Even when contracting with a third-party service provider or other vendor, protecting your data is always your responsibility. Establishing a vendor management program allows you to have proper oversight of these vendors, and is an essential element of your organization’s cyber resilience strategy. You need to understand how your critical and high-risk vendors manage their own internal control environment and/or their connection to yours, so you can ensure they will meet or exceed your internal policy and standards requirements.
One component of assessing your vendors’ cyber readiness is confirming that they have the necessary security controls in place and that those controls are operating effectively. A common piece of evidence a vendor will provide as part of your due diligence review is a Service Organization Controls (SOC) report (the AICPA now expands the acronym as System and Organization Controls), which is the de facto standard for independent audit reporting on service providers.
Two common types of SOC reports are:
- SOC 1 Report: This report covers the controls at the service organization that are relevant to your internal control over financial reporting. The control objectives are specified by the service organization, not by you. It is most applicable when the vendor performs financial transaction processing or supports transaction-processing systems. SOC 1 engagements were originally performed under the Statement on Standards for Attestation Engagements (SSAE) 16 guidance for service organizations; SSAE 16 has since been superseded by SSAE 18 (AT-C section 320), so a current report should cite that standard.
- SOC 2 Report: This report focuses on one or more of the Trust Services Criteria: Security (the common criteria, which every SOC 2 report must include), Availability, Confidentiality, Processing Integrity, and Privacy. It is applicable to a broad variety of systems under the vendor’s control and is normally the report you want for a technology or cloud service provider.
Both SOC 1 and SOC 2 reports come in two flavors. A Type I report covers only the design of controls at a single point in time. A Type II report covers both design and operating effectiveness over a review period, typically six to twelve months. For a critical vendor, ask for the Type II report and check that its review period is recent and that there is no unexplained gap between the end of that period and today.
When you receive a SOC report from a vendor, here’s what to look for:
- The Scope of the System. Read this section first. It defines which services, locations, systems, and personnel the report covers, and it is the only way to confirm that the service you actually buy falls inside the audited boundary; a report on a different system or region tells you nothing about yours. Note also whether any subservice organizations (the vendor’s own vendors, such as a hosting provider) are “carved out,” because their controls are then not covered by this report and you may need their SOC report as well.
- Complementary User Entity Controls (CUECs). This section lists the controls you must have in place for the vendor’s controls to be effective; the vendor is telling you that their controls only work if you do your part as well (for example, managing your own user accounts in their system). Map each CUEC to an existing control on your side. Your own auditors will sometimes ask for this mapping, and it is easy to get caught unaware.
- List of Controls Tested. This section shows the SOC auditor’s test procedures and results for each control tested. Look for exceptions: an exception means the auditor tested a control and found it was not operating as intended, or found deviations in its performance. For each exception, check whether it touches a control you rely on, whether management provided a response or remediation plan, and whether the exceptions were significant enough to qualify the auditor’s overall opinion (the opinion letter at the front of the report will say so).
- Other Information. Sometimes vendors provide additional information in this section. It is not tested by the SOC auditor, but it can give you useful detail on the vendor’s Business Continuity Program, Incident Response Program, or other practices they want you to know about, such as how quickly they expect to recover following a disaster. Treat it as a management claim, not audited evidence.
When reading a SOC report, keep in mind that the SOC auditor does not set the scope of the testing. The vendor’s management writes the system description and defines the control objectives and controls that are tested; the auditor only opines on whether those controls are fairly described and operating as stated. Therefore you should decide what you need to know about the vendor and compare it to what the SOC report actually contains. If you identify gaps, you need to obtain that information on your own. This could be in the form of contract language granting you the right to audit, so you can bring in someone to collect the information you need, or a supplemental questionnaire covering the controls the report left out.
You may not be required to have a vendor management program, but if you are outsourcing critical services you should at least conduct a Business Impact Analysis (BIA). This will help you understand the implications of losing that critical service in the event systems become unavailable because of a disaster or security incident. Use it to answer questions such as:
- How much would it cost us to be down?
- How long would we be down?
- What does our vendor’s service level agreement say their Recovery Time Objective (RTO) is?
- How much is guaranteed by a contract?
If this information has not been tested as part of the SOC, or included in the “other information” section, you need to be proactive in seeking this information on your own.
For a more in-depth discussion on the different types of SOC reports check out www.ssae-16.com/soc-1/.
Need assistance with assessing the cybersecurity of your service providers?
Tyler can help! As external dependencies continue to grow, setting up and maintaining an effective cybersecurity review program can be a daunting task. We can assist with the implementation of a program that makes sense for your organization’s business needs and is tailored to the unique conditions that are the byproduct of every third-party business relationship.