We are an MA-based bank, so our questionnaire is based on MA privacy requirements. We essentially took each of the MA data privacy requirements and turned it into a question (17.03 section 2 a through j and section 17.04 sections 1 thru 8).
201 CMR 17.00: Standards for the protection of personal information of residents of the Commonwealth
We have added to it recently to try to get a better handle on where our data is located as well; specifically, we have added the following:
1) Do you have internationally located data centers (outside the US)?
2) Please list the locations of all data centers, international and US located.
Also looking to add some questions specific to IoT (Internet of Things), as this is our next area of focus from a data security/privacy standpoint. For IoT the initial plan is to start small and then tailor based on risk, so something like:
1) Do you have an IoT Policy?
3) If "no", do you maintain a complete, up-to-date inventory of IoT devices and applications?
4) Are IoT devices and networks secured with proper controls and are those controls monitored?
Hope this is helpful,
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------
Original Message:
Sent: 01-06-2022 09:15 AM
From: Kelly Pickle
Subject: SOC 2 vs ISO 27001 & ISO 27701
Michelle, would you be willing to share your InfoSec/Data Privacy Questionnaire?
Thank you,
Kelly
Original Message:
Sent: 01-06-2022 09:05 AM
From: Michelle Chase
Subject: SOC 2 vs ISO 27001 & ISO 27701
There may be some adjunct policies that could be provided that would document that test plans exist and have a required schedule: DR/BCP Policy, Audit Policy, TPRM Policy, InfoSec Policy. That might add the connection you are looking for between having controls in place and actively testing those controls, although the results of those tests would still be absent.
Honestly, in a situation like this I would look to see what they can provide versus requiring something that they don't have. We run into similar situations with financials a lot. For legal resources, we do modify the due diligence requirements based on the nature of the services provided and would not require a SOC. We do have an InfoSec/Data Privacy Questionnaire that we require depending on the volume of NPPI involved.
As an earlier poster noted, this is not unusual for this kind of third-party relationship (legal), so forgoing this relationship may not be a viable option.
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
Original Message:
Sent: 01-05-2022 05:41 PM
From: Mark Ewert
Subject: SOC 2 vs ISO 27001 & ISO 27701
Because we share confidential corporate and PHI information with a law firm, we asked them to provide a SOC 2. The firm responded to our request by providing ISO 27001 & ISO 27701 certificates. They further commented: "We do not undergo SOC audits, as we provide legal services, so we have provided an ISO27001 certificate (valid through 07/15/2024) as well as a certificate for the ISO27701 Privacy extension (we were the third firm to be granted that certification)."
As the certificates provide no detailed information like a SOC, do you accept the documents at face value and move on? Do you do something else? Our CISO indicated the provided ISO27701 indicates they have established processes, but the process doesn't actually test them the way a SOC review would.
Advice?
------------------------------
Mark Ewert, CPCU, CIC
Director Vendor Management
Penn National Insurance
------------------------------