Category: Assurance

What is a Data Breach and What Can My Organisation Do About It?

Nowadays, there is increasing news about data breaches. Entire documents and data from companies, as well as their stakeholders, are easily accessible. This can have many consequences for the stakeholders, but perhaps even more for the company.

The Dutch Data Protection Authority defines a data breach as an incident in which personal data held by an organisation is accessed, destroyed, altered or disclosed without authorisation, and without the organisation intending this.

A data breach is an incident where information is stolen or extracted from a system without the knowledge or consent of the system’s owner. Both small businesses and large organisations can experience a data breach. Stolen data can include sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.

The consequences of a data breach can manifest as damage to the target company’s reputation due to a perceived ‘betrayal of trust’. Victims and their customers may also suffer financial losses if related data is part of the stolen information.

Here, prevention is better than cure. Once data has been exposed, it is difficult to retract. Moreover, removing the software involved afterwards is often ineffective and rarely complete. Prevention is therefore the best solution.

Every Company Can Address the Following Vulnerabilities:

  1. It is crucial to run the most recent operating systems and security software.
  2. All other programs should be kept up to date as well; there is no room for lapses here.
  3. Never click on suspicious links in emails. Much spam arrives through your website. Always check whether a message is a templated email carrying a link or a genuine enquiry from a potential customer.
  4. Get ISO 27001 certified. Information security is essential for every company, and the ISO 27001 standard is an international framework that can be used to organise it.

Enterprise Risk Management

If an organisation wants to achieve its objectives, it must manage and control the risks that threaten those objectives. COSO has defined the various elements of an internal control system for this purpose.

The COSO model illustrates the direct relationship between:

  1. The organisation’s objectives;
  2. The control components;
  3. The activities/units requiring internal control.

COSO identifies the relationships between enterprise risks and the internal control system. COSO views internal control as a process aimed at providing assurance regarding the achievement of objectives in the following categories:

  1. Achieving strategic objectives (Strategic);
  2. Effectiveness and efficiency of business processes (Operations);
  3. Reliability of financial reporting (Reporting);
  4. Compliance with relevant laws and regulations (Compliance).

Organisations must also demonstrate to investors and other stakeholders that they properly manage uncertainties (Code Tabaksblat and the Sarbanes-Oxley Act). In Securance’s approach to Enterprise Risk Management (ERM), risks are identified and their consequences are detailed. Securance uses the latest standards, methods, and techniques in risk management.

What does Enterprise Risk Management offer?

  • Insight into the significant risks of your organisation;
  • Qualitative and quantitative assessment of identified risks;
  • Insight and advice on the current control of risks;
  • Insight into your organisation’s risk costs;
  • A basis for designing and implementing risk management within your organisation;
  • Assistance in accountability for risk management.

An ISAE 3402 | SOC 1 Audit Checklist

ISAE 3402 | SOC 1 is the standard for outsourcing. Most organisations outsource IT or other activities to service organisations. In this outsourcing, it is crucial that the service organisation providing ICT services is reliable.

Reliability can be divided into several aspects: risk management, information security, privacy, anti-fraud measures, and continuity. The ISAE 3402 | SOC 1 standard offers extensive opportunities to report on these aspects and have this report audited (certified) by an external accountant.

Since compiling SOC reports can be a complex process where you need to juggle multiple tasks, many companies find it handy to use an ISAE 3402 | SOC 1 compliance checklist to ensure all SOC requirements and ISAE 3402 | SOC 1 controls are covered:

  1. Is your company’s organisational structure defined?
  2. Have you delegated the task of developing policies and procedures to specific employees?
  3. What are your background screening procedures and employee conduct standards?
  4. Do employees and other stakeholders learn and understand how to use your systems?
  5. Are there procedures to address changes in a timely and effective manner?
  6. Have you conducted a formal risk assessment to identify, analyse, and mitigate potential threats to your system?
  7. Does your organisation regularly evaluate vendor managers?
  8. Do you annually evaluate all policies and procedures and update them as needed?
  9. Have you implemented physical and logical access controls?

Taking the time to complete an ISAE 3402 | SOC 1 audit checklist can be very useful as you organise your evidence in preparation for working with a CPA on your audit.

Checklist SOC 2

If you are a service organization and your customers entrust you with their data, you may need to pass a SOC 2 audit to sell your products. Your customers might now demand an audit report from you, or industry regulations might require it. You may need to provide proof of SOC 2 compliance to demonstrate that the data entrusted to you is well secured.

Here is a SOC 2 compliance checklist before your next audit to protect your customers’ data and your company’s interests.

1. Define Your Objectives.

SOC 2 compliance can help organizations that process customer data for other companies strengthen their reputation, financial statements, and stability by documenting, evaluating, and improving their internal controls. SOC 2 reports can offer a competitive advantage by revealing ways to operate more efficiently and securely, and you can highlight those strengths when marketing and selling your services:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Determine what you will test and why.

2. Choose the Right Trust Services Principles to Test.

SOC 2 audits assess the internal controls at a service organization relevant to the following five trust service principles or criteria, as set out by the AICPA:

  1. Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage that could compromise the availability, integrity, confidentiality, and privacy of that information or those systems.
  2. Availability: Information and systems are available for operation and use.
  3. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  4. Confidentiality: Information designated as confidential is protected.
  5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of appropriately.

3. Choose the Right Report.

There are two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2. The type of report you need depends on your specific requirements and objectives.

A SOC 2 Type 1 report is a quick, efficient way to ensure your data is secure and communicate that to your customers. A SOC 2 Type 2 report can provide more assurance by examining your controls more thoroughly and over a longer period.

4. Assess Your Readiness.

Preparing for a SOC 2 audit can be overwhelming, especially if you are doing it for the first time. You have many controls to choose from, and you need to meet numerous documentation requirements.

Starting with a readiness assessment can enhance the effectiveness of your SOC 2 report by helping you identify gaps in the control framework. By establishing the policies and procedures you have in place before the audit begins, you can review all controls in advance. Then you can see what needs to be done to pass each test associated with the audit.

Passing a SOC 2 audit should be challenging, but it doesn’t have to be stressful. Reviewing this SOC 2 compliance checklist before you start can help you prove that your customers’ data is safe, allowing your business to continue doing what it does best.