An alternative for that vendor is to request their policies - their information security policy, their Incident Response, etc. I realize these are not reviewed and tested by an audit firm, but it at least provides a record of what the vendor claims is going on. Is it best case? No. Is it better than nothing? Yes.
Not all companies are of a size that they can or will commit to paying for a SOC review. It is expensive, as has been noted.
I admit I prefer to see a SOC 2 Type 2, but even that is not always possible.
The third-party SOC is not completely useless, as it helps meet the requirements for looking at the vendor's third-party vendors who have control over the information assets.
At the end of the day, there are actually things that the vendor can refuse - things like financials if they are a private company. If you have doubts about the company already, and this is just adding to them, then looking for a new vendor seems like the best course. If this is the only issue, then perhaps looking at increasing mitigating controls makes sense.
------------------------------
Dave Howe CCUFC
Chief Information Officer
Franklin First Federal Credit Union
------------------------------
Original Message:
Sent: 10-17-2025 09:19 PM
From: Cathy Ryan
Subject: Vendor Provided AWS SOC 2 Report and ISO Certificates
I agree this is frustrating. We often see this from start-ups and smaller (perhaps local) companies. A SOC audit can be fairly expensive and very time-consuming, and a small company may not have those resources. Partnering with a cloud provider like AWS does ensure a certain level of security, but you should also request documentation of completed AWS CUECs from your vendor. An ISO security (27001) certification audit performed by an independent third-party is a comprehensive audit. Request the entire audit - not just the certification. Clearly communicate your expectations to your vendor. Successful completion of a SOC audit can be written into your contract. However, understand that a SOC 2 audit requires a year of detailed record-keeping, BEFORE the audit is performed. Many companies start with a Type 1 audit because of that, and a Type 1 audit is also less expensive.
Original Message:
Sent: 10-17-2025 06:46 AM
From: Anonymous Member
Subject: Vendor Provided AWS SOC 2 Report and ISO Certificates
This message was posted by a user wishing to remain anonymous
I don't know if it is a red flag or not but it is concerning. The purpose of a SOC 2 is for a vendor to show how they manage security and related controls and unless they are Amazon, what they provided has minimal value.
I am going through a similar issue with a vendor that our external auditor flagged for providing a third-party SOC 2 report and a letter saying they have to follow the same controls. The auditor and I are in agreement that we need to have a report for that vendor. If they won't provide one, the auditor and I will recommend that a replacement vendor be found.
If your vendor is providing a service that may impact upon financial reporting, the business function needs to go back to them and tell them they need to do their own SOC report.
There are no real substitutes for a SOC report. However, you can ask if they have had a security assessment based on NIST, ISO or other recognised security standard performed by a third-party. If so, ask for a copy of the report.
Hope this helps.
Original Message:
Sent: 10-15-2025 01:41 PM
From: Anonymous Member
Subject: Vendor Provided AWS SOC 2 Report and ISO Certificates
This message was posted by a user wishing to remain anonymous
Hello,
I have a new vendor that has only provided an AWS SOC 2 report and certifications for security. On their company website, the page for their privacy and security reports links directly to AWS. They have not provided any internal information security procedures, standards or reports. This is a red flag for me for a cloud-based platform usually used by Marketing departments or small businesses. How do other companies handle vendors like this? What questions should I ask? Are there any substitutes for information security reports you have requested? Thanks in advance.
-------------------------------------------