In a world where information security breaches are all too common, it’s vital that you verify each vendor’s information security control environment is adequate and designed to protect your organization and customer information. Evaluating a vendor’s information security controls isn’t an impossible feat. It’s actually easy to understand and even easier to apply. It really all comes down to the SSAE 18 and the SOC 1 and SOC 2 reports. These reports will tell you how well your vendor handles the confidentiality, integrity and availability of the data and controls under their purview.
Let’s discuss the triad of confidentiality, integrity and availability of information. It’s actually this simple.
- Confidentiality: Does the vendor have measures in place to prevent unauthorized disclosure of information?
- Integrity: Does the vendor ensure the data will not be modified by unauthorized means?
- Availability: Does the vendor ensure the information is available when needed and only to authorized personnel?
These questions must always be asked as you assess the vendor and are the foundation of a strong information security controls environment. Each has multiple parts and pieces, and each has parameters that flex to fit the needs of the vendor's information security environment.
Signs of a Weak Information Security Control Environment
Sometimes you may find that a vendor’s information security control environment is inadequate. You’ll normally see this when you request the SOC reports for a vendor. A SOC report tells you how various cybersecurity controls related to availability, confidentiality and processing integrity are being managed and whether the management of those controls is adequate.
SOC 2 reports are auditing procedures that ensure your vendors are securely managing your data to protect the interests of your organization and the privacy of your customers. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS (software as a service) provider.
Controls test the physical environment, handling of information, ability to make changes to data and overall soundness of your vendor’s processes and procedures for information security. If you find a vendor with questionable controls, you may notice they have the following:
- Weak or no incident detection controls or incident response plan
- A lack of adequate intrusion detection controls
- Little or no data loss prevention controls
- Poor physical security for data centers and other facilities
- No business continuity or disaster recovery plans in place
- No data classification, retention and destruction policies
- No data encryption standards
- No security testing
- No information security training provided to employees, contractors or their vendors to ensure cybersecurity preparedness
So, what if you discover the vendor’s information security control environment is faulty? What do you do next?
5 Tips to Manage Faulty Information Security Controls
Here are five recommendations to manage faulty information security controls:
- Contact the vendor and determine if the lack of controls is temporary or if it’s beyond the vendor’s capability to deploy the relevant controls. If the vendor doesn’t have a SOC 2 report and they’re going to be handling your organization’s information or your customer’s information, that’s a key performance indicator that this may not be the vendor for your organization.
- Contractually request the vendor notify you as soon as an incident occurs. It’s important every vendor is aware that you want them to notify you as soon as a breach occurs or within an agreed-upon timeframe. Set expectations in the contract, especially if their control environment seems faulty. If it isn’t part of your contract with the vendor, you may not be able to convince the vendor to comply with your request.
- Require the vendor to strengthen their controls and test frequently. A SOC report covers one year. It should be for a relevant timeframe and may have what’s referred to as a “bridge letter” accompanying it to explain the occasional few months it takes for an audited SOC report to be refreshed. Read the SOC report and see if the management responses (in the section called Management’s Assertion) the vendor supplies are reasonable explanations for why the audited items test as being weak or lacking. If your vendor’s security posture is out of whack and the vendor fails to adequately address the issues, then you have another key performance indicator that the vendor has a problem with information security.
- Consider that things happen. Sometimes large data processors will find their controls have become inadequate over time. This is usually due to the growth of the organization and the need to update a process or procedure, or both, for specific security controls. If the vendor has a plan to correct the existing flaws, you may be wise to give the vendor the opportunity to make the correction.
- Determine if the vendor is still a good fit for your organization. Is the risk worth it? Is the vendor setting your organization up for so much operational and reputation risk that it may be worth making a change? That’s something you should discuss with your senior management team and the board. If your organization decides to make a change, make certain you vet the replacement thoroughly!
A stable information security control environment is important to the confidentiality and safekeeping of your organization’s data. Make sure you review the vendor’s information security posture often and request changes as needed.