SOC 2 Vendor Management: Managing Key Vendors as Part of SOC 2 Compliance

Most organizations rely on vendors for portions of the services they provide, or to support the security and integrity of their technology and data. Managing the relationships with these vendors matters, and so does monitoring the ongoing performance and security posture of the services those vendors deliver.

When pursuing a SOC 2, a reporting framework developed by the American Institute of Certified Public Accountants (AICPA), the onboarding and ongoing monitoring of key vendors are a critical part of the SOC 2 Trust Services Criteria that must be demonstrated. Weaknesses in vendor management can introduce vulnerabilities that in turn affect the services being provided: a vendor with excessive access to your systems or data can become the path of least resistance into your environment.

Why Vendor Management is Important in a SOC 2 Engagement

When a service provider undergoes a SOC 2 examination, it is not just the service provider’s internal processes and controls that are scrutinized. The examination also covers how the service provider vets and monitors any vendor that is key to the services it provides to its clients. These vendors are referred to as key subservice organizations. Even when a subservice organization is carved out of the report (the common approach, under which the subservice organization’s own controls are excluded from the description), the service provider’s controls for monitoring that subservice organization remain in scope.

Effective vendor management helps make sure that key subservice organizations meet the same standards of security, availability, processing integrity, confidentiality, and privacy that are expected in your organization.

Vendor management is addressed in the common criteria under the Risk Mitigation subsection. Specifically, the AICPA criteria CC9.2 as part of the common criteria states: “The entity assesses and manages risks associated with vendors and business partners.”

While this is a high-level requirement, the AICPA has established Points of Focus that describe characteristics an organization might consider when addressing this criterion. Not all of the Points of Focus are required, and some may not apply to a given organization. The Points of Focus are illustrative, not mandatory controls. Many of our clients have only a few of them in place and spelled out as controls in their SOC 2 report, and some clients have established different controls altogether to meet the criterion.


Vendor Management Controls in a SOC 2

As stated above, the criterion to be met is high level, and there are many different controls that can be put in place to meet it depending on a service provider’s processes. There are thirteen Points of Focus (the quoted text under each heading below is sourced directly from the AICPA Trust Services Criteria documentation) that we will go through in this section to cover possible controls that can be implemented, if they are not already in place at the service provider, to meet the SOC 2 criterion. As stated above, not all of these are required, and only those relevant to the service provider should be considered.

1. Establishes Requirements for Vendor & Business Partner Engagements

The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.

A good starting point for vendor management is identifying all of your vendors and classifying them based on the type of service they provide and the access they have to your systems and data. Vendor services range widely, from IT infrastructure to payroll processing. Categorizing vendors helps you prioritize oversight effort and set the review frequency for each one.

2. Identifies Vulnerabilities

The entity evaluates vulnerabilities arising from vendor and business partner relationships, including third-party access to the entity’s IT systems and connections with third-party networks. 

As part of onboarding a vendor, the access the vendor will have to systems and data should be assessed and documented, including any network connections or integrations (VPNs, API keys, service accounts) the vendor requires. Access should be limited to what the service actually needs, so that the documented scope can later be compared against what is provisioned.

3. Assesses Vendor & Business Partner Risks

The entity inventories, tiers, and assesses, on a periodic basis, threats arising from relationships with vendors and business partners and the vulnerability of the entity’s objectives to these threats. Examples of threats arising from relationships with vendors and business partners include those arising from their (1) financial failure, (2) security vulnerabilities, (3) operational disruption, and (4) failure to meet business or regulatory requirements. 

Vendor risk should be included in the overall risk assessment policy and process, but additionally, a risk assessment can be performed as part of the vetting of potential vendors. This risk assessment could include the potential risks associated with the services they provide, their access to systems and data, and their security posture.

4. Assigns Responsibility & Accountability for Managing Vendors & Business Partners

The entity assigns responsibility and accountability for the management of risks and changes to services associated with vendors and business partners.

Centralizing and streamlining the tracking of vendors helps make sure that the inventory of vendors is kept up to date and appropriate personnel are involved with the onboarding and monitoring of vendors.

5. Establishes Communication Protocols for Vendors & Business Partners

The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.

If not established in the contract with the vendor, communication protocols should be established so the vendor can be easily reached if there is an issue with the services that are being provided.

6. Establishes Exception Handling Procedures From Vendors & Business Partners

The entity establishes exception handling procedures for service or product issues related to vendors and business partners.

Requirements should be clearly outlined in contracts and service level agreements (SLAs). When the services provided fall outside of these agreed SLAs, procedures should be in place for communicating and remediating the issue(s).

7. Assesses Vendor & Business Partner Performance

The entity assesses the performance of vendors and business partners, as frequently as warranted, based on the risk associated with the vendor or business partner.

Continuous monitoring of established vendors is essential to ongoing vendor compliance. Regular assessments of vendors (at least annually, and more often for higher-risk vendors) help validate that they are adhering to the expected security requirements. Typical reviews could include:

  • Reviewing the most current SOC 1 or SOC 2 report. Confirm that the report’s period covers the time you rely on it (a bridge letter can cover a short gap after the period end), read any exceptions noted by the auditor, and check that the complementary user entity controls the report expects you to operate are actually in place.
  • Performing periodic security reviews and risk assessments.
  • Monitoring vendor performance against SLAs.

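The tiering described in Point of Focus 3 and the risk-based review cadence in Point of Focus 7 are easy to state but are usually tracked in a spreadsheet that nobody reconciles. The script below is an added example, not part of the original article or of any AICPA material, showing one way to derive a vendor’s tier from its data and system access, compute when its next review is due, and flag vendors whose SOC report on file has gone stale. The scoring weights, tier thresholds, review intervals, report-age limit, and the four sample vendors are all constructed assumptions for illustration; substitute the values from your own risk assessment policy.

```python
"""Vendor inventory tiering and review scheduling (added example).

The weights, thresholds, intervals and sample vendors below are assumptions
made for this illustration, not figures from the article or from the AICPA.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vendor:
    name: str
    service: str
    data_classes: set            # classifications of data the vendor can reach
    system_access: str           # "none", "read", "write" or "admin"
    critical_to_service: bool    # an outage would disrupt what we deliver to clients
    last_review: Optional[date] = None
    soc_period_end: Optional[date] = None  # end of the period covered by the SOC report on file


# Assumed scoring model: worst data class + level of system access + criticality.
DATA_SCORE = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}
ACCESS_SCORE = {"none": 0, "read": 1, "write": 2, "admin": 3}
CRITICAL_SCORE = 3

# Assumed review cadence per tier and the maximum age of a SOC report we accept
# (report period end plus a window in which a bridge letter could cover the gap).
REVIEW_INTERVAL = {
    "tier1": timedelta(days=180),
    "tier2": timedelta(days=365),
    "tier3": timedelta(days=730),
}
SOC_REPORT_MAX_AGE = timedelta(days=365 + 90)


def risk_score(v: Vendor) -> int:
    """Sum the assumed data, access and criticality weights for a vendor."""
    data = max((DATA_SCORE.get(c, 0) for c in v.data_classes), default=0)
    return data + ACCESS_SCORE[v.system_access] + (CRITICAL_SCORE if v.critical_to_service else 0)


def tier(v: Vendor) -> str:
    """Map the score onto three tiers; tier1 gets the most frequent oversight."""
    s = risk_score(v)
    if s >= 6:
        return "tier1"
    if s >= 3:
        return "tier2"
    return "tier3"


def review_status(v: Vendor, today: date) -> dict:
    """Work out when the next review is due and list anything that needs action."""
    t = tier(v)
    due = (v.last_review + REVIEW_INTERVAL[t]) if v.last_review else today
    findings = []
    if due <= today:
        findings.append("review overdue" if v.last_review else "never reviewed")
    # Only the two higher tiers are expected to supply an attestation report.
    if t in ("tier1", "tier2"):
        if v.soc_period_end is None:
            findings.append("no SOC report on file")
        elif today - v.soc_period_end > SOC_REPORT_MAX_AGE:
            findings.append("SOC report period stale")
    return {"vendor": v.name, "tier": t, "score": risk_score(v), "next_review": due, "findings": findings}


def overdue_vendors(vendors, today: date) -> list:
    """Return the status records of every vendor with at least one finding."""
    return [r for r in (review_status(v, today) for v in vendors) if r["findings"]]


# Constructed sample register; names and dates are invented for the example.
TODAY = date(2024, 3, 1)
SAMPLE_VENDORS = [
    Vendor("CloudHost", "IaaS hosting", {"pii", "confidential"}, "admin", True,
           last_review=date(2023, 1, 15), soc_period_end=date(2022, 9, 30)),
    Vendor("PayrollCo", "payroll processing", {"pii"}, "none", False,
           last_review=date(2023, 9, 1), soc_period_end=date(2023, 12, 31)),
    Vendor("SwagSupplier", "branded merchandise", {"internal"}, "none", False),
    Vendor("MonitoringSaaS", "log monitoring", {"confidential"}, "read", True,
           last_review=date(2023, 12, 1)),
]

if __name__ == "__main__":
    for r in overdue_vendors(SAMPLE_VENDORS, TODAY):
        print(f'{r["vendor"]:<15} {r["tier"]} score={r["score"]} next={r["next_review"]} {r["findings"]}')
```

Run against the constructed register, the hosting provider is flagged both for an overdue six-month review and for a SOC report whose period ended well over a year ago, the merchandise supplier is flagged only because it has never been reviewed, and the monitoring vendor is flagged because no report is on file at all; the payroll processor has a current review and a recent report and produces no findings.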
8. Implements Procedures for Addressing Issues Identified During Vendor & Business Partner Assessments

The entity implements procedures for addressing issues identified with vendor and business partner relationships. 

A process should be established with vendors for when issues are identified during the vendor evaluation. The vendor should be prepared to respond and remediate potential identified issues.

9. Implements Procedures for Terminating Vendor & Business Partner Relationships

The entity implements procedures for terminating vendor and business partner relationships based on predefined considerations. Those procedures may include safe return of data and its removal from the vendor or business partner system.

As part of the contracting process with the vendor, there should be clear procedures for terminating the relationship. These should include confirming that all data is returned or deleted (with written confirmation of deletion where the data is sensitive) and that the vendor’s access to key systems is revoked: accounts disabled, API keys and any shared credentials rotated, and network connections removed.

10. Obtains Confidentiality Commitments from Vendors & Business Partners (applies only when the Confidentiality category is in scope)

The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information.

Confidentiality language should be included in contracts with vendors or a separate confidentiality agreement should be provided and signed by the vendor.

11. Assesses Compliance With Confidentiality Commitments of Vendors & Business Partners (applies only when the Confidentiality category is in scope)

On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements.

As part of the periodic assessment of vendors, compliance with confidentiality commitments can be reviewed. If there is noncompliance suspected with a vendor, a separate assessment can be performed.

12. Obtains Privacy Commitments from Vendors & Business Partners (applies only when the Privacy category is in scope)

The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information.

If personal information is accessed by vendors there should be privacy language included in the contract with the vendor or a separate privacy agreement should be provided and signed by the vendor.

13. Assesses Compliance with Privacy Commitments of Vendors & Business Partners (applies only when the Privacy category is in scope)

On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary.

As part of the periodic assessment of vendors, compliance with privacy commitments can be reviewed. If there is noncompliance suspected with a vendor, a separate assessment can be performed.


Responsibility for Vendor Management & Monitoring for a SOC 2 Engagement

Many of our clients, especially smaller and mid-sized ones, want to know who should be responsible for onboarding and monitoring vendors. This depends on the size of the organization, but vendor vetting and ongoing monitoring should be performed by someone who understands the service the vendor provides. For example, if a key subservice organization such as AWS is used, someone familiar with the AWS services and configurations the organization relies on should take part in the annual review of the AWS SOC 2 report, since that person can judge whether the report’s scope and complementary user entity controls actually cover the way the organization uses AWS.

Centralizing vendor management helps streamline oversight of vendors across the organization. Tracking all vendors in one place (a system, tool, or spreadsheet) makes it easier to maintain the inventory of vendors, the services they provide, their assigned tier, the frequency of reviews, and the date of the last review.

Conclusion

Effective vendor management is a key part of SOC 2 compliance. By implementing an established process for managing vendor relationships, organizations can mitigate risks, increase security, and make sure vendors uphold the same high standards of security that organizations strive to maintain. Having vendor management controls not only supports SOC 2 compliance, but also can build trust with clients and stakeholders by demonstrating commitment to safeguarding data and systems for clients.

Our team at Linford and Company possesses considerable expertise in helping businesses develop and refine their vendor risk management strategies. We invite you to reach out if you’re interested in exploring how our services could benefit your organization.