Updates from November, 2014

  • Business Continuity tabletop exercise – who to involve? 

    The tabletop exercise involves each individual whose responsibility is defined and documented in your business continuity plan. The days that you spent creating the plan are completely wasted unless each role and individual named agrees with the content.

    Top Management – Even if you cannot get the CEO, involve someone from your core customer-facing team. This role checks whether the continuity plan meets customer and core-operations needs during restoration.

    Business Continuity Manager – This role has complete oversight of how fast the enterprise needs to respond under each documented plan. Involving him/her ensures that the outcome of the business continuity plan is achieved in line with business objectives.

    Assuming you have plans to manage site outage, technology outage, vendor outage and people outage, involve both process and support teams to be a part of this exercise.

    Information Technology – Whether it is a hot site, warm site or cold site strategy, individuals should acknowledge their ability to restore within the recovery time objective (RTO) while meeting the recovery point objective (RPO).

    Human Resources – If your people outage plan involves cross-training or replacement of existing employees to do a specific task, then the heads of those teams should agree and acknowledge that the replacement employee will be able to do the desired work.

    Procurement – If your vendor outage strategy involves seeking an alternate service provider, the procurement team and the respective team whose services will be affected should agree and acknowledge the alternative plan.

    Physical Security – The physical security team should be able to acknowledge the availability of the alternate site and its readiness in case of a site outage, as defined in the plan.

    Crisis Management Team (CMT) – CMT members are the ones who invoke the continuity plans. They should understand each of the outage scenarios, the human element of a crisis, and the outage plans. They know that it takes time and resources to invoke these plans, and their role is to manage the human part of the process.

    Taking Feedback

    Ask the members attending the session: are you now more aware of business continuity and of your own responsibility? If the answer is yes, half of the battle is won. Organisationally, you are now prepared for the next maturity level of continuity, which can be a simulation test, a full-blown test, or a combination of the two.

    Documenting Results

    All the teams participating should give formal feedback about the outcome of the test, and their feedback should be documented for improving your overall continuity plan.

    If your business continuity plan is still at version 1, it has probably never been read and reviewed. It is highly unlikely that it will remain at version 1 after a formal tabletop exercise.

    Hope it helps!

  • SSAE 16 – SOC 1 and SOC 2 – Readiness journey

    Unlike many other compliance subjects where the certification or attestation is point-in-time, an SSAE 16 Type II report is a period-of-time attestation. The chosen US-based CPA firm wishes to verify not only that controls are implemented but, more so, that they have been operated consistently and rigorously over the last 6 months.

    If you are considering the journey, here is what you need to do:

    Start with an enterprise/information risk assessment: This should cover not only your external risks but also your internal risks. Any event or threat that can jeopardise the organisation's operations should be identified as part of this. This exercise can take anywhere between 3 and 6 weeks depending on the size and complexity of the organisation.

    Define a control framework: A framework starts with the creation of an enterprise team comprising (but not limited to) a risk management committee, a chief risk officer or security manager, and department heads. Each of these roles and their functions needs to be documented in a formal roles and responsibilities document that states whether each is part of the risk identification role, the risk management role, or both.

    Choose one or more international best practices that suit your enterprise risk

    A number of international standards can be used as reference material for implementation (not exhaustive):

    • Enterprise Risk Management (ISO 31000)
    • Quality Management System (QMS) – ISO 9001
    • Information security Management System (ISMS) – ISO 27001/ISO 27002
    • Business continuity management (BCM) – ISO 22301/ISO 24762
    • IT Governance – COBIT 5/ISO 28000
    • ITIL Service management (ITSM) – ISO 20000

    Documentation – policy, procedure and processes

    Based on your choice and applicability, you may then need to write individual policies that govern your organisation's risk. An enterprise policy on risk, an information risk policy and risk registers are some of the common enterprise documents that are created. At the department level, policies and procedures (such as change management and access management) are created to minimise fraud. The range of documents created can be anywhere between 30 and 50 policies depending upon your risk assessment, and they should encompass all parts of the business operation.

    Perform internal audit

    Internal audit should ideally be done by an independent team in order to verify the completeness of the implementation.

    Maintain an annual program to keep the momentum

    Note that SSAE 16 attestation is an enterprise program, not a project that will come to an end at a specific point, so management should ensure that the policies so defined become part of every business life cycle, whether it involves new customer acquisition or hiring new employees. One simple way is through incentives for employees.

    Outcome and benefit

    The resulting outcome is a system of people, processes and technology that demonstrates the control environment in the organisation. This will be of great value to your existing and future customers.

    Want to know more about the difference between SSAE 16 Type I and Type II? Read this blog:

    Hope this helps!

  • Risk Assessment – What is the ‘ideal’ approach? 

    The benefit of performing risk assessment far outweighs the cost or impact that an organization may have to suffer in case an incident takes place.

    Thanks to the implementation of international standards such as ISO 27001, ISO 31000, ISO 22301, ISO 20000, SSAE 16, COBIT, PCI-DSS, HIPAA and DPA (not exhaustive), there is more and more interest in understanding risk assessment methodologies and how they can benefit an organization's business.

    The need to understand the finer nuances is increasing but is far from the maturity levels demanded by any of the international standards. If you are certified to any management system standard, ask auditors about the one common flaw they find in most organizations and they will surely respond, “I wish they had a better risk assessment.”

    What is going wrong with risk assessments today?

    The absence, or lack of maturity, of formal risk assessment is contributed to by the following key factors:

    • International standards are sometimes confusing to the layman – if you search for the word ‘risk’ you will find several interpretations of the same keyword; ISO 31000 defines risk closer to a (positive) opportunity, whereas ISO 22301/ISO 27001/ISO 20000 reflect a negative interpretation of the word.
    • Lack of management interest in what it can do for them – Most management teams do not see it as a constructive activity; it is seen as tied to an event such as ISO 27001 (or any other) certification. Management says, “Get it done somehow, and we should be compliant.” If implemented correctly, risk assessment can be part of each business activity, and it pays to be ‘risk-aware’.
    • Inability to correlate internal and external events with the risk assessment methodology – The owners of risk assessment, the people in the organization who perform it, often struggle to relate internal and external events to their risk assessment. It is generally something that one person does, and only that person knows how it is done. Ideally the response should be, “We are all involved.”

    What can be done to ensure completeness?

    Consider the following key parameters for your risk assessment approach to make it successful and beneficial to the business (not exhaustive).

    Agree on terms and definitions: Risk is a function of asset, business impact, threat, vulnerability and probability. Define each one of them, and explain how they correlate in the risk valuation of the asset.

    Agree on a rating methodology: The methodology includes valuation. Valuation can be quantitative as well as qualitative. When measuring, provide a range such as 1-4 or 1-10, 1 being the lowest and 4 (or 10) the highest. The rating should be based on your organization's valuation, not someone else's. If you rate Availability as 4 for an asset, it needs to reflect that the asset's unavailability can hinder the continuity of the business; in other words, make it contextually relevant.

    Make it simple, provide guidance: Provide support that shows how something is to be rated as 4 (Very High). An asset containing salary data may be rated as Very High, and that rating applies to all forms of that asset and to the teams handling it.

    Agree on context: Context is the scope of risk that you wish to address. Is it service risk, information risk or business risk? Since most risk assessments are driven by compliance objectives, define the context in terms of the assets, services or functions that need to be covered. Once you see the value, you can expand the context itself.

    Start from the top: Start with the CEO. We have found that the engagements we started with the CEO were much more successful. If the CEO is not involved, it is a sure failure; I doubt it will see the light of day.

    Involve department heads (if not everybody) and make them ‘own’ it: Explain to and involve the heads of departments and business process owners; they will appreciate it and help you evolve. Again, this is not just for IT or security teams; it involves everyone. If you explain to a team such as R&D how risk assessment helps reduce the risk to R&D's assets, they will surely participate.

    Consider trigger points for reassessment or change: Once you decide the context, also decide the trigger points for change. Change can be in methodology, rating, new assets, new threats, new weaknesses or new events, internal and external, to name a few.

    Consider a target and a period of measurement: Management is interested in numbers, we all know that. Define a risk target. Also apply this by showing how your risks improved over a given period of time. Note that the true objective is to reduce risk to an optimum level that supports the business.

    Take the above as a guideline for your risk assessment process, and I am sure your risk assessment will improve manifold.

    Hope this helped, let me know your reactions!

  • Understanding SSAE 16/SOC 1 and SOC 2 

    The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 16 (SSAE 16), reporting on controls at a service organization (also referred to as a vendor), was issued in April 2010. With effect from June 15, 2011, SSAE 16 effectively replaced the long-standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls. The focus of SSAE 16 is the service organisation's (vendor's) internal control over financial reporting as relevant to interested parties, specifically customers.

    How does SSAE 16/ISAE 3402 apply to service organizations?

    The Sarbanes-Oxley Act (“SOX”) requires that publicly traded companies that outsource a portion of their processes obtain an SSAE 16 report from their service organization. The SSAE 16 report can effectively replace the need for the service organization to be subject to multiple audits from its customers and their respective auditors. An SSAE 16 report ensures that all customers of the service organization and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements. SSAE 16 may also help a service organization realize significant efficiencies in its business processes, as well as improvements in its controls and control environment, through value-added recommendations from the service auditor.

    Outsourcing service providers to US companies, located in India, China, Mexico, Ireland, Russia, Malaysia, the Philippines, Brazil, Singapore, Canada, Chile, Poland and elsewhere, come under the purview of SSAE 16. An SSAE 16 report issued by a CPA is the ideal vehicle for the service organization to provide assurance that its customers' interests are well under control.

    What are the key benefits for compliance?

    Service organizations can receive significant value from having an SSAE 16 examination performed. An SSAE 16 report with an unqualified opinion issued by an independent CPA firm differentiates the service organization from its peers by demonstrating that it achieved a defined set of control objectives relevant to its specific industry, that its controls are effectively designed and, in the case of a Type 2 report, that the controls operated effectively over a period of time. An SSAE 16 report will not only help a service organization build trust with its existing customers but also position it in the marketplace to attract new clients. A clean SSAE 16 report can put small to mid-sized service organizations on a level playing field with some of their larger competitors. Most Requests for Proposals today almost inherently require the service organization to have been subject to an SSAE 16 examination. In fact, by not having an SSAE 16 examination, you face the likelihood of being eliminated from an opportunity before even having the chance to bid.

    What are the benefits to customers?

    Customers that obtain an SSAE 16 report from their service organization(s) receive an independent and unbiased opinion from the service auditor about the service organization's controls and the effectiveness of those controls. The SSAE 16 report is a mechanism for customers of service organizations to demonstrate management of the risks and exposures involved in outsourcing business services. It helps ensure the processing integrity and reliability of outsourced business transactions and services.

    For service organizations that do not have an independent examination of their controls performed, it is never too late to consider obtaining one and for customers of service organizations it is never too late to ask for one.

    Why the change from SAS 70 to SSAE 16?

    The globalization of business process outsourcing drove the need for a common global standard. SSAE 16 was issued to align with International Standard on Assurance Engagements (ISAE) 3402. There was also a need for increased emphasis on the service organization rather than on the auditor; SAS 70 was more focused on the auditor than on the service organization. Companies reporting under SAS 70 held several misunderstandings, such as that SAS 70 represented the implementation of best practices and that it was a certification. SSAE 16 clarifies these misunderstandings.

    Difference between SOC 1 and SOC 2

    SOC 1 is a report on controls at a service organization relevant to a user entity's internal control over financial reporting. A Type 1 report focuses on a description of a service organization's system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. A Type 2 report contains the same opinions as a Type 1 report, with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

    A SOC 2 report has the following key features:

    • Reports on controls at a service organisation relevant to the common criteria (security), availability, processing integrity, confidentiality, or privacy.
    • Uses the Trust Services Criteria.
    • Includes a description of the service auditor's tests of controls and their results.

    Two types of engagements

    SSAE 16 will continue to enable a service auditor to perform two types of engagements:

    1. A Type 1 engagement, in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
    2. A Type 2 engagement, in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period.

    What changed from SAS 70 to SSAE 16?

    The following are some of the notable changes introduced by SSAE 16:

    1. A written assertion by management is required and must include the suitable criteria used for its assessment.
    2. The audit report must include a written assertion by the subservice organization if the inclusive method is used.
    3. While SAS 70 required only a description of controls, SSAE 16 requires a description of systems and processes.
    4. Management of the service organization must identify risks that threaten the achievement of the control objectives.

    Further questions or clarifications?

    If you have questions or need clarifications, or are seeking a road map to achieve SSAE 16/ISAE 3402, call or write to us at roadmap@www.coralesecure.com