TPRM, otherwise known as Third-Party Risk Management, is a critical component of your organization’s security posture. It is a big focal point for regulators, and we are increasingly forced to consider fourth-party risk management as well: the vendors of your vendors.
TPRM is a toolset to identify, assess, mitigate, and respond to third-party vendor risks across the engagement life cycle. A TPRM program is essential to reducing the likelihood and cost of data breaches, operational failures, vendor bankruptcy, and reputational damage. Although your organization may rely on third-party service providers, your management team remains liable for maintaining an effective internal control system. For example, the broker-dealer regulator FINRA has a litany of enforcement actions against firms that did not provide adequate oversight of their third-party vendors. No one remembers the name of the HVAC vendor that led to the Home Depot hack, but everyone remembers that Home Depot was breached.
Outsourcing has become increasingly important as business operations have become increasingly complex; less exciting is the ownership of this third-party responsibility.
If your organization sells technology services, customers and potential clients have probably requested a SOC 2 document, or Service and Organization Control 2 report. A SOC 2 report can only be prepared by a CPA firm with qualified technology systems auditors, and its value derives from an independent third party attesting to the design of your organization’s security controls (SOC 2 Type I) and the operating effectiveness of those controls (SOC 2 Type II). It isn’t enough that your organization says it has adequate security controls; your organization must prove it does to an independent auditor.
Developed by the AICPA (American Institute of Certified Public Accountants), SOC 2 is specifically designed for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every SaaS organization, as well as any organization that uses the cloud to store its customers’ information. So, what does SOC 2 require exactly? It’s considered a technical audit, but it goes beyond that. SOC 2 requires organizations to establish and follow strict information security policies and procedures, encompassing the security, availability, processing integrity, and confidentiality of customer data. SOC 2 ensures that an organization’s security measures are in line with the unique parameters of today’s cloud requirements.
In practice, there are four critical areas to SOC 2 compliance:
SOC 2 compliance centers on implementing and maintaining well-defined, long-term security policies, procedures, and practices.
While SOC 2 is the most requested TPRM document, the largest standards group and professional association for TPRM is the Shared Assessments Organization. Shared Assessments provides a wide array of products and services, including the well-known Standard Information Gathering (SIG) questionnaire, professional certification in third-party risk management (Certified Third Party Risk Professional), the Vendor Risk Management Maturity Model (VRMMM), and Agreed Upon Procedures (AUP).
The SIG is a comprehensive 1,500-question questionnaire that is completed and certified by an independent security professional, who evaluates and reports on the design and operation of an organization’s security controls. While that objective overlaps with that of the SOC 2, the SIG is significantly different from SOC 2. The SIG, or Standard Information Gathering questionnaire, is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security, and business resiliency. It evaluates third-party vendors across fifteen individual “domains” by gathering pertinent information to determine how security risks are managed.
These domains include:
If 1,500 questions seems insurmountable, there’s a slim version called SIG Lite. As the name suggests, it’s SIG on a diet (but with over 350 questions, still a full meal); it covers all of the aforementioned domains and achieves its goal with fewer questions.
To SIG or to SOC?
Now that you know about the two prominent players in the TPRM game, let’s discuss which one may be a better fit for your organization, and the reasons why.
If one of your clients has asked for a SOC 2 document and your organization has gone through the process, then I send my condolences and completely understand your earlier deep sigh. SOC 2 is extremely expensive (it can easily run into six figures), very complex and resource intensive, and, outside of compliance requirements, it can be a challenging report to interpret. The cost, complexity, and resource drain are all significant barriers for SMBs completing a SOC 2 audit. If your organization is an SMB and contractually obligated to provide a SOC 2 document, your organization has no choice but to bite the bullet. If not, SIG compliance can be a vastly less expensive alternative, far more useful to your organization, and more valuable to your customers as well.
Reasons for the SIG:
1. Cost of Compliance: The SIG is already written, whereas the audit underlying a SOC 2 document is specific to the organization. Therefore, time spent on-site for the review is reduced significantly, because an independent auditor can specify in advance the evidence that he or she will require.
2. Resource Constraints: Completing a SIG questionnaire typically requires 3 to 5 days, while a SOC 2 can require several weeks on-site at a minimum.
3. Narrow vs. Broad: A SOC 2 audit can become very narrowly scoped relative to the SIG. As previously mentioned, SOC 2 is a rigorous audit process created and maintained by accountants, and it focuses on the technology systems that directly interact with clients’ data. The SIG, on the other hand, provides a more holistic view of your organization’s technology stack.
4. More Informative: The SIG includes detailed information about sample sizes, testing methodology, and attributes considered. A client can easily glean from your SIG report that your organization has a definitive process for detecting unauthorized wireless networks, evidence that the process is being used, whether any unauthorized wireless networks were detected in the previous six months and, if so, whether they were removed. This level of detail and granularity is not included in a SOC 2 report.
While a SOC 2 is the gold standard for third-party attestation, does your organization even need it? Your organization may not be legally required to complete and maintain a SOC 2 document, but your clients are certainly entitled to put a policy in place requiring it of any of their vendors. You’re in the business of keeping your clients and growing the list of them, not losing them. As far as deciding which audit your organization must complete, let’s start with some suggestions on answering that question. The first step is to ask your client what they are specifically interested in. Do they want to know that your email system is secure, your file storage, your file transfer, or something else? Your client surely knows its peers in its space; don’t be bashful about asking what those peers use for auditing purposes. If you get a deer-in-the-headlights look, don’t be surprised. Most of your clients won’t truly know and understand what specific audit information is required for themselves, let alone their peers. Armed with the information here, you can easily control the direction of this conversation.
If non-public personal information is at issue and your client is heavily regulated (e.g. a large finance or healthcare entity), your client may simply be passing on the message, and your organization will likely require a SOC 2 document. If not, then probe and understand your client’s needs. Recently, an information security officer at a large bulge-bracket broker-dealer insisted that a client agree to provide a SOC 2. Upon doing research, we learned that the same firm had been involved in the creation of the Shared Assessments framework (along with the Big Four; did I mention that?). SOC 2 was dropped from the discussion and replaced with the SIG. My point is simply this: don’t roll over for a SOC 2 requirement if it is not truly required. If you push for the SIG, you are providing a compelling alternative rather than leaving your client’s concern unaddressed. In short, in many cases the SOC 2 or SSAE 16/18 report is simply the wrong-sized requirement. The SIG at 1,500 questions is no layup either, but either the SIG or the SIG Lite may be better suited to everyone’s needs.
In many cases, the SIG is not only less expensive and less resource intensive, but also more useful, and is a better means of communicating the information that your clients actually need: your organization’s security posture.
The only professionals who can decide the “best” audit process for your organization are you and your team. The decision will obviously be dictated by the requirements of your customer base. The decision process can be augmented by a security service provider who gathers your requirements and advises on your specific needs and the best fit for your organization’s auditing needs.