A vendor is more than its data center
You know SOC 2 reports are a great vendor management tool, but are your critical vendors’ SOC 2 reports telling you everything you need to know about how well they protect your data?
Not necessarily. It depends on which report you are getting.
SOC 2 reports (SOC stands for System and Organization Controls; the AICPA renamed the series from Service Organization Control in 2017) summarize the results of an independent examination performed under SSAE 18, the AICPA attestation standard that governs how a CPA firm reports on a service organization's controls, including controls over customer data stored in the cloud. The examination tests the vendor's written description of its system and the controls that description claims. For a Type 2 report the auditor tests whether those controls operated over a review period, commonly six to twelve months, rather than on a single day.
Unlike a SOC 1, which covers controls relevant to a customer's financial reporting, a SOC 2 covers controls relevant to protecting the data the vendor handles. It is organized around the AICPA Trust Services Criteria, which define five categories: security, availability, processing integrity, confidentiality, and privacy. Only security is mandatory; the vendor chooses which of the other four to put in scope, so the first thing to check in any report is which categories it actually covers.
SOC 2 reports come in two types. A Type 1 report gives the auditor's opinion on whether the controls are suitably designed as of a single date. A Type 2 report adds the auditor's tests of whether those controls actually operated effectively throughout the review period, along with any exceptions found.
Because a Type 2 report tests operation over time rather than design on one day, it is the more useful of the two for vendor management.
A SOC 2 examination covers much of what you need to know about how an outside company protects your data, within the scope of the system the report describes: data security and privacy, business continuity, and the internal policies and procedures that govern personnel. A Type 2 report also lists the exceptions the auditor found and management's response to each one, which tells you whether problems are corrected or left standing.
It’s all about risk management. A SOC 2 evaluates internal controls to see how well a company identifies, assesses, mitigates, and monitors risks. From the board to everyday operations, a SOC 2 can give you confidence that your critical vendor is following best practices to protect your data.
This includes:
Risk assessment. A SOC 2 will let you know how effectively a critical third-party vendor is assessing potential threats to your data. From hardware and software to the potential of staff falling for phishing attacks, the SSAE 18 audit can give you confidence that your vendor is actively uncovering potential risks.
Cybersecurity controls. Once risks are identified, controls need to be put in place to mitigate those risks. A SOC 2 will verify the effectiveness of controls.
Internal & external communication. Data security is about more than firewalls and intrusion detection. It also requires strong communication to ensure that software is proactively patched and updated, new threats are identified, and that staff is regularly trained and reminded of security protocols. A SOC 2 lets you know how well your vendor communicates when it comes to these and other critical areas.
Monitoring, prevention & maintenance. Cyber controls are not a “set it and forget it” type of project. They require ongoing cyber monitoring to ensure they continue to perform as designed. A SOC 2 shows you how effectively your vendor monitors its controls. It gives you confidence that controls are more than just empty promises—that they are fully fleshed out and active.
SSAE 18 also requires a written assertion from management that the system description is fairly presented and that the controls are suitably designed (and, for a Type 2, operating effectively). That assertion provides additional assurance by putting management on record and creating liability if it is false.
All of this makes SOC 2 reports an extremely valuable vendor management tool—but only if the SOC 2 reports on your third-party vendor’s entire operation.
Vendors are happy to give you a SOC 2 report when they have one. An SSAE 18 audit is a major undertaking and companies that choose to go through the audit must be confident in their risk management to make the process worthwhile.
The problem is when a vendor gives you a SOC 2 report for its hosting provider or cloud data center instead of one for its own company.
Yes, you want to be confident that the data center your critical vendor uses to store your data is safe and secure. That is critical information. But it’s not everything.
A critical vendor is more than just a data center. It’s employees who have access to your sensitive data. It’s a vendor that uses your data to conduct activities on your behalf.
A data center SOC 2 cannot tell you about the vendor you actually contracted with. It covers only the data center's own system. Check the cover page and the system description: the service organization named there should be your vendor, not its hosting provider. In the vendor's own report, the data center should appear as a subservice organization, with the controls the vendor relies on from that provider called out. You still need to engage in due diligence with your third-party vendor to understand which employees can reach your data and how that access is controlled, what the vendor does with your data on your behalf, and how its own policies, personnel controls, and incident response work outside the data center.
Not every vendor is willing to go through the effort of an SSAE 18 examination, but that does not mean a vendor can hand you a copy of its hosting provider's data center SOC 2 and call it a day.
If a critical or high-risk vendor does not have a SOC report, it’s still necessary to engage in due diligence to address operational risk and ensure data is protected. It requires collecting documentation to review policies related to organizational governance, risk oversight, personnel, information security, vendor management, data and physical security, cyber controls, data privacy standards, and incident response and notification, among other areas.
As a leader in risk and vendor management, Ncontracts recognizes the burden this due diligence work puts on financial institutions. That’s why our company has elected to undergo regular SSAE 18 audits. We want our clients to be confident in our internal operations and demonstrate our commitment to being a partner that is dedicated to rigorous security, compliance, and operational controls.
Ncontracts encourages its financial institution clients to seek out third-party vendors that have their own SOC 2 reports under SSAE 18 for a more transparent and objective view of their controls. We believe in practicing what we preach to give you peace of mind.