Cloud Computing & Hosted PBX News – Dallas, TX

Foolproofing Service Standards

In May 2011, the American Institute of Certified Public Accountants (AICPA) issued a new set of guidelines known as the Service Organisation Controls 2 (SOC-2) report, which outlines criteria for the security, availability, processing integrity, privacy and confidentiality of a service organisation’s systems and processes. Organisations that outsource functions not relevant to financial statements can request an SOC-2 report to assure themselves that the requisite controls are in place.

The report is similar to the older SAS 70 (now SOC-1). Under SOC-2, a Type 1 report covers only the design of controls, while a Type 2 covers design and operating effectiveness. To illustrate, a service organisation providing data centre facilities would like to assure customers that it has appropriate and effective security measures, controls and oversight to protect client information. To achieve this, it will appoint an independent auditor to evaluate the security controls and produce an SOC-2 report.

The auditor will undertake testing in line with AICPA criteria. An organisation providing data centre facilities should comply with as many as 25 security principles. For each criterion, the data centre management defines a set of control objectives and activities, which are tested by the independent auditor. At the end of the exercise, an SOC-2 report is provided to the company management.

This assurance report provides an independent opinion on the principles covered, and can be distributed to existing and prospective customers, and other interested parties.

Benefits

For a service organisation management, the report

Reduces the number of customer audits;

Promotes effective monitoring of IT governance and risk;

Provides assurance on internal controls;

Identifies process improvements through insights on practices in other industries;

Addresses contractual obligations for such reviews;

Helps map the controls to specific standards and regulations such as HIPAA (Health Insurance Portability and Accountability Act), CSA (Cloud Security Alliance) and so on.

For customers, the report

Provides a common benchmark for comparison of controls across service providers;

Helps in understanding the service organisation’s control framework;

Provides assurance about effectiveness of data security and privacy measures.

For customers’ auditors, the report

Provides a detailed description of testing undertaken;

Indicates details of findings, along with the percentage of failures;

Makes available the management response for verification;

Identifies controls that need to be tested independently by the auditor.

An SOC-2 report provides the flexibility to incorporate objective rationale — for example, around Service Level Agreements, National Institute of Standards and Technology frameworks, and adherence to industry-specific standards.

Controls mandated by HIPAA can be mapped to various principles of SOC-2. With one exercise, organisations can obtain assurance with respect to both SOC-2 criteria and HIPAA.

These reports are particularly useful to organisations providing cloud computing services, data centre operations, healthcare services and so on. For instance, a cloud computing company can map the SOC-2 report to the CSA standard.

Similarly, for BPO operations these reports will throw light on the non-financial controls, which would be of importance to customers.

Author: Deepa Seshadri

Brian