As a managed service provider, securely managing your data to protect your organization, reinforce the integrity of your business, and safeguard your clients' data can be a challenge, but it is possible. During this free, hour-long webinar, Brian Garland and Paul Hugenberg, leaders on Rea & Associates' cybersecurity and data protection team, will walk you through SOC 2 compliance and how this reporting framework can help you leverage your existing data security program and business model to support long-term organizational success and sustainability.
Join us to learn:
- What SOC 2 is and what it is specifically designed to accomplish.
- How SOC 2 can improve your organization’s safety, credibility, and overall profitability.
- When a SOC 2 is absolutely necessary to a business's long-term financial and organizational wellness.
- How CMMC works with SOC 2.
To learn more about SOC2, visit https://www.reacpa.com/contact-us/ to reach out to a member of our team.
#SOC2 #ReaCyber #ReaCPA
[ON-DEMAND WEBINAR] Understanding SOC2: A SOC 2 Guide for Managed Service Providers (MSPs)
1. SOC 2: Guide for MSPs
REA CYBER SERVICES
March 2021
Brian Garland, CPA, CISA
Senior Manager, Cyber Services | Rea & Associates, Inc.
Brian.Garland@reacpa.com
Paul Hugenberg, CISA, CISSP, CRISC, CPA
Principal, Cyber Services | Rea & Associates, Inc.
Paul.Hugenberg@reacpa.com
2. Agenda
• Common myths regarding SOC 2
• SOC structure – what is it?
• What SOC 2 is designed to do for your MSP
• Reasons to leverage the SOC 2 framework
• Situations when other options may be preferable
3. Poll Question
• Which of the following is your MSP's primary approach to satisfying customer/prospect due diligence requests?
• SOC 2
• NIST
• HITRUST
• ISO
• Other
4. Common Myths Surrounding SOC 2
• Anyone can perform a SOC for me. (A SOC report is an attestation engagement performed under AICPA standards by a licensed CPA firm.)
• I can get a SOC 2 "certification". (There is no SOC 2 certificate; the deliverable is a report containing the auditor's opinion.)
• It is a technical examination only.
• All SOCs are the same. All vendors are the same.
• A SOC has no ROI for the MSP/MSSP.
• All opinions are equal.
• A SOC 2 satisfies other regulations.
• A SOC 2 cannot include other regulations.
5. AICPA Service Organization Control (SOC 2) – now styled System and Organization Controls
• Trust Services Criteria (previously Trust Services Principles and Criteria)
• Security – REQUIRED
• Availability – OPTIONAL
• Processing Integrity – OPTIONAL
• Confidentiality – OPTIONAL
• Privacy – OPTIONAL
6. SOC 1, SOC 2 and SOC 3
SOC 1 – PRIVATE distribution
• Report on controls at a service organization relevant to its customers' financial reporting
• e.g. payroll processors, SaaS applications critical to financial reporting (general ledger)
SOC 2 – PRIVATE distribution
• Report on controls over in-scope systems, regarding "CIA+":
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
SOC 3 – PUBLIC distribution
• Same examination and criteria as SOC 2, but the report is general-use and written at a higher level, without the detailed description of tests and results
7. Readiness Assessment, Type 1 and Type 2
SOC 2 Readiness Assessment – NO OPINION
• Review of current state compared to the Trust Services Criteria ("gap analysis")
• Non-assurance report
SOC 2 – Type 1 – SINGLE OPINION
• Review of control design and system description at a point in time
SOC 2 – Type 2 – DUAL OPINION
• Review of control design, system description, and control operating effectiveness over a period of time
8. SOC 2 Recap
• Trust Services Criteria
• Common Criteria (Security) – required (33 criteria, CC1 through CC9)
• Other criteria are add-ons, selected based on the MSP's SLAs and customer requirements
• Type 1 and Type 2
9. Poll Question
• Is your MSP looking to expand into regulated markets (healthcare, financial services)?
• Yes
• Yes, in the next 1-3 years
• Not at this time
10. Intent of SOC 2 for MSPs
• Demonstrating commitment to internal controls
• Trust in the market
• Requirement for certain industries
• Competitive advantage
11. Why SOC 2?
• Recognized framework under the AICPA
• Opinion-based reporting on internal controls, as opposed to self-attestation against other common frameworks
• Primary documentation requested by customers' risk management teams
12. Key Questions to Address
• What types of requests do you get from customers/suppliers on your IT controls and data security?
• How much time do you spend per month/quarter/year marketing your company's data security controls to potential customers?
• What steps does the organization take around IT security risk mitigation?
• How do other companies in your market promote/position themselves with respect to cyber security?
• Do you consider cyber risk mitigation and reporting a competitive advantage?
13. Other Options for MSPs
• Framework-based information security plan, e.g.:
• National Institute of Standards and Technology (NIST)
• ISO 27001
• HITRUST
• Other industry-specific frameworks
14. MSP Market Trends
• Global managed services market: CAGR of ~11.2% over 2020-2026 (source: Mordor Intelligence)
• M&A activity expected to increase
• Migration to cloud platforms
• Customer focus on cyber security initiatives
• "Everything" as a service
• Movement from break/fix arrangements to managed IT and security services