IT leaders assess security providers based on certain criteria, i.e., cost, capabilities, and vector coverage. Trust is leveraged in this assessment, especially if referral-based. However, when it pertains to protecting your business assets i.e., sensitive data, due diligence is key. Not validating claims of accreditation, or tendered value with evidence is a risk you do not want to take.
In this post, you will learn more about the importance of Service Organization Controls (SOC) in selecting your service providers. We have also taken into consideration that not all SOC 2 audits are created equal and removed the guesswork by providing specific questions you can use to vet each provider’s commitment to data privacy compliance.
Though Service Organization Control has an identical abbreviation with the Security Operations Center (SOC), and overlapping context when it comes to cybersecurity, they are not the same. Now that we have cleared that up, let’s dive in.
What are Service Organization Controls (SOC) and why are they important?
The primary objective of the SOC 2 is information and system security. It isn’t a requirement, but it says a lot about a company’s services and culture and ultimately crucial in vendor selection.
SOC 2 reports contain the outcomes of the audit conducted by a credible external auditor, preferably one certified by the American Institute of Certified Public Accountants (AICPA). SOC 2 focuses on five service tenets— information security, availability, process integrity, confidentiality, and privacy controls. The reports address the controls of a service organization, relevant to their operations, to ensure best-practice informed data security solutions.
For context, this looks like:
1) Protection against unauthorized access
2) Assurance of the availability of information and operational system
3) A comprehensive, accurate and authorized system processing
4) Safeguarding confidential data, and
5) The proper collection, disclosure, and disposal of personal information
SOC 2 is advanced and more thorough than privacy regulations like the European General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), but ultimately is also driven from the concept of protecting information.
Why should I look for a security provider with SOC 2?
Remember when we talked about trust? SOC 2 is a stamp of approval for service providers and cements their credibility. Handling sensitive information is a core element of cybersecurity. You want to be confident in who you entrust your data to. We mean what we said earlier—not all SOC 2 are created equal. So, take care to invest in either a SOC auditor or Chartered Professional Accountant (CPA) to investigate and verify the details provided by the vendor. Read more on the importance of the SOC 2 certification. Below are some sample questions to ask your cybersecurity vendor. For access to more probing questions, download our cyber vendor evaluation package.
1) What data does the cybersecurity provider collect and how?
Every organization captures, stores, and secures data. But what is collected, and how, differs. For IT leaders, visualizing the vendor's process will give insight into the validity of the capabilities and outcomes described. An awareness of the type of data collected by your service provider, i.e., sensitive (PII, financial records, proprietary information), non-sensitive or meta is also beneficial to knowing expected procedural (governance and accountability) rigor.
2) Where does the cybersecurity provider store your data?
Many vendors will simply rely on the fact that they can use cloud services from one of the three main cloud service providers (CPSs) to host data— delegating data security to that provider. Chances are that the security afforded by providers like AWS, Google, and Microsoft are indeed superior to on-perm data centers. While this is good, it’s important to assess the answer given by the provider in the context of the first question, and with their credentials in mind.
3) What is the geographic location of my organization’s data?
There is a lot of debate about where data should reside. The provisions of the United States-Mexico-Canada Agreement (USMCA) which loosens the strings around data transfer, without removing the ability to create data rules around ePII itself, has fostered even deeper conversations since 2020. It is much safer to store data where it is processed, so make sure to ask if your data is stored in your country of residence or elsewhere, presumably where the vendor’s Data Science team is located.
4) How does SOC 2 protect my data from exfiltration?
Some vendors will check-off the SOC 2 boxes and claim they are secure. But are they really? Does your vendor provide intrusion protection? Firewalls? Encryption? Are they storing sensitive data in ways that are resistant to decryption (e.g., hashed and salted)? Do they require the use of multi-factor authentication? What data loss prevention (DLP) solutions or processes do they have in place? Or, if they’re saying their perimeter approach will prevent exfiltration, what measures do they have for you to assess its efficacy?
Look for vendors who offer privileged access management (PAM) and a robust security awareness training (SAT). You want a security partner that will continuously monitor your network looking for signs of breach attempts, or any activity that could cause damage to systems, or compromise the availability, integrity, confidentiality, and privacy of information on your systems.
5) What security tools does your service provider use for data processing?
Security is a multi-pronged effort. It requires people, process and technology. Trusting your provider’s systems and its technicians is fundamental to a successful partnership. This means ensuring your IT supply chain is secure. For more on this, see our whitepaper: 6 steps to secure your IT supply chain.
These days, the average enterprise software contains a host of different third-party code dependencies, which signals the heightened potential for risk. Consequently, a significant part of IT supply chain security is monitoring and assessing how much risk your provider introduces into your environment.
Only consider providers that purchase mature tools – not open source – or, who build their own. Your provider’s systems should include an exhaustive redundancy and disaster recovery plan to ensure the availability of data and systems when needed.
6) What change management processes are implemented by your security provider?
The process of change management ensures the maintenance of high availability systems, which is very beneficial to your business.
ActZero has an established change management process that involves identification, risk assessments and logging system changes. This includes employee and user entity notifications, approval of proposed changes, an evaluation on the effects of approved changes, and testing the changes to verify operational functionality.
Infrastructural and software changes are developed and tested in a separate test environment pre-implementation, which helps to mitigate prospective risks.
Let’s face it, these are unprecedented times, both in the real and cyber world. Designing resilient security systems is no easy feat. But you can pass the buck by investing in a reputable service provider. It’s a partnership that will yield high returns for years to come.
Your security matters to us and we are committed to protecting your data. To get you started on the right path, schedule your complimentary Ransomware Readiness Assessment today. Or, to learn more about our approach to SOC 2 controls, reach out to us here.