<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:g-custom="http://base.google.com/cns/1.0" xmlns:media="http://search.yahoo.com/mrss/" version="2.0">
  <channel>
    <title>7a36e8e9</title>
    <link>https://www.medstartcompliance.com</link>
    <description />
    <atom:link href="https://www.medstartcompliance.com/feed/rss2" type="application/rss+xml" rel="self" />
    <item>
      <title>Vendor Risk Assessment - Reading the SOC2 report</title>
      <link>https://www.medstartcompliance.com/vendor-risk-assessment-reading-the-soc2-report</link>
      <description />
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
           You've got your vendor's SOC2 report in hand.  Now what?
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            Hey there!
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           If you're a startup health-tech/med-tech/healthcare organization looking to evaluate a SaaS service provider's compliance with HIPAA and other relevant regulations and standards, reviewing their SOC2 Type 2 report is a good place to start. Ask specifically for a Type 2 report: a Type 1 report only covers whether controls were suitably designed at a point in time, while a Type 2 report also tests whether those controls operated effectively over a review period (typically six to twelve months). Here's how we review a SOC2 Type 2 report from a SaaS service provider to evaluate compliance for our clients:
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           First, we work with our clients to make sure that the service provider is a good fit for their needs. This means checking their capabilities, experience, reputation, and compliance with relevant regulations and standards.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Once the client has identified a suitable service provider, we ask the service provider to send over a copy of their most recent SOC2 Type 2 report. Most service providers either have a way to request the report through their service portal or require a signed NDA. When the report arrives, check the review period stated on the cover and in the auditor's opinion: if it ended more than a few months ago, ask the provider for a bridge (gap) letter covering the time since the period end, and for the date the next report is expected.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           The first time we review a SOC report from a service provider we have not reviewed before, we read the report cover to cover. This helps us really understand how the service provider describes their services, and how the auditor addressed the service controls. After the initial read-through, we go back and dig a bit deeper into some sections.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           We look at the auditor's opinion. This is a key component of the report, and we want to make sure that the auditor concluded the service provider's controls were suitably designed and operated effectively throughout the review period. We are looking for an unqualified (“clean”) opinion. Note that a clean opinion does not mean zero exceptions: the auditor can still note individual test exceptions against specific controls in the testing section, so the opinion is where the review starts, not where it ends.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           We also review the system description, which provides detailed information about the service provider's system and the controls they have in place to safeguard client data. This section covers topics like network security, physical security, access controls, and data backup and recovery procedures. We look to align the system description with the specific services our client is using from the provider, and we confirm those services are actually in the report's scope. We also note any subservice organizations (for example, the provider's cloud hosting vendor) that are carved out of the report, since their controls are not tested here and may need to be reviewed separately.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Then, we look at the control objectives and related controls. These describe the trust services criteria the service provider is being evaluated against and the controls they've implemented to meet them. We want to make sure that these controls align with HIPAA and other relevant regulations and standards, keeping in mind that a SOC2 report is not a HIPAA attestation: we map the tested controls to the HIPAA Security Rule safeguards that matter for our client's use of the service ourselves. We want to make sure that the Security and Availability criteria are covered at a minimum, again relevant to the services used by our client, and if the provider will handle PHI we check whether Confidentiality and Privacy are in scope as well. This section is usually the most detailed part of the report. We use it to determine two things: are the controls appropriate for the services, and are there any exceptions noted against the controls that support those services.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           If there are any Complementary User Entity Controls (CUECs), we dig into those as well. These are controls that need to be implemented by our client and that work alongside the service provider's controls to mitigate risk. We want to make sure that any CUECs are appropriate for the services provided and are actually covered by well-designed, effective controls in our client's own operations. A CUEC the client has not implemented (for example, managing its own user accounts and access reviews for the service) is a gap that the provider's report does not cover, and we track it as a finding on the client's side.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           If a management response section exists in the SOC report, we carefully evaluate this section. This is where the service provider responds to the auditor's exceptions and any identified areas of improvement. While the management response isn't audited, we still want to read it to understand how the service provider plans to address any identified deficiencies. If management responses exist in the report, it's important to follow up with the service provider to confirm that the planned improvements are still proceeding or have been completed.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Finally, we consider any other relevant information provided by the auditor or service provider.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           That's it! Reviewing a SOC2 Type 2 report is an important step in evaluating compliance for our healthcare clients, but it's just one part of a larger due diligence process that includes contract negotiations, risk assessments, and ongoing monitoring of vendor compliance, including obtaining and reviewing each updated SOC report when it is issued.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <enclosure url="https://irp.cdn-website.com/6d42808b/dms3rep/multi/business-concept-different-documents-on-260nw-1656786061.webp" length="7856" type="image/webp" />
      <pubDate>Fri, 14 Apr 2023 14:59:12 GMT</pubDate>
      <guid>https://www.medstartcompliance.com/vendor-risk-assessment-reading-the-soc2-report</guid>
      <g-custom:tags type="string" />
      <media:content medium="image" url="https://irp.cdn-website.com/6d42808b/dms3rep/multi/stack-reports-lies-desk-ready-review-editing-217416370.jpg">
        <media:description>thumbnail</media:description>
      </media:content>
      <media:content medium="image" url="https://irp.cdn-website.com/6d42808b/dms3rep/multi/business-concept-different-documents-on-260nw-1656786061.webp">
        <media:description>main image</media:description>
      </media:content>
    </item>
    <item>
      <title>Vendor Information Security Program</title>
      <link>https://www.medstartcompliance.com/vendor-information-security</link>
      <description />
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Top 5 Actions for a Vendor Information Security Program
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div&gt;&#xD;
  &lt;img src="https://irp.cdn-website.com/6d42808b/dms3rep/multi/making-a-budget-tracking-finances.jpg"/&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           As companies continue to rely on third-party vendors for their operations, vendor information security programs have become increasingly critical. It is no longer enough for companies to solely focus on securing their own networks and systems. They must also ensure that their vendors and partners are taking the necessary steps to protect their shared data.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Here are the top 5 actions required for a successful vendor information security program:
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;ol&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
            Vendor Assessment and Selection: The first step in a vendor information security program is to assess the security posture of your vendors. This includes reviewing their security policies, procedures, and controls. It is important to ensure that your vendors have adequate security measures in place to protect your shared data. You may also want to consider conducting background checks on your vendors to ensure that they have a good reputation and a history of providing secure services.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
            Contractual Obligations: Once you have selected your vendors, it is important to establish clear contractual obligations regarding information security. These obligations should be included in the vendor contract and should cover aspects such as data protection, incident reporting, and security audits. It is also important to define the consequences of any security breaches or violations of the contractual obligations.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
            Ongoing Monitoring and Risk Assessment: A vendor information security program should include ongoing monitoring of your vendors’ security posture. This may include periodic security audits, vulnerability scans, and risk assessments. It is important to identify any potential vulnerabilities or threats and take appropriate action to mitigate these risks.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
            Incident Response Planning: In the event of a security breach or incident, it is important to have a well-defined incident response plan in place. This plan should outline the steps to be taken in the event of a breach, including who to notify, how to contain the breach, and how to recover any lost data. It is also important to communicate this plan to your vendors and ensure that they have their own incident response plans in place, including how and how quickly they will notify you of an incident affecting your data, consistent with the notification obligations in the contract.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;&#xD;
      &lt;span&gt;&#xD;
        
            Employee Training: Finally, it is important to ensure that your employees are trained on information security best practices and are aware of the risks associated with vendor relationships. This may include training on topics such as phishing attacks, social engineering, and secure data handling. By educating your employees on these topics, you can help to reduce the risk of security incidents caused by human error.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/li&gt;&#xD;
  &lt;/ol&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           In conclusion, a successful vendor information security program requires a multi-faceted approach. It involves vendor assessment and selection, contractual obligations, ongoing monitoring and risk assessment, incident response planning, and employee training. By taking these steps, companies can help to mitigate the risks associated with third-party vendors and ensure the protection of their shared data.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Next:  How to Review a SOC2 report from a vendor
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <pubDate>Mon, 27 Mar 2023 15:53:53 GMT</pubDate>
      <guid>https://www.medstartcompliance.com/vendor-information-security</guid>
      <g-custom:tags type="string" />
    </item>
  </channel>
</rss>
