
How to Compensate Vendor Controls

Oct 16, 2019 by Desiree Ericksen

In SOC audits, a compensating vendor control satisfies a security requirement that has been determined to be too difficult, impractical or unattainable at that particular time by putting additional measures in place.

Compensating controls are implemented to offset primary controls that are difficult to achieve. A compensating control is reactive; it complements its proactive primary control.

Proactive vs. Reactive Vendor Controls

To better understand what I mean, here’s a helpful example of how to compensate vendor controls:

Proactive: A control states that within three days of an employee termination, the employee’s access is removed from the network and all applications. As you’re probably aware, sometimes removing a terminated employee’s access falls through the cracks, so a compensating control would be the following reactive control.

Reactive: A quarterly review of all users’ access, and/or a rule that locks out a user’s account if the user has not logged into an application within 30 days.
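The two reactive controls above can be run as a periodic check over an application’s user export. The following is an added example, not code from the original post or from Venminder; the CSV export format, the account records and the review date are constructed assumptions, and the check flags terminated users whose access was not removed within three days as well as accounts with no login in the last 30 days.

```python
"""Reactive compensating-control checks for user access (added example).

Models the quarterly access review and the 30-day inactivity lockout
described above. The export format and all data are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

TERMINATION_GRACE_DAYS = 3   # proactive control: remove access within 3 days of termination
INACTIVITY_LOCK_DAYS = 30    # reactive control: lock accounts with no login in 30 days

# Constructed sample of an application user export (hypothetical format); not real data.
SAMPLE_EXPORT = """username,enabled,last_login,terminated_on
alice,true,2019-10-10,
bob,true,2019-08-01,
carol,true,2019-09-20,2019-10-01
dave,true,2019-10-14,2019-10-14
erin,false,2019-05-01,2019-06-01
frank,true,,
"""
REVIEW_DATE = date(2019, 10, 16)  # constructed date of the quarterly review


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]     # None if the user has never logged in
    terminated_on: Optional[date]  # None for current employees


def _parse_date(text: str) -> Optional[date]:
    return date.fromisoformat(text) if text else None


def load_accounts(export_text: str) -> List[Account]:
    """Parse the (hypothetical) CSV user export into Account records."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [
        Account(
            username=row["username"],
            enabled=row["enabled"].strip().lower() == "true",
            last_login=_parse_date(row["last_login"]),
            terminated_on=_parse_date(row["terminated_on"]),
        )
        for row in reader
    ]


def review_accounts(accounts: List[Account], review_date: date) -> Tuple[List[str], List[str]]:
    """Quarterly access review: return (overdue_removals, to_lock).

    overdue_removals: enabled accounts of users terminated more than
        TERMINATION_GRACE_DAYS ago, i.e. the proactive control failed.
    to_lock: enabled accounts with no login in the last INACTIVITY_LOCK_DAYS
        (a user who never logged in is treated as inactive).
    """
    overdue_removals, to_lock = [], []
    for acct in accounts:
        if not acct.enabled:
            continue  # already locked or removed; nothing further to do
        if acct.terminated_on is not None:
            if (review_date - acct.terminated_on).days > TERMINATION_GRACE_DAYS:
                overdue_removals.append(acct.username)
                continue  # removal takes precedence over a plain lockout
        inactive = (
            acct.last_login is None
            or (review_date - acct.last_login).days > INACTIVITY_LOCK_DAYS
        )
        if inactive:
            to_lock.append(acct.username)
    return overdue_removals, to_lock


def apply_lockouts(accounts: List[Account], usernames: List[str]) -> int:
    """Disable the listed accounts in place; returns how many were changed."""
    wanted = set(usernames)
    changed = 0
    for acct in accounts:
        if acct.username in wanted and acct.enabled:
            acct.enabled = False
            changed += 1
    return changed


def run_review(export_text: str = SAMPLE_EXPORT, review_date: date = REVIEW_DATE) -> dict:
    """Run the review over an export and lock the inactive accounts it finds."""
    accounts = load_accounts(export_text)
    overdue, to_lock = review_accounts(accounts, review_date)
    locked = apply_lockouts(accounts, to_lock)
    return {"overdue_removals": overdue, "to_lock": to_lock, "locked": locked}


if __name__ == "__main__":
    print(run_review())
```

On the sample data the review reports carol (terminated 15 days earlier, still enabled) as an overdue removal, and locks bob (last login 76 days earlier) and frank (never logged in); dave was terminated only two days before the review, so the proactive three-day control still has time to act and nothing is flagged. Overdue removals are kept separate from lockouts because they are evidence that the primary control failed and should be reported to the control owner, not silently cleaned up.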

A Reactive Measure with a Proactive Approach

Though compensating controls are a reactive measure, they require a proactive approach. Understanding what controls are already in place is critical to determining how compensating controls can be implemented. Both vendors and their clients use compensating controls. If a control is difficult to achieve on its own, regardless of the effort put into it, implement additional compensating controls to CYCA – aka cover your company’s assets.

Remember, it’s everyone’s responsibility to maintain security for your organization.


Written by Desiree Ericksen

Desiree is a self-motivated financial services industry leader with 14 years’ experience through nearly all financial institution operations, from teller to Vice President – IT/Security Officer. Now providing detailed analysis to financial services companies, she is able to apply years of direct subject matter knowledge, analyzing inherent risk of vendors and their subservice providers. She earned a Bachelor’s degree in Business Information Systems and is a Certified Information Systems Security Professional (CISSP). Through her experience in regulatory, internal and external audits, she has first-hand experience in what challenges financial services organizations are facing in third party risk management.
