Policy, Program and Procedures


Complementary User Entity Controls for Vendors

  • 1.  Complementary User Entity Controls for Vendors

    Posted 05-05-2020 05:00 PM
    Hi Everyone,

    I was wondering if anyone would be willing to share how their organization deals with their vendors' complementary user entity controls for their third parties (our 4th parties). This is one item I struggle with, as it's an additional duty I'm responsible for and I'm the only person responsible for vendor management within my organization. It's been suggested by management that we should be asking for this, so I thought I'd ask what everyone else does. We currently review and complete any applicable controls that our organization is responsible for, but does anyone ask their vendor to provide the controls for their 3rd party (our fourth party)?

    Is it something that I should be trying to obtain?

    Has anyone ever had an auditor request or suggest they start doing this?

    Thanks!


  • 2.  RE: Complementary User Entity Controls for Vendors

    Posted 05-05-2020 07:47 PM
    Hi,

    I don't deal with vendor management but have a small idea of how controls work. The article in the link below might help to guide you right (if you haven't read it already). Also reach out to the author of the article for some guidance (if okay by you). The author referenced the SOC Report (a report which is issued by an independent 3rd party) on the control environment of a vendor/supplier. There are SOC 1, 2 and 3. SOC 2 is the one you should be focused on. Hope this helps.

    https://www.venminder.com/blog/importance-complementary-user-entity-controls-vendor-relationships


  • 3.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 02:06 PM
    Thank you Afam! I will certainly do that!


  • 4.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 08:15 AM
    I have asked vendors to confirm that they've reviewed and can comply with CUECs in the SOC reports of their critical subcontractors (those subs that are listed in the vendor's SOC reports). But I've never asked to see the CUECs in the fourth parties' SOCs.


  • 5.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 02:08 PM
    Thanks Josh! I like this approach as you still confirm that they have read, understand and comply with the controls. I'll bring this suggestion to management.


  • 6.  RE: Complementary User Entity Controls for Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-06-2020 09:37 AM

    We utilize the Venminder SOC analysis service when needed and always to analyze SOC reports for our critical vendors. Once the Venminder analysis has been completed, our Information Security team reviews the analysis results and related complementary user entity controls. Information Security works with the business owner to ensure we have the required controls in place on our end. If the SOC report/analysis/complementary user entity controls are for the vendor's third party (our fourth party), such as a data center, Information Security asks the business owner to work with our vendor to complete the document outlining the controls to ensure our vendor has the required controls in place.


  • 7.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 02:11 PM
    Ok, so that's good to know that there are other organizations that do this. Thank you for sharing!


  • 8.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 12:51 PM
    Hi Danielle,
    In my experience that can be tricky information to get. Usually what I see is a mention of the subservice provider's CUECs in my vendor's SSAE 18 SOC Report in the Provider's Assertion section. Normally it states something like... 'the description (description of my vendor's system) presents xxxxxx's (my 3rd party vendor's) controls, the applicable trust services criteria, and the types of complementary subservice organization controls assumed in the design of xxxxxx's controls. The description does not disclose the actual controls at the subservice organization(s)'. Not always exactly that, but something to that effect. If by chance your 3rd party provider gives you SOC reports for their subservice providers, you would be able to see the CUECs and cross-check those against your vendor's controls that are in scope of their SOC report. It seems to be getting more difficult to get subservice providers' SOC reports from our 3rd party vendors due to privacy and confidentiality concerns.
    I have never had an auditor or examiner ask for that level of due diligence for 4th parties (and beyond). They are normally satisfied that the subservice providers are identified and that our 3rd party vendor provides evidence that they have a vendor management program and are doing their due diligence, including compliance with CUECs.


  • 9.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 02:20 PM
    Thank you Mike! I appreciate your feedback and agree that it's becoming harder and harder to obtain subservice SOC reports. I have never had an auditor request it either, and I don't want to start something that would delay our review process if it's not completely necessary at this point. The process is already pretty "involved" as it is. Thanks again!


  • 10.  RE: Complementary User Entity Controls for Vendors

    Posted 05-06-2020 04:25 PM

    You are very welcome Danielle! When I first started working in this space (seems like a looong time ago!) my ISO told me to never volunteer information to auditors or examiners; just give them what they ask for! You are absolutely correct that the process is "involved" enough without making more work for ourselves.

    If you need any input on any other issue or question, or if you want to bounce an idea off someone, feel free to reach out.

    Have a great day!


    Michael Weaver, CRVPM III

    Vendor Management Specialist / Information Security
