As I understand the SSAE18 guidance, when I came up against this question, I found the answer was yes. When the NPI or otherwise protected data is stored at a third party for the vendor [i.e. a fourth party], then requesting the SOC reviews for those was reasonable and merited.
Of course, whether I actually got them or not was often up for grabs. Not all vendors felt that they could share the SOC for one of their vendors, since there was an NDA in place. The logic gets very twisted up - we need to ask, but they get to refuse.
Fortunately, a company like AWS is used by several vendors, so I would do a single SOC review for AWS, and put it into a saved space and use the same assessment for other vendors [so long as it was still timely, of course].
The newest wrinkle I've found is that many recent SOC reports are including a slightly deeper commentary about their own vendor review programs, which could, I suppose, mean that requesting that extra layer is not required, if the trusted vendor is saying that they are doing a review of their own backyard, so to speak.
Short answer: I would and have reviewed the data center SOCs for critical, and even High Risk, vendors.
Original Message:
Sent: 11-25-2020 09:05 AM
From: Tim Cobor
Subject: SOC Risk Assessment
Hello all.
If the vendor has a SaaS solution in AWS, Azure, GCP, etc. and the vendor has a SOC 2 Type 2 for their solution should you also ask for the AWS, Azure, GCP SOC 2 Type 2 for the infrastructure?
Thank you,
Tim
Original Message:
Sent: 11/24/2020 5:23:00 PM
From: Michael Coffelt
Subject: SOC Risk Assessment
Hello, would anyone be willing to share a checklist or document for Risk Assessments of Critical Vendors' SOC Reports?