Risk Assessments

  • 1.  SOC Risk Assessment

    Posted 11-24-2020 05:23 PM
    Hello, would anyone be willing to share a checklist or document for Risk Assessments of Critical Vendors' SOC Reports?


  • 2.  RE: SOC Risk Assessment

    Posted 11-25-2020 09:25 AM

    Hello all.

    If the vendor has a SaaS solution in AWS, Azure, GCP, etc., and the vendor has a SOC 2 Type 2 for their solution, should you also ask for the AWS, Azure, GCP SOC 2 Type 2 for the infrastructure?

    Thank you,

    Tim






  • 3.  RE: SOC Risk Assessment

    Posted 11-25-2020 10:05 AM
    As I understand the SSAE18 guidance, when I came up against this question, I found the answer was yes. When the NPI or otherwise protected data is stored at a third party for the vendor [i.e. a fourth party], then requesting the SOC reviews for those was reasonable and merited.

    Of course, whether I actually got them or not was often up for grabs.  Not all vendors felt that they could share the SOC for one of their vendors, since there was an NDA in place.  The logic gets very twisted up - we need to ask, but they get to refuse.

    Fortunately, a company like AWS is used by several vendors, so I would do a single SOC review for AWS, and put it into a saved space and use the same assessment for other vendors [so long as it was still timely, of course].

    The newest wrinkle I've found is that many recent SOC reports are including a slightly deeper commentary about their own vendor review programs, which could, I suppose, mean that requesting that extra layer is not required, if the trusted vendor is saying that they are doing a review of their own backyard, so to speak.

    Short answer: I would and have reviewed the data center SOCs for critical, and even High Risk, vendors.


  • 4.  RE: SOC Risk Assessment

    Posted 11-25-2020 09:26 AM

    Venminder has a nice document at: https://www.venminder.com/library/reviewing-vendor-soc-report

    I'd be very interested to see examples of other checklists, however.

    Joe




  • 5.  RE: SOC Risk Assessment

    Posted 11-25-2020 11:28 AM

    RE: Joe -- Venminder is a very helpful resource. I received 3 follow-up questions to those unanswered during a recent SOC2-related webinar. I appreciated that. The next event is 12/8 2pm ET on Third Party Risk Management if anyone is interested. Visit their website.

    Regarding your recommended guide, it is important to note that having the content broken into separate "Sections" is required by AICPA, but AICPA specifically doesn't have any requirement for the format of the report -- I typically see the Service Provider description as Sections I and II, and the Auditor's formal opinion comments in Section II or III. I see Section IV pretty consistently has all the IT Controls, findings and testing. I only evaluate and give credit when the Service Auditor shows IT Control effectiveness evidence using the AICPA language for "inspected".

    I wish AICPA mandated an organization chart -- however, most times those organization charts fail to identify ANYONE with responsibility for RISK or SECURITY to whom you can direct the post-SOC2TypeII review's cybersecurity questionnaire to get it filled out. It just delays the process before IT can give security clearance.

    RE: Tim -- A typical third-party SOC2 Type II may have a service description by the service provider that has "carve outs", where they and the auditor do not provide details on, or audit, those areas in their respective sections.

    (1) Complementary User Controls that are required in order for the Service Provider's security posture to be effective during operations. Sometimes simple (control your terminations and additions when your SME adds users to access the portal). Sometimes more involved. Be sure your Business Unit is up to handling the required User Controls.

    (2) As you pointed out, getting a SOC2TypeII under non-disclosure from a cloud service provider is possible. However, it is rarely enough. Each cloud provider has a security shared responsibility model that, like Complementary User Controls, the Service Provider must be able to demonstrate compliance with. The challenge for COSO controls and AICPA guidance for SOC2 Type II Reports is to ensure the auditors cover all the Service Provider's "shared" responsibilities for YOUR SERVICE that you are using before you can accept what the SOC2 Type II report covers.

    RE: Dave (to be continued)...   Larry




  • 6.  RE: SOC Risk Assessment

    Posted 11-25-2020 11:45 AM

    RE: Dave -- I definitely feel the pain of getting all the SOC2s from all vendors involved to ensure the IT Controls under the Service Provider's responsibilities are fully audited. I have read the Service Auditor's disclaimers on many SOC2 reports, and while I get a feel for the style of reports from each firm and what they will or will not "inspect" during their Section IV findings, I have never seen that their non-disclosure requirements prohibit sharing of the SOC2 with a potential customer PROVIDED THE CUSTOMER SIGNS AN NDA (and restricts use of the report to those that need to know, etc.). In our case, we'll sign an NDA before we select vendors so that we can receive the SOC2 Type II for the required service and review it for IT Control coverage and identify gaps in the Service Provider's security posture. So think of it as: your SOC2 reviews of fourth parties still need to be matched by an 'umbrella' SOC 2 Type II report, or the equivalent, managed and actively operating within the Service Provider's organization.

    Using our SOC2 Review process, giving credit to some of the areas covered by our cybersecurity questionnaire (CSQ), and then having the vendor's direct Security SME complete and sign the cybersecurity questions is just the foundation. Once that is done, we have to review the CSQ and then identify where our IT Controls must be enforced directly on the vendor or, if addressed by the vendor, where our continuous monitoring and processes need to evolve to ensure coverage, detection and response capabilities on this vendor's operations, and ultimately the security of the NPI involved and the integrity of the business transactions that drive us in the first place.

    I agree 100% with "follow the data center" -- I really appreciate when a Service Provider has "Carve Outs" in the SOC 2 Report, where their auditor doesn't review the subservice providers that host their primary or DR data centers, only to have the Service Provider more than make up for that slight by giving detailed responses in the cybersecurity questions (CSQ) that outline many of the IT Controls we would like to have covered: their employees' cybersecurity awareness, account and privileged access controls, data governance, isolation and encryption in multi-tenant resources, and monitoring of operating infrastructure and physical access to/from their subservice provider data centers.