The AICPA's Common Criteria list nine categories used to evaluate the Security Trust Services Criteria. Briefly review the attached material on the Common Criteria and use it to perform a quick evaluation of the security breach you have chosen for your research.
Research topic:
The corporate security breach chosen for analysis is the State of California Department of Justice (DOJ) data breach incident (State of California Department of Justice, 2019).
Lecture – Unit 7 SoC & Common Criteria (AICPA)
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP | (415)644-TIEN | San Francisco State University, Lam Family College of Business
Last Week…
Entering SOC
What is SOC, the Service Organization Control
SOC1, SOC2, SOC3 Audit Report Packages
Type I and Type II audits
The Trust Services Criteria
Security
Confidentiality
Processing Integrity
Availability
Privacy
Security TSC and Common Criteria
The Security TSC
The AICPA Trust Services Criteria define five criteria for evaluating an organization’s controls for SOC 2 compliance.
HOWEVER, while organizations may pick and choose which SOC 2 Trust Services Criteria they want to include in the scope of their audit…
Every SOC 2 report must include the Security criteria, and the criteria used to test it are known as the Common Criteria.
AICPA’s Common Criteria
BE very careful! This is the AICPA’s SOC 2 TSC Security Common Criteria; it is NOT the COMMON CRITERIA (ISO/IEC 15408) as COMMONLY recognized by the rest of the industry.
AICPA’s use of COMMON CRITERIA is still debated as it causes confusion among industry participants for certification.
DO NOT Forget the REAL Common criteria, https://en.wikipedia.org/wiki/Common_Criteria
AICPA’s Common Criteria
The SOC 2 Common Criteria list, also known as the CC-series, includes nine subcategories:
CC1 – Control Environment
CC2 – Communication and Information
CC3 – Risk Assessment
CC4 – Monitoring Activities
CC5 – Control Activities
CC6 – Logical and Physical Access Controls
CC7 – System Operations
CC8 – Change Management
CC9 – Risk Mitigation
CC1 – Control Environment
Control environment: The place where controls live and breathe.
Summary of focuses:
Sets the Tone at the Top
Establishes Standards of Conduct within the Organization
Establishes Oversight Responsibilities
Establishes Reporting Lines
Establishes Policies and Practices
Evaluates Competence
Enforces Accountability through Structure, Authorities, and Responsibilities
Considers Excessive Pressures, Rewards, or Disciplines
CC2 – Communication And Information
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
Summary of focuses:
Identifies Information Requirements
Processes Relevant Data Into Information
Communicates Internal Control Information internally and with the Board of Directors (BoD)
Communicates with External Parties
Communicates System Objectives and Responsibilities
Communicates Failures, Incidents, Concerns, and Other Matters (whistleblower hotline, etc.)
CC3 – Risk Assessment
To enable the identification and assessment of risks relating to objectives.
Summary of focuses:
Considers the Context and Management’s Choice of Structure, and Industry Considerations
Considers Tolerances for Risk
Considers Operations and Financial Performance Goals
Considers the risks to reporting, compliance, and operation objectives
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
CC4 – Monitoring Activities
Selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Summary of focuses:
Establishes Measurement Instruments and Metrics
Establishes Baseline Understanding
Integrates with Business Processes (constant monitoring and improvement)
Periodically Reviews and Adjusts
Assesses and Communicates Results
Monitors Corrective Actions
CC5 – Control Activities
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Summary of focuses:
Considers Entity-Specific Factors
Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Performs in a Timely Manner
Takes Corrective Action
Performs Using Competent Personnel
Reassesses Policies and Procedures
CC6 – Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures over protected information assets.
Summary of focuses:
Identifies and Manages the Inventory of Information Assets
Restricts Logical and Physical Access where needed
Authenticates Users and Establishes Authorization over Information Asset
Uses Encryption to Protect Data and Protects Encryption Keys
Removes Access to Protected Assets When Appropriate
CC7 – System Operations
Summary of focuses:
Identifies Changes to Configurations That Result in the Introduction of New Vulnerabilities
Monitors System Components and the Operation of Those Components for Anomalies
Evaluates Security Events to Determine Whether They Could Result, or Have Resulted, in a Failure
Responds to Identified Security Incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate
CC8 – Change Management
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes.
Summary of focuses:
Establishes Procedures to Initiate Changes
Manages Changes Throughout the System Life Cycle
Authorizes, Approves, Tracks, and Documents Changes
Provides for Changes Necessary in Emergency Situations
Monitors for and Detects Unauthorized Changes
CC9 – Risk Mitigation
Identifies, selects, and develops risk mitigation activities for risks arising from potential
Establishes Mitigation Strategies against Identified Risks
Documents Risk Mitigation Decisions
Considers Mitigation of Risks of Business Disruption
Considers the Use of Insurance to Mitigate Financial Impact Risks
Assesses and Manages Risks Associated with Vendors and Business Partners
SOC and the new CPA Exam
Let’s see the exam blueprint.