovery planning, cross-training, and reducing support costs.
  • Talk with your auditor about their expectations and explain yours to them. It may be unrealistic for you to expect to have no gaps or deficiencies. Working with your audit team to communicate and document expectations will reduce the chance that one or both parties are completely surprised during the reporting phase.
  • The more active a management team is in the audit the better chance for a satisfactory rating. I’m not advocating that a manger be the point of contact or run the audit engagement. They do however need to attend the kick off meetings, negotiate scope and time lines, provide input during fieldwork and influence the final report. If your team sees you interacting with auditors, they will take their cue from you. Hide and they’ll hide, build partnerships and they’ll build partnerships.
  • Having a single point of contact works best for both teams. The auditors don’t waste time tracking down the individuals responsible for a certain function or for documentation. Your team isn’t constantly interrupted to provide testing evidence or documentation. The point of contact becomes the mediator. They can help narrow scope, revise testing scenarios and work with the auditor to streamline the request before it gets to your operational teams. Having a good point person working with auditors is invaluable. If you are in a highly regulated environment, such as banking or healthcare, having a person dedicated to working with auditors, tracking remediation plans, or writing management responses is a necessity for most mid-sized or larger organizations.
  • Negotiate a win-win situation with the audit manager upfront. Find out what they want to accomplish through the audit and tell them your objectives. Find some common ground and work to build a scenario which gives you both the best opportunity to succeed. Failure to do this step is only going to hurt you. The audit is going to happen with or without your input. You might as well make the best of it and find a way to turn this into a positive experience.
  • Preparing for an upcoming audit is essential. Start building audit prep into your daily routine. Make sure documentation is part of the build process. Tie operational processes to policy or control statements. The more work you do to prepare for an audit the less you’ll have to do during the audit. I’m usually more successful and comfortable performing tasks according to self-imposed deadlines than to seemingly arbitrary deadlines imposed by others.
  • Self-audits are a great way to prepare for an audit. If you’ve gone through an audit you can use the same testing scenarios from the last cycle. This can be used as a dress rehearsal for your next audit. Your team will be better prepared and equipped to respond during the actual audit. You also get a sneak peek into what’s happening in your organization.
    One of the things I always hated was finding out from an auditor that my team had decided at some point to not follow documented procedures without telling me. Sometimes they just changed the procedures to meet operational goals and in most cases the changes were warranted. However, if they aren’t documented, you’re going to be cited for this. Being able to identify gaps earlier and address them behind closed doors is one of the greatest values of the self-audit. If you do this frequently enough and your audit cycles are long enough the discrepancy might not even be found by an auditor based on their look back period.
    Having gone through the self-audit will give your team the confidence they need to interface with the auditors and build a solid relationship with them. Hopefully this will help bridge any communication gaps and reduce confusion during the audit.

There is no way to ensure you’re going to come out of an audit unscathed. You can however minimize any potential negative impacts by being an active participant. The worst possible thing you can do is to let what happens, happen. This is a naïve and dangerous approach. By building relationships, engaging in the entire process, communicating and negotiating with the audit team, you stand a very good chance of improving the rating you would have received otherwise and are at least somewhat in control of your destiny.

.

.

.

Download the entire guide by visiting the following link.

IT Manager's Guide to a Successful IT Audit
White Paper: An IT Manager's Guide to a Successful Audit

This white paper provides an overview of the audit process and how IT management can insert themselves into this process to benefit from the exercise.

Download White Paper

Get our blog posts delivered to your inbox: