Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

Hello!

We have a few third-party vendors who don't have their own SOC2 reports and urge us to use the SOC2 reports from their sub-service organizations instead. Do you review the SOC2 reports generated by their sub-service organizations instead of their own internal documents? Is it necessary to include on the vendor's contract to state that they must provide internal documentation to my organization when requested? 

I appreciate any feedback on this.

Original Message:
Sent: 11/15/2021 9:52:00 AM
From: Anonymous Member
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

This message was posted by a user wishing to remain anonymous

Hello!

We have a few third-party vendors who don't have their own SOC2 reports and urge us to use the SOC2 reports from their sub-service organizations instead. Do you review the SOC2 reports generated by their sub-service organizations instead of their own internal documents? Is it necessary to include on the vendor's contract to state that they must provide internal documentation to my organization when requested? 

I appreciate any feedback on this.

We are running into this issue with one of our Critical Vendors.  Since the due diligence items aren't listed in our contract, they feel they're not contractually obligated to release the requested items.  

I personally wish we included ALL due diligence requirements in all of our contracts.  Especially since every audit and/or exam seems to be touching Vendor Management in some capacity.
Original Message:
Sent: 11-15-2021 09:52 AM
From: Anonymous Member
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

This message was posted by a user wishing to remain anonymous

Hello!

We have a few third-party vendors who don't have their own SOC2 reports and urge us to use the SOC2 reports from their sub-service organizations instead. Do you review the SOC2 reports generated by their sub-service organizations instead of their own internal documents? Is it necessary to include on the vendor's contract to state that they must provide internal documentation to my organization when requested? 

I appreciate any feedback on this.

It is an interesting struggle with the potential for larger ramifications around creating a precedent mandating fourth party reviews. If a vendor is leveraging AWS, Azure, GCP for their platform then they are effectively a third-party/sub-contractor for the vendor with whom you are doing business. If you can even acquire a fourth-party's SOC2 (and we've struggled to get those when we have tried), are you now obliged to evaluate every sub-contractor/sub-vendor that your prospective vendor is using in the event that any of those vendors is a weak link or potentially can access your NPI? With enough time, money and personnel the answer would be an easy yes but at what point does due diligence become a logistical nightmare? I received info from one company which detailed a dozen subsidiary vendors that they leveraged. One security review becomes thirteen...

Your post brings up another thought - whether or not a SOC 2 report from AWS, Azure or GCP is enough to satisfy due diligence. Those platforms in and of themselves have certain parameters but those are only a piece of the entire puzzle. Each of those vendors has and expects their clients to maintain a long list of critical CUEC's (complementary user entity controls) without which the system is only partially secure. And not every SOC2 does a great job of assessing mixed SaaS environments - the physical/virtual office AND the physical/virtual application space to include the proper configuration of cloud-provider CUEC components.

If anyone has had success in these areas, I'd love to brainstorm some approaches as our institution has also seen much more attention paid to our vendor risk management program (of which I am only a subset - InfoSec and Business Continuity).

Let's keep this conversation rolling as I'm keen to learn from my peers!  

Original Message:
Sent: 11-15-2021 11:28 AM
From: Ashley Balletto
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

We are running into this issue with one of our Critical Vendors.  Since the due diligence items aren't listed in our contract, they feel they're not contractually obligated to release the requested items.  

I personally wish we included ALL due diligence requirements in all of our contracts.  Especially since every audit and/or exam seems to be touching Vendor Management in some capacity.
Original Message:
Sent: 11-15-2021 09:52 AM
From: Anonymous Member
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

This message was posted by a user wishing to remain anonymous

Hello!

We have a few third-party vendors who don't have their own SOC2 reports and urge us to use the SOC2 reports from their sub-service organizations instead. Do you review the SOC2 reports generated by their sub-service organizations instead of their own internal documents? Is it necessary to include on the vendor's contract to state that they must provide internal documentation to my organization when requested? 

I appreciate any feedback on this.

We have focused on material subcontractors/4th Parties- providers of services to our primary relationship that materially impact our usage of the product or service or that process, transfer or access out customer NPPI.

We started by just tracking material subcontractors for critical and material vendors so we could better manage concentration risk and be in a better position to move quickly for the next SolarWinds type incident.  We then added in some basic tracking of some key demographic information on each to build out our risk analysis.  We don't assess these subservice providers in the same way or same detail that we do the primary service provider.  The current caveat is offshored subservice providers (outside US).  We perform a detailed risk analysis on those.

To support the above we do add (or attempt to add) contract language concerning subservice relationships- notification and in some cases approval as well as contract language relating to due diligence.  Re due diligence contract provisions, I try to keep the provision broad and at my discretion.  I don't want to lock myself in to only specific items.  We also have added a TPRM/Vendor Management Policy requirement to our due diligence so that we understand how our vendor is managing their third party relationships (our 4th party/material subcontractor) we also review and report on controls around this as part of our SOC analysis.

If we have a provider without a SOC we will usually require alternative due diligence such as a questionnaire or expanded due diligence requirements.  

I agree this is an a great conversation so far.  To me its a but of a slippery slope, at some point will 4th party providers not be enough and I need to look at 5th party providers?  

Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------

Original Message:
Sent: 11-15-2021 12:18 PM
From: John Martin
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

It is an interesting struggle with the potential for larger ramifications around creating a precedent mandating fourth party reviews. If a vendor is leveraging AWS, Azure, GCP for their platform then they are effectively a third-party/sub-contractor for the vendor with whom you are doing business. If you can even acquire a fourth-party's SOC2 (and we've struggled to get those when we have tried), are you now obliged to evaluate every sub-contractor/sub-vendor that your prospective vendor is using in the event that any of those vendors is a weak link or potentially can access your NPI? With enough time, money and personnel the answer would be an easy yes but at what point does due diligence become a logistical nightmare? I received info from one company which detailed a dozen subsidiary vendors that they leveraged. One security review becomes thirteen...

Your post brings up another thought - whether or not a SOC 2 report from AWS, Azure or GCP is enough to satisfy due diligence. Those platforms in and of themselves have certain parameters but those are only a piece of the entire puzzle. Each of those vendors has and expects their clients to maintain a long list of critical CUEC's (complementary user entity controls) without which the system is only partially secure. And not every SOC2 does a great job of assessing mixed SaaS environments - the physical/virtual office AND the physical/virtual application space to include the proper configuration of cloud-provider CUEC components.

If anyone has had success in these areas, I'd love to brainstorm some approaches as our institution has also seen much more attention paid to our vendor risk management program (of which I am only a subset - InfoSec and Business Continuity).

Let's keep this conversation rolling as I'm keen to learn from my peers!  

Original Message:
Sent: 11-15-2021 11:28 AM
From: Ashley Balletto
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

We are running into this issue with one of our Critical Vendors.  Since the due diligence items aren't listed in our contract, they feel they're not contractually obligated to release the requested items.  

I personally wish we included ALL due diligence requirements in all of our contracts.  Especially since every audit and/or exam seems to be touching Vendor Management in some capacity.
Original Message:
Sent: 11-15-2021 09:52 AM
From: Anonymous Member
Subject: Third-party urges use of their cloud-platform provider's SOC2 Report

This message was posted by a user wishing to remain anonymous

Hello!

We have a few third-party vendors who don't have their own SOC2 reports and urge us to use the SOC2 reports from their sub-service organizations instead. Do you review the SOC2 reports generated by their sub-service organizations instead of their own internal documents? Is it necessary to include on the vendor's contract to state that they must provide internal documentation to my organization when requested? 

I appreciate any feedback on this.