If your vendor (i.e. ABC Company) sends a SOC 2 report for who they use (i.e. Amazon Web Services), and ABC Company does not complete a SOC 2 report themselves, what steps do you take to ensure they have adequate controls in place?
Happy to share my thoughts and experience on the topic as a former TPRM manager, but I would love to hear from others in the community about what they do.
When a vendor (e.g., ABC Company) relies on a third party (e.g., AWS) for critical services but does not produce their own SOC 2 report, organizations must take additional steps to ensure adequate controls are in place. Here's an approach aligned with interagency guidance and security frameworks like NIST (e.g., NIST SP 800-53):
1. Conduct Enhanced Due Diligence
If ABC Company does not provide a SOC 2 report, enhanced due diligence is critical. This includes:
Requesting Security Policies and Procedures: Obtain documentation detailing their internal controls (e.g., information security, data handling, incident response).
Reviewing Vendor Questionnaires: Use a detailed questionnaire based on standards like FFIEC or NIST to assess their compliance with industry best practices.
2. Evaluate the Dependency on the Subservice Provider (AWS)
Determine the scope of the reliance on AWS and ensure ABC Company has addressed:
Shared Responsibility Model: Verify ABC Company understands and manages their responsibilities in the AWS shared responsibility framework.
Flow-Down Requirements: Confirm ABC Company enforces appropriate security controls through contracts with AWS (e.g., encryption, data segregation).
3. Assess Risk and Impact
Perform a Risk Assessment: Evaluate how the lack of a SOC 2 report impacts the overall risk profile of the vendor relationship.
Map to NIST Controls: Ensure their security practices align with relevant NIST controls, such as access control (AC), incident response (IR), and system and communications protection (SC).
4. Request Alternative Assurance Mechanisms
In the absence of a SOC 2 report, request alternative evidence of compliance, such as:
ISO 27001 Certification: If available, this can demonstrate adherence to a globally recognized security standard.
Internal Audits or Penetration Testing Results: Request recent audit findings or third-party penetration testing reports to verify control effectiveness.
Control Mapping: Request documentation that maps their internal controls to SOC 2 criteria or NIST standards.
5. Onsite or Virtual Assessment
For critical vendors, consider conducting an onsite or virtual assessment to validate their control environment. Focus on areas such as:
Physical and logical access controls.
Data encryption (in transit and at rest).
Backup and disaster recovery capabilities.
6. Obtain Written Attestations
Require ABC Company to provide a formal attestation confirming:
Implementation of robust internal controls.
Compliance with applicable regulatory and industry standards.
Accountability for safeguarding sensitive data.
7. Monitor Continuously
Ongoing Reviews: Reevaluate ABC Company periodically, especially if their reliance on AWS or other subservice providers increases.
Incident Reporting: Ensure they have mechanisms to promptly notify you of security incidents affecting their services or their subservice providers.
Contractual Obligations: Update contracts to require SOC 2 reports or equivalent assurances in the future.
Key Consideration: Transparency and Accountability
Ultimately, while AWS may have a SOC 2 report, ABC Company remains responsible for its services and the security of your data. This is reinforced by interagency guidance emphasizing the need for organizations to assess the entire vendor ecosystem, including subcontractors.
If ABC Company cannot provide sufficient evidence of adequate controls, it may be necessary to reassess the vendor relationship or implement compensating controls to mitigate associated risks.