Due Diligence and Ongoing Monitoring

  • 1.  SOC Requirements

    Posted 07-01-2024 10:03 AM

    Recently, we had a third party/technology vendor that we wanted to onboard. This organization could not supply a SOC Report, due to not having one. Their reasoning was that they do not have one due to the size of their organization. What are your organization's requirements on needing/not needing a SOC report? If they do not have one, do you require any other type of documentation? 



  • 2.  RE: SOC Requirements

    Posted 07-01-2024 12:48 PM

    One point I take away from every Venminder TPRM Boot Camp is that you must address the inherent risk internally first, and then, based on the controls you have internally to deal with a third party (i.e., what are the CUECs if you don't have a SOC2? How do you gather those ahead of a contract?), discover gaps and what mitigations you have. 

    So after I have a Criticality and a Risk Rating (and an NPI Data Tier/HIPAA Data Tier Rating in my case), we flag the vendor and require a SOC2 or equivalent as part of the High/Moderate Data Tier rated vendors, Critical vendors, and additional considerations depending on the vendor's business disruption planning (if cloud based, are both the primary solution and backup locations onshore only and adequate? Are codependencies thought out and covered?).  

    So whether I get a SOC2, ISO 27001, CyberGRX, HITRUST II, etc. -- I still have to merge those tested controls against our cybersecurity and HIPAA related desired controls and practices that we mark up into a questionnaire and get signed by the vendor. 

    As far as size, I have had a firm onboarded with about 6 full timers, and 4 to 6 part timers depending on their development plans. They started with no written policies, etc. In the end we made a case in the insurance space on why using the cybersecurity program model from the NY Department of Financial Services would help them help us (reinforced in contract) and open up the insurance market they were focused on, since NAIC grandfathered in all states anyone compliant with NYDFS Part 500 (23 NYCRR 500). Now in the second year, couldn't be happier. 




  • 3.  RE: SOC Requirements

    Posted 07-01-2024 12:49 PM

    We have some tiny vendors that are around 3-40 employees, and we do not require a SOC audit from them as they will not have one. What we DO require depends on risk - for a tiny vendor that we don't give PII or anything, we mainly just make sure we have updated contact info in case of an issue. For a tiny vendor that is more involved or higher risk, we would send a questionnaire about their security, risk, and business continuity practices instead. 

    I still ask for a SOC audit annually, and save their "we don't have one" response for our own audits.



    ------------------------------
    Diego Fable
    Enterprise Data Management Admin
    Midsize Mortgage Nonprofit
    ------------------------------



  • 4.  RE: SOC Requirements

    Posted 07-01-2024 04:33 PM

    Hi Diego, 

    Would you be able to share some of the questions you ask in your questionnaire? We are looking to "beef" up our standards for our program. 




  • 5.  RE: SOC Requirements

    Posted 07-03-2024 11:24 AM

    Hi Kelsey!

    We use the SIG or SIG Lite questionnaire. For a tiny vendor who is in our "high risk" category, I'd either a) send them the SIG Lite questionnaire and ask them to skip any non-relevant questions, or b) excise any non-relevant questions myself before sending. Then, in subsequent years, I get a pretty good response if I send them the previous year's questionnaire and ask if there have been any changes or updates.

    We get our SIG Lite from Venminder, but it can be found elsewhere. We like it because it's standardized across all of our vendors.

    https://sharedassessments.org/about-sig/



    ------------------------------
    Diego Fable
    Enterprise Data Management Admin
    Midsize Mortgage Nonprofit
    ------------------------------



  • 6.  RE: SOC Requirements

    Posted 07-05-2024 08:40 AM

    Thank you so much!