Although very useful for demonstrating the effectiveness of a service provider's third-party risk management program, SOC reports aren't always available. Some service providers either don't have the budget for a SOC report or are unwilling to undergo the laborious process of an SSAE 18 audit.
While the lack of a SOC report should raise alarm bells during the due diligence process, it shouldn't necessarily result in the disqualification of a prospective vendor. Other options for reviewing a service provider's Vendor Risk Management efforts without a SOC report are available. In this post, we outline three different approaches to assessing the effectiveness of third-party security controls when a SOC report isn't available.
3 Alternatives to SOC Reports for Evaluating Third-Party Security Controls in 2023
Any alternative to a SOC report should provide insight into the operating effectiveness of a service provider's internal controls. This requirement disqualifies reports that cover only one slice of a larger cybersecurity program, such as attestations of regulatory compliance, because they show that a requirement was met rather than how the controls behind it operate. Each option on this list offers a different perspective for assessing your vendor's control environment within a Third-Party Risk Management program.
1. Risk Assessments and Questionnaires
Risk assessments and security questionnaires are an effective way to extract meaningful information about an organization's information security program. These assessments can be tailored to vendor management efforts and to the control objectives of a specific service organization.
In Vendor Risk Management, the terms risk assessment and security questionnaire are commonly used interchangeably.
Since a System and Organization Controls 2 (SOC 2) report evaluates a service organization's controls relevant to the security, availability, processing integrity, confidentiality, and privacy of customer data (the AICPA Trust Services Criteria), any alternative risk assessment must map to a security framework with comparable sensitive data protection requirements.
Examples of security questionnaires that evaluate the data security standards of third-party vendors include the following.
ISO 27001: an ISO 27001 assessment is a good alternative to a SOC 2 report.
You can evaluate your vendors' ISO 27001 compliance status with this free ISO 27001 risk assessment template.
In Europe, vendors don't usually provide SOC reports but do provide evidence of ISO 27001 certification. Keep in mind that a certificate confirms that the vendor's information security management system was audited against the standard; it does not disclose which individual controls were tested or how they performed. If ISO 27001 certification is offered instead of a SOC 2 report, request the certificate's scope and Statement of Applicability, and require follow-up security questionnaires to fill any remaining security control knowledge gaps.
See more questionnaire options for evaluating sensitive information controls >
When choosing a risk assessment over a SOC report, make sure your assessment covers the full scope of analysis addressed by each type of SOC report: SOC 1 (controls relevant to user entities' financial reporting), SOC 2 (controls evaluated against the Trust Services Criteria), and SOC 3 (a general-use summary of a SOC 2). In practice, the assessment should address at least the following:
How effectively the vendor identifies and addresses security risks to sensitive data.
The likelihood of staff falling victim to phishing attacks that lead to data breaches.
The security control strategies in place for mitigating data security risks.
The communication and change-management procedures that ensure data security solutions and information systems are regularly patched.
With some creativity, an alternative evaluation covering this breadth of a cybersecurity program can be established. The solution isn't neat, but it should successfully compensate for the lack of a SOC report. It involves two primary components: security ratings and risk assessment amalgamation.
Security Ratings
Cybersecurity's mechanism for calculating security ratings.
Learn how Cybersecurity calculates security ratings >
Risk Assessment Amalgamation
The second component of this SOC report alternative is more complex. It involves mapping components of various risk assessments to each evaluation category of a SOC report to produce a new custom assessment.
Assessments that overlap to some degree with SOC reporting, and can therefore be used for this purpose, include the following:
CIS Critical Security Controls: the CIS Controls for effective cyber defense evaluate resilience against common cyber attacks. This assessment can uncover vulnerabilities that would facilitate data breaches.
This Frankenstein method of producing a new assessment by piecing together the relevant components of others is most efficiently achieved with a customizable security questionnaire solution.
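Stitching questionnaires together only compensates for a missing SOC report if the result actually touches every SOC 2 category, so the first thing to check is where the combined questionnaire leaves gaps. The script below is an added example (not code from the original post or from the Cybersecurity platform) of that check: each questionnaire item is tagged with the framework control it asks about, a crosswalk maps framework controls to the five SOC 2 Trust Services Criteria categories, and the script reports which categories no item evidences and which small subset of questionnaires covers everything the full set covers. The crosswalk and the questionnaires are constructed illustrations, not an official mapping; substitute your own.

```python
"""Coverage-gap check for a custom assessment stitched together from
several questionnaires.

Each questionnaire item is tagged with the framework control it asks
about; a crosswalk maps framework controls to the SOC 2 Trust Services
Criteria (TSC) categories they give evidence for. The script reports
which TSC categories the combined questionnaire leaves untested and
selects a small subset of questionnaires that still covers every
category the full set covers (greedy set cover).

The crosswalk and questionnaires below are constructed examples for
illustration, not an official mapping.
"""
from collections import defaultdict

# The five SOC 2 Trust Services Criteria categories.
TSC_CATEGORIES = ("Security", "Availability", "Processing Integrity",
                  "Confidentiality", "Privacy")

# Constructed crosswalk: framework control -> TSC categories it evidences.
CROSSWALK = {
    "ISO27001:A.5.15": {"Security", "Confidentiality"},  # access control
    "ISO27001:A.8.8": {"Security"},                       # technical vulnerability management
    "ISO27001:A.5.30": {"Availability"},                  # ICT readiness for business continuity
    "CIS:7": {"Security"},                                # continuous vulnerability management
    "CIS:11": {"Availability"},                           # data recovery
    "NISTCSF:PR.DS-1": {"Confidentiality"},               # data at rest is protected
    "NISTCSF:RS.CO-2": {"Security"},                      # incidents are reported
    "NIST171:3.1.1": {"Security", "Confidentiality"},     # limit system access
}

# Constructed questionnaires: name -> controls its questions collect evidence for.
QUESTIONNAIRES = {
    "ISO 27001 questionnaire": {"ISO27001:A.5.15", "ISO27001:A.8.8", "ISO27001:A.5.30"},
    "CIS Controls questionnaire": {"CIS:7", "CIS:11"},
    "NIST CSF questionnaire": {"NISTCSF:PR.DS-1", "NISTCSF:RS.CO-2"},
    "NIST 800-171 questionnaire": {"NIST171:3.1.1"},
}


def coverage(questionnaires, crosswalk):
    """Map each TSC category to the questionnaire items that evidence it.

    Controls missing from the crosswalk are ignored: an item that maps to
    no category contributes nothing to SOC 2 coverage.
    """
    covered = defaultdict(set)
    for name, controls in questionnaires.items():
        for control in sorted(controls):
            for category in crosswalk.get(control, ()):
                covered[category].add(f"{name}: {control}")
    return dict(covered)


def gaps(questionnaires, crosswalk, required=TSC_CATEGORIES):
    """TSC categories (in SOC 2 order) that no questionnaire item evidences."""
    covered = coverage(questionnaires, crosswalk)
    return [category for category in required if not covered.get(category)]


def minimal_set(questionnaires, crosswalk):
    """Greedy set cover: a small set of questionnaires that keeps every TSC
    category the full set of questionnaires already covers. Greedy choice
    is a heuristic, so the result is small but not guaranteed minimal."""
    per_questionnaire = {
        name: set().union(*(crosswalk.get(c, set()) for c in controls))
        for name, controls in questionnaires.items()
    }
    remaining = set().union(*per_questionnaire.values())
    chosen = []
    while remaining:
        best = max(per_questionnaire, key=lambda n: len(per_questionnaire[n] & remaining))
        gained = per_questionnaire[best] & remaining
        if not gained:
            break  # nothing left that any questionnaire can cover
        chosen.append(best)
        remaining -= gained
    return chosen


if __name__ == "__main__":
    for category, items in coverage(QUESTIONNAIRES, CROSSWALK).items():
        print(f"{category}: {len(items)} item(s)")
    print("uncovered TSC categories:", gaps(QUESTIONNAIRES, CROSSWALK))
    print("smallest covering subset:", minimal_set(QUESTIONNAIRES, CROSSWALK))
```

With the constructed data, the combined questionnaire evidences Security, Availability, and Confidentiality but leaves Processing Integrity and Privacy untouched, which is exactly where a follow-up questionnaire or an Agreed Upon Procedures engagement would be needed. The `minimal_set` output is also useful in the other direction: questionnaires that add no new category can be dropped to reduce the burden on the vendor.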
For illustrative purposes, we'll use the Cybersecurity platform as an example.
With Cybersecurity's custom questionnaire builder, you can quickly modify existing questionnaires mapped to frameworks such as NIST 800-171, NIST CSF, ISO 27001, and others to create a new custom questionnaire that meets your specific assessment requirements.
Get a free trial of Cybersecurity >
Important: When requesting a SOC 2 report from a vendor, receiving a SOC 2 report for just their data center is not an acceptable compromise. A hosting provider's report covers the physical and environmental controls of the facility, not the vendor's own application, access, and operational controls. You must also understand how the vendor handles your customer data and their strategy for protecting it from compromise.
2. Agreed Upon Procedures Report
An Agreed Upon Procedures (AUP) report is a custom engagement that evaluates only the security controls relevant to a particular third-party relationship. Because AUP engagements are less time-consuming and less expensive, they are sometimes requested instead of SOC reports. Note the difference in what you receive: in an AUP engagement the practitioner performs the procedures you and the vendor agreed on and reports the factual results of each, without expressing an opinion on the controls as a whole, so you must draw your own conclusions from those findings.
An example scenario in which an AUP report would be used is querying the security controls related to data storage and processing at a software development vendor. In this case, you'd engage a third-party auditor to conduct a customized assessment of those controls. The auditor would carry out the agreed-upon procedures against each control and document the results of each procedure in a final report.
With an AUP report, you can assess the effectiveness of a specified set of security controls when the full scope of coverage offered by a SOC report is unavailable or not required.
The set of procedures and control questions you want the auditor to cover can be drafted with Cybersecurity's custom questionnaire builder, which allows completely bespoke questionnaires to be built from the ground up, starting from a blank canvas.
New custom questionnaire on the Cybersecurity platform.
Get a free trial of Cybersecurity >
3. Perform Proper Vendor Due Diligence
Vendor Due Diligence (VDD) involves a comprehensive evaluation of a prospective vendor's cybersecurity practices to determine whether they would be an asset or a liability if onboarded. When performed strategically, VDD uncovers the same security control risks presented in SOC Type 1 and Type 2 reports (a Type 1 report describes the design of controls at a point in time; a Type 2 report also tests whether those controls operated effectively over a review period).
Learn how to streamline your Vendor Risk Management >
Vendor Due Diligence reveals the following SOC-related information about the cybersecurity efforts of outsourcing parties:
Company structure: this information may include details about the vendor's data center.
Data access: this reveals the degree of access to your sensitive customer data the vendor requires. It is essential for tiering vendors based on their level of security risk, a crucial practice for efficient remediation management.
Download the free guide on risk remediation planning >
Third-Party Risk Management (TPRM): this information outlines the vendor's TPRM security control strategy.
Learn more about TPRM >
Fourth-Party Risk Management (FPRM): many VDD efforts overlook this. FPRM is essential to evaluate because it reveals the vendor's likelihood of suffering a breach through one of its own third parties, which could have detrimental downstream effects on your customer data.
Learn more about FPRM >
Incident Response Plan: a vendor's Incident Response Plan reveals valuable information that maps to SOC reporting, including details about data breach communication protocols and measures for mitigating active cyber threats.
Ready to save time and streamline your trust management process?