Risk Assessments

  • 1.  Information Security for non-SOC Vendors

    Posted 11-03-2020 12:45 PM
    We have several vendors who do not have SOC Audits but do have access to some NPI.  How does everyone handle documenting and assessing identity theft risk for these vendors?  Do you obtain ID Theft Policy/Procedures from them if available?  Do you use a questionnaire?  Does anyone have an example or template they are willing to share?

    Thanks


  • 2.  RE: Information Security for non-SOC Vendors

    Posted 11-03-2020 01:19 PM
    Hi, John:
    There are several options to consider.  SOC audits are typically undertaken by service organizations who have reached a certain size or maturity stage. Other organizations (think law firms as an example) who hold NPI may not typically embrace a formal SOC engagement.  In that case, there are some compensating options to pursue with the third party.
    1. Do they have any other audit review (preferably independent) of their security control environment? (IT Controls? Pen-testing? Vulnerability management?)
    2. Are they contractually required to provide evidence or affirmation of the most essential controls annually? (Policy overview, risk assessment summary, pen-testing, entitlement reviews, data encryption, security awareness program, etc.)
    3. Your contractual language should also land pretty heavily on liability and indemnification provisions for vendors without SOC-type reports.
    4. Including audit rights in your contract may also be an option (whether you exercise the right or not).
    5. And, of course, increased due diligence and monitoring is warranted in such situations too!
    Hope all is well with you...  Lee

    ------------------------------
    L. Beachy
    ------------------------------



  • 3.  RE: Information Security for non-SOC Vendors

    Posted 11-03-2020 02:05 PM

    Thanks Lee & John! This was a question that I had as well. Your answers will help me further build out my questionnaire.