One of the biggest issues today in the world of Cyber is that of Vendor Management. With the world becoming more interconnected on a daily basis, outsourcing certain business processes has become the norm. For example, a business can find a third-party supplier overseas, or even here in the United States. But whoever you choose to work with, it is imperative that you vet your partner as much as possible, in order to make sure that their levels of Cybersecurity come up to par with what you have.
In this regard, it is the “SOC” compliance framework that is most widely used to confirm just how Cyber strong and resilient a potential third-party supplier is. The acronym stands for “Service Organization Control”, and there are actually three different versions of it. It is the second one, officially known as “SOC 2”, which is the most common standard. Within this, there are two different types of “SOC 2”, and they are as follows:
1) SOC 2, Type 1: This focuses strictly on the effectiveness of the controls that reside within the IT/Network Infrastructure of a third-party supplier. It is primarily used to determine if these controls are enough to safeguard the datasets that you will be entrusting them with.

2) SOC 2, Type 2: This is a much more exhaustive study, and examines the effectiveness of the controls in the IT/Network Infrastructure of the third-party supplier over a defined period of time.
But there are three shortcomings of the SOC 2 Framework which need to be addressed:

1) The Scope: Unless it is specifically requested by the business that is seeking a SOC 2 compliance report from a third-party supplier, not all of the controls will be included. Therefore, there is no guaranteed way of finding out whether all of the controls have been upgraded and/or fully optimized.

2) The Timeframe: Most SOC 2 assessments only provide a review of the controls at one point in time (unless the Type 2 study is specifically requested). Therefore, it really has no value afterwards, because the Cyber Threat Landscape is always changing, on a dynamic basis.

3) The Subjectivity: Typically, it is the third-party supplier that will perform the SOC 2 assessment on those controls that they deem important. While the business that is vetting potential vendors will have input, there is no guarantee that it will actually be honored.
So while the SOC 2 framework does offer some benefits, it does have its disadvantages as well. So what can a business do? Here are some tips:

1) Create a questionnaire: Just as insurance carriers are now requiring potential policy holders to fill out an exhaustive survey attesting to their controls, you should do the same for the third-party suppliers that you are scoping out. But take this one step further: after they have filled out your questionnaire, have an outside auditor validate their answers.

2) Do more exhaustive testing: In this regard, require that the potential third-party suppliers conduct both Vulnerability Scanning and Penetration Testing to make sure that all gaps and weaknesses have been uncovered.

3) Have airtight contracts: Once you have selected a third-party supplier, it is absolutely critical that the contracts you have them sign are completely “airtight”. This means that they have attested, under the penalties of perjury, that all of the needed controls are in place and will be optimized on a continual basis. Your goals and expectations need to be clearly spelled out here as well. Always get a reputable attorney to draw up these contracts for you; don’t rely on a Generative AI tool like ChatGPT to do this for you.
My Thoughts On This:

Although risks can still happen, it is up to you in the end to select the third-party supplier that not only best meets your needs, but whose levels of Cybersecurity are also on par with yours. In the end, if they are the victim of a Data Exfiltration attack, you will ultimately be held responsible for it, not them.

Finally, it is equally important that you maintain a clear and transparent line of communication with them, especially when it comes to the sharing of Cyber Intelligence about potential Threat Variants that could be coming down the road.