In SOC audits, a compensating vendor control is a measure (or set of measures) a vendor puts in place to satisfy a security control requirement that has been judged too difficult, impractical or unattainable at that particular time.
Compensating controls offset primary controls that are hard to achieve or enforce consistently. A compensating control is typically reactive: it catches failures of the proactive primary control it complements.
Proactive vs. Reactive Vendor Controls
To make this concrete, here is an example of a proactive control and the compensating control that backs it up:
Proactive: A control states that within three days of an employee’s termination, the employee’s access is removed from the network and all applications. As you’re probably aware, removing a terminated employee’s access sometimes falls through the cracks, so a compensating control would be a reactive control such as the following.
Reactive: A quarterly review of all users’ access, and/or an automatic lockout of any account that has not logged into an application in 30 days. Either one catches a terminated user whose access was never removed; the lockout also limits how long an orphaned account stays usable.
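The two reactive checks above, as an added example (not code from the original post): an access-review script that flags terminated users whose access is still enabled past the three-day deprovisioning window, and enabled accounts with no login in 30 days. The HR termination feed, the application user list and the review date are constructed sample data; a real run would pull them from an HRIS export and an IdP or application API. The script goes one step beyond the text for accounts that have never logged in, measuring idleness from the account’s creation date, which is an assumption rather than something the page states.

```python
# Added example (not from the original post): an access-review script that
# implements the two reactive compensating controls described above.
# TERMINATIONS, ACCOUNTS and TODAY are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TERMINATION_GRACE_DAYS = 3   # primary control: access removed within 3 days of termination
DORMANT_DAYS = 30            # compensating control: lock accounts idle for more than 30 days
TODAY = date(2024, 3, 5)     # fixed review date so the example is reproducible


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]   # None means the account has never been used
    created: date


# Constructed HR feed: username -> termination date
TERMINATIONS: Dict[str, date] = {
    "jdoe": date(2024, 1, 10),
    "asmith": date(2024, 2, 28),
}

# Constructed application user list
ACCOUNTS: List[Account] = [
    Account("jdoe", True, date(2024, 1, 9), date(2022, 5, 1)),      # terminated, still enabled
    Account("asmith", False, date(2024, 2, 27), date(2021, 3, 3)),  # terminated, correctly disabled
    Account("bwong", True, date(2024, 1, 15), date(2023, 7, 7)),    # active employee, dormant
    Account("clee", True, date(2024, 3, 1), date(2023, 7, 7)),      # active employee, in use
    Account("svc-backup", True, None, date(2024, 2, 25)),           # new, never logged in
    Account("dkim", True, None, date(2023, 11, 1)),                 # old, never logged in
]


def orphaned_accounts(accounts, terminations, today) -> List[Tuple[str, int]]:
    """Quarterly-review check: terminated users whose access is still enabled
    after the primary control's deprovisioning window has passed.
    Returns (username, days overdue) pairs."""
    findings = []
    for acct in accounts:
        term_date = terminations.get(acct.username)
        if term_date is None or not acct.enabled:
            continue
        overdue = (today - term_date).days - TERMINATION_GRACE_DAYS
        if overdue > 0:
            findings.append((acct.username, overdue))
    return findings


def dormant_accounts(accounts, today) -> List[Tuple[str, int]]:
    """Automatic-lockout check: enabled accounts with no login in DORMANT_DAYS.
    Assumption (not stated on the page): an account that has never logged in is
    measured from its creation date, so stale never-used accounts are caught too.
    Returns (username, idle days) pairs."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_login or acct.created
        idle = (today - last_activity).days
        if idle > DORMANT_DAYS:
            findings.append((acct.username, idle))
    return findings


def run_review(accounts, terminations, today) -> Dict[str, List[Tuple[str, int]]]:
    """Run both compensating checks and return the findings for the audit record."""
    return {
        "orphaned": orphaned_accounts(accounts, terminations, today),
        "dormant": dormant_accounts(accounts, today),
    }


if __name__ == "__main__":
    report = run_review(ACCOUNTS, TERMINATIONS, TODAY)
    for name, days in report["orphaned"]:
        print(f"ORPHANED  {name}: access still enabled {days} days past the 3-day window")
    for name, days in report["dormant"]:
        print(f"DORMANT   {name}: no login for {days} days, lock the account")
```

With the sample data, jdoe shows up in both lists: the termination on January 10 was never actioned, which the quarterly review catches, and the 30-day lockout would have cut off that orphaned access in early February anyway. bwong and dkim are not terminated but still get locked as dormant, which is the usual side effect of this control and why the review output should go back to the account owners rather than being actioned blindly.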
A Reactive Measure with a Proactive Approach
Though compensating controls are a reactive measure, they require a proactive approach: you have to understand which controls are in place, and where they are likely to fail, before you can decide what should compensate for them. Both vendors and their clients use compensating controls. If a control is difficult to achieve on its own, regardless of the effort spent on it, implement additional compensating controls to CYCA – aka cover your company’s assets.
Remember, it’s everyone’s responsibility to maintain security for your organization.