Best Practices for Reducing Third-Party Risk Through Vendor SOC Reports
Does this sound familiar? You are searching for a new vendor. Armed with a vendor due diligence checklist, you come across a promising candidate. The vendor tells you that they have a SOC1 report, so you put the check mark next to “regular security assessment performed” and move on to the next item in the checklist. You are done, right? Well, not exactly.
According to Symantec’s 2015 Internet Security Threat Report, 60% of all targeted attacks struck small and medium sized businesses, which puts those businesses, and the larger business partners with robust security infrastructures that they connect to, at risk.
It’s much easier for hackers to penetrate smaller third-party vendors to get to their larger business partners with strong security controls. Vendor risk is real. And the value that third parties bring can quickly be eroded by the associated risks.
How to Reduce Third-Party Risk
Reducing third-party risk starts with selecting vendors with a robust approach to risk management. In our work with clients going through internal audits and security assessments, we’ve advised them to seek out vendors that go through regular attestation audits for reports such as SOC1 and SOC2. However, your job doesn’t stop at a checkbox. Look further into the reports and ask yourself two key questions:
Is it a SOC1 or SOC2 Report?
- A SOC1 report evaluates internal controls over financial reporting, while a SOC2 report evaluates an organization’s information system relevant to security, availability, processing integrity, confidentiality and/or privacy.
- A SOC1 report is adequate if you are only interested in assessing the vendor’s internal controls impacting your financial reporting.
- If you are considering a vendor to hold, store or even process your information, such as a data center, an IT managed service, a SaaS vendor or any of the many other technology and cloud-computing based businesses, you should look for a vendor with a SOC2 report.
Is it a Type I or Type II Report?
- Type I reports simply describe the controls an organization has put in place as of a point in time. In contrast, Type II reports cover an audit period (typically six months to a year) and provide evidence of how well an organization operated its controls over that period.
- Type I assessments are a good starting point for vendors on the way to the ultimate goal of a successful Type II assessment. Ultimately, a Type II report will show how those internal controls are actually operating in an organization. Remember, vendors with a Type II report are a definite plus.
How to Address Controls
Now that you have determined which report best fits your needs, it’s time to think about controls. Ask yourself these two questions as part of your third-party due diligence.
Does the report cover controls in place at the software vendor or just at a hosting data center?
- Infrastructure for software applications is often hosted at a third-party data center. Therefore, it’s important to make sure that you obtain a SOC report covering both the software vendor and the data center. The report for the software vendor covers controls regarding their people, policies and procedures, and data management in place at the vendor (e.g. user access, change management, operations, etc.).
- The report from the data center will cover the physical and environmental (and, if applicable, technical) controls in place. If a vendor provides you with a report for the data center only, ask for a report for the vendor. If they don’t have it, be prepared to perform due diligence on the vendor yourself, which will require extra effort, cost and time.
Are all the internal controls that your company requires in place at the vendor?
- Be sure to confirm that the internal controls in place at your organization are also in place at the vendor. The best way to verify this is to map your company’s internal controls to the vendor’s controls included in the report. If there is a gap, look for other controls in the report that may reduce the risk, and make sure you identify and address any remaining gaps. In addition, review the exceptions listed in the report, if any, and make sure the report shows that the exceptions were addressed by the vendor.
- An often overlooked section of the report is the Complementary User Entity Controls section. This is the list of controls that the vendor has identified as being essential to achieving some of its own control objectives. If these controls are not properly implemented and operating at your organization, the vendor’s corresponding control objective will fail. For this reason, make sure you map these controls to your internal controls to identify and address any gaps in your control environment.
Bringing It All Together
Your security is as strong as your weakest link. Monitoring third-party data security and privacy risk requires a strong and effective process for ongoing vendor management that starts long before the contract is signed. By performing due diligence upfront, you will have a better understanding of your vendor’s security posture and be able to ensure that their controls are at least as strong as yours and meet your security requirements.
Contact Bridgepoint Consulting to talk about how our experts can help you navigate the complexities of third-party risk. We provide advisory services to help companies of all sizes solve complex challenges and support a broad range of organizational transformation services. Our IT services include Cloud Migration, Cybersecurity/IT Risk & Compliance, Enterprise Solutions and Systems Integration. Additionally, Bridgepoint offers services and support to help companies optimize NetSuite and Salesforce. Learn more about Bridgepoint’s IT services and clients.