Data Security and Privacy are increasing challenges in today’s Cloud-based environments.

MISCONFIGURED CLOUD SERVERS

“In 2018, the media sector topped the chart with 40 percent of publicly disclosed incidents. Half of these incidents involved misconfigured cloud servers and other improperly configured systems that leaked data or allowed a remote attacker to exploit the asset.”

“Attackers are targeting users of cloud services and misconfigured cloud servers are exposing customer and employee data.”

BREACHES AND REGULATIONS MAKE VENDOR RISK A PRIORITY

Organizations should check and monitor the settings of their cloud service architecture and never leave default settings in place. Vet third-party cloud vendors for high security standards before choosing to do business with them. Know who controls each component of your cloud infrastructure, and define policies for where and how security measures are deployed. Apply the same security policies you would employ for classic IT infrastructure.

VENDOR (THIRD-PARTY) RISKS

From a cybersecurity perspective, third-party risks frequently involve a set of threats that exceed the scope of the organization’s own risk management activities. Some organizations define these risks too narrowly: for example, when hosting data in the cloud, most organizations simply ask the vendor for attestations or some other evidence of cybersecurity capability.

CLOUD ASSURANCE FOR CSPs

SOC 2 FOR CLOUD: CSA STAR ATTESTATION

The Cloud Security Alliance (CSA), in collaboration with the AICPA, developed a third-party assessment program for CSPs officially known as CSA Security, Trust & Assurance Registry (STAR) Attestation. STAR Attestation provides a framework for CPAs performing independent assessments of CSPs using SOC 2 engagements combined with the CSA’s Cloud Controls Matrix (CCM). www.cloudsecurityalliance.org/star/attestation/

Privacy Compliance for Cloud

Privacy has grabbed the attention of Boards of Directors as regions look to implement privacy regulations and compliance standards similar to GDPR. Privacy is the new buzzword, and the potential impact is very real. Personal data is processed for political and economic reasons without users’ consent, as happened in the Cambridge Analytica case. In view of recent incidents, privacy laws are changing and may become more stringent going forward. It may be prudent for organizations to be proactive and adopt measures for Privacy Governance.

THE SOC 2 PRIVACY CRITERIA

To demonstrate their privacy-related controls, organizations can include the privacy criteria in the scope of their SOC 2 report. Controls addressing other specific laws can also be included as Additional Subject Matter. The broad requirements of the AICPA Privacy Criteria are described in the following paragraphs; many of them map to legislation such as the EU GDPR. In the wake of such new privacy mandates, organizations are encouraged not only to include the privacy criteria in their own SOC 2 reports but also to require that their vendors include them in theirs.

SOC 2 DESCRIPTION FOR PRIVACY

When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organization’s privacy notice or in its privacy policy that are relevant to the system being described.

When making such disclosures, it may also be helpful to report users if service organization management describes the purposes, uses, and disclosures of personal information permitted by user entity agreements.