.png?width=679&height=250&name=P3%20Audit%20New%20Logo%20(No%20Tag1).png "P3 Audit New Logo (No Tag1)")
Service Organization Control (SOC) 2 is a standard that is designed to provide assurance that an organization's systems are set up to cover the security, availability, processing integrity, confidentiality, and privacy of customer data.
These five core subject areas are commonly known as Trust Service Principles. The purpose of a SOC 2 (also referred to as a Type 2 report) is for an organisation to detail the operational effectiveness of their systems based on the five principles. To achieve compliance against a SOC 2 assessment, organisations must develop a clear documentation framework, built around security policies, security procedures and supporting documentation.
The five principles are further defined to account for criteria common to all five of the trust service categories (common criteria) and additional specific criteria for the availability, processing integrity, confidentiality and privacy categories. Clear objectives of each principle are set out within the Trust Services Criteria and provide an organisation with clear expectations to look for when validating or verifying security controls.
BBBEE policies are set out in the BBBEE Act (No. 53 of 2003) and reinforced by the Codes of Good Practice (last revised in 2015). Under this legislation, it is not compulsory for a business to obtain a BBBEE certificate – it is an entirely voluntary process. However, a certificate brings with it a lot of benefits – particularly for Qualifying Small Enterprises (QSEs). A QSE is a company that has an annual turnover of between R10 million and R50 million.
One of the biggest benefits of having a BBBEE certificate is being able to conduct business with government sectors (including municipalities) and public entities. A certificate allows a company to tender – and the higher the level of your certificate, the better your chances of winning. There are eight levels of BBBEE compliance, with Level 1 being the highest and most desirable.
Other advantages of having a BBBEE certificate include having a better chance of securing contracts with large companies and big industry names, because they are encouraged to do business with smaller BBBEE-compliant companies. A certificate allows you to participate as a supplier in the lucrative chain of preferential procurement.
A further benefit of having a BBBEE certificate is the impression it gives. A certificate shows that you care and that your business is committed to making a positive difference in socety. Remember that BBBEE policies are focussed on effecting transformation in the business world by empowering greater black economic participation. A BBBEE certificate can be promoted in your business’s marketing materials.
BBBEE certificates can be issued by verification agencies that are approved by the South African National Accreditation System or Independent Regulatory Body. Obtaining a certificate may not require special auditing – an affidavit may suffice. For example, a QSE that has 51% black ownership is automatically qualifies for Level 2 BBBEE status. If the ownership is 100% black, this grants Level 1 status.
Exempt Micro Enterprises (EMEs), which need to have annual turnover of less than R10 million, automatically acquire Level 4 status without needing any black ownership. Having black ownership immediately upgrades them to Level 1 status.
BBBEE certificates are valid for one year from the date of issue, and need to be renewed annually. Even though rules and regulations have become stricter with the policy changes that were introduced last year, it is still perfectly feasible to obtain a BBBEE certificate – and with all the benefits that having one brings, there is no good reason not to.
Although all business entities are are obliged to comply with B-BEEE requirement, these requirements differ slightly and have different implications for different size business.
Big Business and government procurement processes are currently required to support businesses who are B-BBEE certified. This means that small business are more likely to secure large businesses and government entities as clients, if the small business in question is in compliance with the new B-BBEE scoreboard. Businesses with a low B-BBEE score stand to lose out. If your company has a B-BBEE certificate then your customers can claim points on their own B-BBEE scorecard for buying from your business.
The act refers to three different sized companies:
These are businesses with an annual turnover of less than R10 million. EMEs are exempt from B-BBEE compliance in so far as they automatically receive a minimum B-BBEE score of 100% regardless of other factors. However, this score can increase to as much as 135% if they have black ownership. Other B-BBEE criteria do not come into play for EME’s.
These are businesses with an annual turnover of between R10 to R50 million. In the past these entities only had to comply with a some criteria but in terms of the new B-BBEE scorecard QSEs must comply with all 5 elements of new B-BBEE Scorecard to score their points.
These are businesses with an annual turnover of more than R50 million. M&Ls must comply with all 5 elements of the new B-BBEE Scorecard.
In order to get a good BEE rating, a number of criteria are set out by which your score is calculated. The 7 criteria of the past have been reduced to 5 under the new B-BBEE scorecard. These are as follows:
This pertains to voting rights and shareholding. In calculating the score one looks at black ownership in general, and ownership by black women specifically. The acts also calculates ownership and voting rights among certain groups such as those below the age of 35 and above the age of 65.
This criteria refers to the extent to which voting rights on the board is held by black members, control of the executive board, and percentage of senior management.
Skills development refers to the the extent to which a company invests in and works towards improving the skills and competencies of its black workforce.
This aspect of the new B-BBEE scorecard record the extent to which small, black-owned companies are supported and developed
The extent to which a company carries out social investment initiatives.
The Bribery Act of 2010 is a United Kingdom (UK) law that defines and enforces the crime of bribery to ensure companies can compete on a level playing field. Section 7 of the law introduced a new offense: the failure of an organisation to prevent bribery on its behalf.
The UK government provides guidance to help organisations meet the requirements in the Act. Companies that use third parties should be aware of these provisions and assess their vendors, supply chain partners and other third parties accordingly.
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards to document the security controls in infrastructure-as-a-service, platform-as-a-service and software-as-a service applications.
The CAIQ contains a series of yes or no control-assertion questions that can be customized to fit an individual cloud customer's needs. The CAIQ is intended to be used in conjunction with the CSA Guidance and the CSA Cloud Controls Matrix (CCM). The CAIQ is part of the CSA governance, risk management and compliance stack.
The questionnaire is designed to support organizations when they interact with cloud providers during the cloud providers' assessment process by giving organizations specific questions to ask about the providers operations and processes.
Cloud providers can use the CAIQ to outline their security capabilities and security posture to customers, publicly or privately, in a standardized way using the terms and descriptions considered to be best practices by the CSA.
Completing the CAIQ questionnaire usually takes a few hours and is considered only a first-level screening process; more intensive provider review processes are advised.
Benefits of the CAIQ
The CAIQ was designed to help with one of the leading concerns that companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management, and how they implement them. Organizations should use the CAIQ as a first-level filter, After they pass that test, businesses should audit vendors to provide more specific demonstrations on controls that matter most to them.
Next steps after the CAIQ
The CSA STAR program consists of three levels of assurance (self-assessment, third party certification and continuous auditing) based on:
Certified in the Governance of Enterprise IT (CGEIT) is a vendor-neutral certification for experienced tech professionals. The CGEIT credential is designed to provide certification for those who direct, manage or otherwise support the governance of IT in large organizations and their extended third-party service provider capability . ISACA (Information Systems Audit and Control Association) developed and runs CGEIT, which is accredited by the American National Standards Institute (ANSI).
Information technology governance in organizations continues to grow in importance due to an ever-increasing reliance on IT to deliver services, along with the rising need to comply with complex laws and regulations concerning financial accountability, data security and protection, and privacy. As a result, the need arises for governance credentials, such as Certified in the Governance of Enterprise IT (CGEIT), as well as others such as ITIL Expert, Certified in IT Governance, Risk Management, and Compliance (CRISC) from ISACA and PMI Risk Management Professional from the Project Management Institute.
CGEIT Qualifications: Education and Experience
To receive the certification, candidates must pass a four-hour exam, which includes 150 questions and covers five areas: Framework for the Governance of Enterprise IT, Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization. CGEIT-certified professionals also must have at least five years of cumulative work experience in IT enterprise governance, including at least one year defining, implementing and managing a governance framework. (Individuals may take the CGEIT exam before meeting the experience requirements, which must be met before the CGEIT designation is awarded.)
Additionally, CGEIT holders are expected to comply with the ISACA Code of Professional Ethics as well as the CGEIT Continuing Education Policy, attaining an annual minimum of 20 continuing professional education (CPE) hours in related coursework to reach a minimum of 120 CPE hours for a three-year reporting period.
Depending on the third-party payroll providers clients, the CGEIT certifications can form part of their global business continuity and TPRM audit criteria.
On January 31, 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v1.0 of the Cybersecurity Maturity Model Certification (CMMC). Developed to serve as a single cybersecurity standard for all future DoD acquisitions, CMMC requires that each of the more than 300,000 DoD contractors become CMMC certified beginning in October 2020, with a five-year phase-in and renewals every three years after that.
CMMC requires companies achieve third-party certification against cybersecurity and information handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that our entire national defense supply chain is secure and resilient.
All DoD contractors must be certified in one of five levels, from Level 1 (lowest, Basic Cyber Hygiene) to Level 5 (highest, Advanced/Progressive) based on the Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for controlled unclassified information (CUI) from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204.7012.
Although certified auditors (C3PAOs) must assess DoD contractors in order to demonstrate compliance with their target level of certification, companies that are doing, or wish to do, business with the US federal government can assess themselves against the requirements as well.
Certified in Risk and Information Systems Control (CRISC) is a certification program that recognizes knowledge and training in the field of risk management for IT. CRISC is one of many certifications available from Information Systems Audit and Control Association (ISACA) which is accredited by the American National Standards Institute (ANSI).
CRISC can provide IT security professionals with a visible marker of experience and knowledge in risk management for enterprise and financial sectors.
CRISC Areas of Risk Management
CRISC breaks down areas of risk management specialization into 4 domains:
Within these domains, CRISC measures an individual’s ability to deal with risks in an enterprise business and to use information system controls.
Prerequisites for CRISC include three years’ experience in a risk management role with one year at least in domain 1 or 2. Candidates must agree to uphold the ISACA professional code of ethics and comply with the continued education policy. The certification has one requisite exam with 150 questions.
Individual experience and relevant certifications often form part of a third-party risk management (TPRM) and Business Continuity Program audit.
The California Transparency in Supply Chains Act is a law enacted in 2012 that requires companies to disclose their efforts to ensure that the goods they sell are not produced by workers who are forced into servitude or labor. The law applies to any company that does business in the U.S. state of California, with at least $100 million in global revenue, and that makes or sells goods in California.
A company's public disclosure must be conspicuous and include information on how it:
Verifies labor practices in its supply chains
Audits suppliers
Certifies that materials are not produced by forced labor
Maintains internal accountability
Trains employees and management
The EBA Guidelines set out the internal governance arrangements that credit institutions, payment institutions and electronic money institutions should implement when outsourcing internal services, activities or functions.
The EBA Guidelines require robust management and tracking of service provider risks. They specify that a policy for managing risk should be in place, including internal controls-based assessments and continuous monitoring of third-party outsourcing arrangements. The policy should be codified in a contract between the financial institution and the outsourcing relationship, with proper documentation and reporting for both remediation efforts and audit capabilities.
These requirements represent a full set of controls implemented across the outsourcer organization and are well beyond the scope of a simple automated scan of external-facing infrastructure.
Guidelines on outsourcing-arrangements
EBA regulation and policy
EU Directive
EU Access Legal Act
Organizations who collect, store, process, or transfer personal data of EU citizens must comply with this regulation. These data protection obligations extend not only to organizations operating within the EU, but also to any companies (payroll service providers and their downstream partners) outside of the EU that offer goods or services to EU residents.
To be compliant with GDPR, organizations must take necessary steps to protect citizens’ data in their care, including data that is shared with third parties. Because many data breaches occur through third-party relationships, GDPR clearly states that third parties (known as data processors) must handle data privacy and security in a way that is compliant to the regulation. In fact, under this legislation, they are legally obligated to comply with all aspects of the regulation to ensure consistency and true protection for customers.
Under GDPR, regulatory authorities have greater power to act against companies that break this law, with fines totalling up to 4% of annual global revenue or 20 million euros, whichever is greater. It's therefore imperative to conduct due diligence of your organization's vendors, suppliers and other third parties to ensure they are adhering to GDPR requirements.
This documentation serves as an overview of Health and Safety at Work.
Work from Home is no different to Work from the Office – the employer has a responsibility to their employees Health and Safety and the investment in regular compliance audits help support wider and longer term Business Continuity Plans.
We and our partners know exactly what the law demands of your business. We have practical experience and understand how to balance compliance with commercial need. That’s why both small businesses and leading brands trust us to support their health and safety compliance. A business with a good reputation for safety is one that staff want to work for and other organisations want to do business with.
Risk assessments relevant to the law. P3 work with leading experts in region:
We spot the health & safety hazards that put you on the wrong side of the law. Then we help you cut them out.
Practical fixes.
We give practical advice on how to remove risk and deliver duty-of-care. So you can be sure you’re not breaking the law, without breaking the bank.
A watertight written report.
You get a written risk assessment from a health & safety expert that stands up to scrutiny if you ever face a claim in court.
Improved employee wellbeing.
Safe workers make better workers. Your risk assessment reduces the chance of work-related sickness and increases productivity.
A plan for growth.
We give you an action plan to improve your health & safety and get the best for your business as it grows.
Flood, Cyber attack, Supply chain failure or losing a key employee. Disruptions to your business can happen at any moment.
Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible. Whether it’s a business, public sector organization, or charity, you need to know how you can keep going under any circumstances.
A good BC plan recognises potential threats to an organization and analyses what impact they may have on day-to-day operations. It also provides a way to mitigate these threats, putting in place a framework which allows key functions of the business to continue even if the worst happens.
Security and resilience – Business continuity management systems – Requirements, is a management system standard published by International Organization for Standardization that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
The ISO 27001, 27002 and 27018 standards set requirements for establishing, implementing, maintaining and continually improving an information security management system.
ISO 27001 is the stringent evaluation of cyber and information security practices. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system.
ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.
ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”
With respect to managing information security in supplier relationships, Section 15 of 27001 and 27002 summarizes the requirements for securely dealing with various types of third parties.
ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organisations consider what they need to put in place to meet these requirements.
"ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”
With respect to managing information security in supplier relationships, Section 15 of 27001 and 27002 summarises the requirements for securely dealing with various types of third parties."
ISO/IEC 27031:2011 describes the concepts and principles of information and comunication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity.
It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions.
It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.
The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.
ISO 9001:2015 is an international standard that establishes the criteria for a quality management system. It is the only standard in the ISO 9000 family that results in a formal certification.
The standard is based on several quality management principles, including clear focus on meeting customer requirements, strong corporate governance and leadership commitment to quality objectives, process-driven approach to meeting objectives, and focus on continuous improvement.
ISO 9001:2015 helps organisations improve customer satisfaction by focusing on the consistency and quality of products and services provided to customers.
The Modern Slavery Act of 2015 is a UK law that requires organisations to publicly communicate their practices to ensure that forced labor, human trafficking, and other forms of involuntary servitude are not taking place in their businesses or supply chains. The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what form this should take for third-party relationships.
The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard establishes new cybersecurity requirements for electric power and utility companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). Enforceable starting on July 1, 2020, responsible entities have 18 months to comply in order to avoid penalties. NERC is authorised to penalise registered entities up to $1 million per day per outstanding violation.
Third-party risk management plays a pivotal role in ensuring supply chain security through the regular assessment of supply chain partners’ internal security controls and the ongoing monitoring of vendor risks in real time. Taken together, this inside-out, outside-in view provides more complete visibility in supply chain risks.
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities includes establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST evolved into a key resource for managing cybersecurity risks, many private sector organisations consider compliance with these standards and guidelines to be a top priority.
NIST requires robust management and tracking of third-party supply chain security risk. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organisations consider compliance with these standards and guidelines to be a top priority.
NIST Special Publication (SP) 800 series establishes computer and information technology-related standards and guidelines for both federal agencies and private organisations. NIST Cybersecurity Framework v1.1 realises that specific controls and processes have already been covered and duplicated in existing standards, and thus provides streamlined, high-level guidance for improving cybersecurity defenses. NIST Special Publication (SP) 800-161 is a supplement to SP 800-53 and provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology supply chain risks at all levels of their organisations.
These NIST standards specify that:
A policy for managing risk should be in place
Security controls should be selected
A policy should be codified in supplier agreements where appropriate suppliers should be managed and audited to the requirements and controls
In the simplest terms, an organisation needs to establish and implement the processes to identify, asses and manage supply chain risk.
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities includes establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST evolved into a key resource for managing cybersecurity risks, many private sector organisations consider compliance with these standards and guidelines to be a top priority.
NIST requires robust management and tracking of third-party supply chain security risk. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organisations consider compliance with these standards and guidelines to be a top priority.
NIST Special Publication (SP) 800 series establishes computer and information technology-related standards and guidelines for both federal agencies and private organisations. NIST Cybersecurity Framework v1.1 realises that specific controls and processes have already been covered and duplicated in existing standards, and thus provides streamlined, high-level guidance for improving cybersecurity defenses. NIST Special Publication (SP) 800-161 is a supplement to SP 800-53 and provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology supply chain risks at all levels of their organisations.
These NIST standards specify that:
A policy for managing risk should be in place
Security controls should be selected
A policy should be codified in supplier agreements where appropriate suppliers should be managed and audited to the requirements and controls
In the simplest terms, an organisation needs to establish and implement the processes to identify, asses and manage supply chain risk.
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of NIST's responsibilities includes establishing computer and information technology-related standards and guidelines for federal agencies. Because NIST evolved into a key resource for managing cybersecurity risks, many private sector organisations consider compliance with these standards and guidelines to be a top priority.
NIST requires robust management and tracking of third-party supply chain security risk. Because NIST has evolved into a key resource for managing cybersecurity risks, many private sector organisations consider compliance with these standards and guidelines to be a top priority.
NIST Special Publication (SP) 800 series establishes computer and information technology-related standards and guidelines for both federal agencies and private organisations. NIST Cybersecurity Framework v1.1 realises that specific controls and processes have already been covered and duplicated in existing standards, and thus provides streamlined, high-level guidance for improving cybersecurity defenses. NIST Special Publication (SP) 800-161 is a supplement to SP 800-53 and provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology supply chain risks at all levels of their organisations.
These NIST standards specify that:
A policy for managing risk should be in place
Security controls should be selected
A policy should be codified in supplier agreements where appropriate suppliers should be managed and audited to the requirements and controls
In the simplest terms, an organisation needs to establish and implement the processes to identify, asses and manage supply chain risk.
In early 2017, the New York State Department of Financial Services (DFS) instituted 23 NY CRR 500 to establish new cybersecurity requirements for financial services companies. The regulation is designed to protect the confidentiality, integrity and availability of customer information and related IT systems.
23 NY CRR 500 was enacted in response to the alarming growth in data breaches and cyber threats against financial institutions. A key component of complying with 23 NY CRR 500 is managing vendor IT security controls and data privacy policies.
Two sections of the regulation specifically address third-party providers:
Section 500.04 relates to the appointment of a CISO, who can be employed by an affiliate or third-party.
Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information systems security based on a risk assessment.
Signed into law by the Governor of the US State New York on July 25, 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data protection law that has broadened the definition of personal information to include username and password for an online account and biometrics; requires specific data security controls for organisations to protect the personal information of New York residents; and sets specific data breach notification requirements and penalties on organisations where the data of New York residents has been compromised.
Largely an update to previous New York state laws, the SHIELD Act will go into effect on March 21, 2020 and is meant to improve cybersecurity protections and data breach notification, with penalties ranging from $5,000 per violation to $20 per failed notification (capped at $250,000). Much like what the California Consumer Privacy Act (CCPA) does for that state, if your organisation collects any kind of personal information from a resident of New York State – or you exchange information with a business partner that does – the law applies to you regardless of where your organisation is located.
The Office of the Comptroller of the Currency (OCC) is the group within the Department of the Treasury that charters, regulates, and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks. The OCC enforces its regulations with examinations, and it can deny applications for new charters or take other actions against banks and thrifts that do not comply with laws and regulations or otherwise engage in unsafe practices.
The OCC's mission is to ensure that national banks and federal savings associations operate in a safe and sound manner; provide fair access to financial services; treat customers fairly; and comply with applicable laws and regulations.
OCC Bulletin 2013-29, clarified with a FAQ in OCC Bulletin 2017-21, provides risk management guidance for “assessing and managing risk associated with third-party relationships.” OCC 2020-10 provides guidance to Examiners on what to look for when examining a bank’s third-party risk management program.
These bulletins highlight the need for an effective risk management process throughout the lifecycle of third-party relationships, including risk assessment, continuous monitoring, and reporting and documentation to facilitate oversight and accountability.
A comprehensive report covering gap analysis and exercise results with documented priorities to mitigate risks in accordance with Third-Party Vendor client Business Continuity Plan Priorities
China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add another layer of complexity with respect to compliance with China’s security and data laws and regulations.
As is usual with all China laws, many of the concepts and requirements are high-level and we expect that some further details will be provided in regulations and practical guidances in the coming months.
The PCI Security Standards Council operates programs to train, test, and qualify organizations and individuals who assess and validate compliance, in order to help merchants successfully implement PCI standards and solutions. The Council also qualifies payment hardware and software so that merchants select and implement approved solutions for securing payment data and systems.
Becoming PCI DSS compliant depends on the complexity of your payments environment, and the data security measures you already have in place. In fact, you may already be compliant and not realise!
Becoming compliant isn’t just a one-time task – you’ll need to take measures regularly to ensure you’re still complying with the rules.
Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is a deprecated auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 (SAS 70) and has been superseded by SSAE No. 18.[1]
The "service auditor’s examination" of SAS 70 is replaced by a System and Organization Controls (SOC) report.[2] SSAE 16 was issued in April 2010, and became effective in June 2011. Many organizations that followed SAS 70 have now shifted to SSAE 16.[citation needed] Some service organizations use the SSAE 16 report status to show they are more capable, and also encourage their prospective end-users to make having an SSAE 16 a standard part of new vendor selection criteria.
SSAE 16 has two different kinds of reports. A SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day. A SOC 1 Type 2 report adds a historical element, showing how controls were managed over time. The SSAE 16 standard requires a minimum of six months of operation of the controls for a SOC 1 Type 2 report.
SSAE 16 reporting can help service organizations comply with Sarbanes–Oxley's requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting.
SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set. In this respect, it is similar to ISO 27001:2013.
Service Organization Control (SOC) 2 is a standard that is designed to provide assurance that an organization's systems are set up to cover the security, availability, processing integrity, confidentiality, and privacy of customer data.
These five core subject areas are commonly known as Trust Service Principles. The purpose of a SOC 2 (also referred to as a Type 2 report) is for an organization to detail the operational effectiveness of their systems based on the five principles. To achieve compliance against a SOC 2 assessment, organizations must develop a clear documentation framework, built around security policies, security procedures and supporting documentation.
The five principles are further defined to account for criteria common to all five of the trust service categories (common criteria) and additional specific criteria for the availability, processing integrity, confidentiality and privacy categories. Clear objectives of each principle are set out within the Trust Services Criteria and provide an organization with clear expectations to look for when validating or verifying security controls.
-1.png?width=250&height=92&name=P3%20Audit%20New%20Logo%20(No%20Tag1)-1.png "P3 Audit New Logo (No Tag1)-1")