Common Criteria 9.2

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.2 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s take a look at key ways organizations can manage vendor risk.

Managing Vendor Risk for SOC 2 Compliance

It’s rare today for an organization to operate without relying on third-party vendors for some part of its business functions. From payroll processors to electricians, managing vendor risk is essential to keeping a service organization secure. Think of it like this: what would the impact be if a third-party vendor was hit by a natural disaster and couldn’t fulfill a critical function of an organization’s business? What if a third-party vendor hosted all of an organization’s sensitive data and was later breached? It’s happened before, and it will happen again. This is why, during a SOC 2 audit, an auditor will validate that an organization complies with common criteria 9.2 by using the following points of focus as a guide to confirm that the organization is managing vendor risk.

  • Does the entity establish requirements for vendor and business partner engagements?
  • Does the entity assess vendor and business partner risks?
  • Does the entity assign responsibility and accountability for managing vendors and business partners?
  • Does the entity establish communication protocols for vendors and business partners?
  • Does the entity establish exception handling procedures from vendors and business partners?
  • Does the entity assess vendor and business partner performance?
  • Does the entity implement procedures for addressing issues identified during vendor and business partner assessments?
  • Does the entity implement procedures for terminating vendor and business partner relationships?


Common criteria 9.2 for the 2017 SOC 2 Trust Services Criteria has to do with assessing and managing risks with vendors and business partners. This world has completely changed in the last three years in relation to the third parties we do business with. Gone are the days when we simply had a written agreement with our client or an NDA signed, and that was the extent of our knowledge of what the vendor does or how they operate. Many compliance standards, like SOC 2, have changed to specifically address how organizations should deal with risk from third-party vendors or business partners. What are the things that could happen on their side that could impact us? We need to take ownership of those risks, because they’re our risks. If a threat is realized in the third party’s environment, it’s going to impact you, so you need to account for it. You can’t abdicate responsibility and leave it solely in the third-party vendor’s hands. Moving beyond written agreements means truly understanding what the third-party vendor does for you and what risks the relationship poses. Once you understand what they do and how they could impact your organization, you can design a way to manage that risk. For example, you might request a specific report from third parties before engaging with them, you might want to be notified if the organization experiences turnover, or you might even decide to do site visits to verify the controls they have in place or send an auditor to assess their controls. You’re really trying to think more specifically; you don’t want to apply one way of managing vendors to all vendors, because every environment is different. You need to get to a place where you can assess what they’re doing for you and how they’re doing it, so that the controls you’ve put into place are relevant to the information you’re asking them to provide to you.

The GDPR has quickly reshaped attitudes towards data privacy around the world and has given EU data subjects more autonomy over how their data is used than ever before. Personal data increasingly flows between organizations because most businesses partner with other companies or outsource some aspect of their business functions, creating webs of responsibility and oversight.

However, with many ambiguous requirements for data controllers, processors, and sub-processors, entities might still have questions about certain requirements under the law, such as what must be included in a data processing agreement (DPA). These data processing agreements are critical to ensuring the privacy of data subjects’ personal data.

Let’s review what a DPA is, what needs to be included in a DPA, and examples of DPA clauses.

What is the Data Processing Agreement for GDPR?

Article 28(3) of GDPR requires that controllers, processors, and sub-processors must enter into written contracts, or data processing agreements, in order to share personal data. Data Processing Agreements (DPAs) establish roles and responsibilities for controllers, processors, and sub-processors, and create liability limitations.

Essentially, a DPA is a form of assurance that the processor or sub-processor performs their due diligence to ensure the privacy of personal data. For instance, if a controller and processor enter into a DPA and the processor experiences a breach, then the DPA would potentially limit the controller’s liability for breaches.

Data Processing Agreement Requirements

What needs to be included in a DPA? GDPR is very prescriptive when it comes to DPA requirements. Article 28(3) states that DPAs must include specific details regarding the processing of personal data, including:

  • The subject matter of processing
  • The duration of the processing
  • The nature and purpose of the processing
  • The type of personal data involved
  • The categories of data subject
  • The controller’s obligations and rights

Additionally, DPAs must include specific requirements for processors:

  • The processor must only act on the controller’s documented instructions unless required by law.
  • The processor must ensure that people processing the data are subject to a duty of confidence. This can be accomplished through employee confidentiality agreements or acceptable use policies.
  • The processor must take appropriate measures to ensure the security of processing. This can be accomplished through third-party audit reports or information security questionnaires.
  • The processor must only engage with a sub-processor with the controller’s prior authorization and under a written contract.
  • The processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights. This can be accomplished through features within software applications or through manual processes.
  • Taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments. Contracts should specify the type of information and timeframes required for breach notification.
  • The processor must delete or return all personal data to the controller at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage.
  • The processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations. GDPR is unclear regarding the extent to which controllers can exercise their audit rights, so your contract should be specific about the nature of audit rights (frequency, type of audit, cost).

Examples of GDPR Data Processing Agreement Clauses

Whether you’re a controller entering into a DPA with a processor, or a processor engaging with a sub-processor, ensuring that the specific wording of your DPAs meets these requirements may seem challenging. Fortunately, the European Commission has published model clause examples for controllers, processors, and sub-processors to reference. While these clauses are designed for international data transfers, they use standard clause language approved by the EU, which gives organizations access to real contract language that adheres to the requirements of Article 28.

Additionally, as many data controllers work with more than one processor or sub-processor, creating a new DPA for each partnership is daunting. This is why many service providers, such as Amazon Web Services and Salesforce, have made their DPAs publicly available online for controllers to use.

While the GDPR enforcement deadline has now passed, it’s never too late to start your compliance efforts. Have questions about creating a DPA? Want to learn more about how KirkpatrickPrice can help you achieve your GDPR compliance objectives? Contact us today.


From WeWork, Impact Hub, and Knotel to Serendipity Labs, Green Desk, and Techspace, coworking spaces are revolutionizing how people work. A shared working space, or coworking space, is an environment that fosters collaboration by allowing companies and employees of all sizes and industries to share equipment, offices, and in some cases, ideas. These coworking spaces offer a variety of benefits, including flexible leasing or membership options, more affordable working spaces, resources for start-ups, and offices for conferences and meetings; the list goes on. It’s no surprise that remote employees, start-ups, and established enterprises have all begun to use these innovative shared working spaces. However, with coworking spaces in such high demand, one must stop to ask: what are the information security concerns for shared working spaces? What potential risks do shared working spaces pose for the various clientele they serve? Let’s find out.

Top 4 Information Security Concerns for Shared Working Spaces

While the benefits of using coworking spaces are enticing, organizations must be aware of the information security concerns that shared working spaces pose to their security posture. When working in an environment that caters to a variety of organizations, industries, and clientele, businesses and coworking facilities must perform their due diligence to ensure that their organizations’ assets remain secure. So, how can this be done? We believe that organizations should review these top four information security concerns for shared working spaces before signing up for any type of membership.

Physical Security

Perhaps one of the top information security concerns for shared working spaces is physical security. With the number of members coming in and out of the coworking space each day, shared working space facilities must have processes for verifying the identity of members. This might be ID badges, key fobs/cards, biometric access controls, security guards, and/or receptionists. There should also be some type of video surveillance, monitoring, and logging so that if an unauthorized person gains access to the facility, there will be documentation.

Internet and Cybersecurity Policies

Another top information security concern for shared working spaces has to do with Internet and cybersecurity policies. Does the shared working space offer unique WiFi credentials for each user or company? How does the coworking space segment each member’s access to the Internet? A malicious hacker could easily purchase a day pass to a coworking space, hack the WiFi, gain access to members’ sensitive information, and breach the data of multiple organizations. If you’re going to work out of a shared working space, make sure that the organization has strict Internet and cybersecurity policies to keep you and your data protected from potential hacks.

Device Security

Depending on the type of membership one purchases, there are different concerns for device security. If a start-up purchases a monthly membership and plans to work out of the office every day, they might want to leave their equipment in the coworking space. This would call for greater security controls to be implemented in addition to the physical security controls mentioned above. In this case, the coworking facility would need to offer lockers or locked rooms to keep devices from being stolen. On the other hand, if a remote employee uses the coworking space on a day-to-day basis and has no need for leaving their devices overnight, there still needs to be device security controls in place to ensure that their device remains secure. What if a remote employee gets up to grab a coffee? What security measures are in place to ensure that the device left on the table isn’t compromised while they’re away from their desk?

Personnel Security

In a collaborative environment, it can be easy to overhear confidential conversations or shoulder surf, which is why it’s paramount that the coworking facility offers solutions to mitigate this. Let’s say that two competitors work out of the same shared working space. If one company overhears a product pitch and decides to copy the idea, that could result in the demise of the other company. There need to be conference rooms or secure locations where members can share ideas and hold confidential meetings without the risk of sensitive information being overheard and/or stolen. To mitigate the risk of shoulder surfing, on the other hand, each member should take their own precautions, using polarized screen shields and locking their screens whenever not in use.

The allure of coworking spaces doesn’t seem like it’s dying down anytime soon. If your organization is considering utilizing a coworking facility, make sure you perform your due diligence and ask questions about how the shared working space addresses these top four information security concerns. If they don’t have established and effective policies and procedures for physical, Internet, device, and personnel security, they aren’t a secure facility.

Interested in learning more about how you can stay protected when working in a shared working space? Contact us today.


In February 2018, the US Securities and Exchange Commission (SEC) affirmed something we know to be true: as organizations rely more and more on technology, the frequency and complexity of cybersecurity threats continue to increase. The SEC issued interpretive cybersecurity guidance, which builds upon the Division of Corporation Finance’s guidance from 2011, for public companies to follow when dealing with cybersecurity incidents and risks.

This cybersecurity guidance communicates several major points to the public, including guidance for disclosing cybersecurity incidents, the prevention of insider trading, and developing comprehensive policies and procedures.

The Need for Cybersecurity Risk Management

Organizations, no matter their size or industry, must be aware of cybersecurity risks and have a plan to mitigate them. It’s reassuring to hear that the SEC recognizes just how real cybersecurity risks and threats are. The 2018 cybersecurity guidance states, “…the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks.” Going even further, it makes this parallel, “As companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased. Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”

At KirkpatrickPrice, we often communicate that the cost of cybersecurity risk management is a smart investment, rather than spending that money on remediation from cybersecurity incidents. The SEC’s 2018 cybersecurity guidance does a great job of outlining just how much the recovery from cybersecurity incidents can cost. If you’re hesitant to undergo audits, penetration testing, or begin cybersecurity risk management at your organization, consider the following recovery factors from the SEC:

  • Increased cybersecurity protection cost
  • Lost revenue
  • Remediation costs
  • Litigation and legal risks
  • Increased insurance premiums
  • Reputational damage
  • Damage to the company’s competitiveness

Disclosures and the Security Paradox

How much should companies disclose about their cybersecurity incidents or their cybersecurity risk management efforts? That’s the ultimate security paradox – how much do you share, and how much do you keep internal? Many organizations adopt the approach of refusing to release any information about their cybersecurity practices, even during an audit or penetration testing. They tend to think, “By not sharing information, we’ll be more secure. Why would we give away information about our security?” We believe that the more you isolate yourself, the less secure you are.

The SEC’s cybersecurity guidance addresses this very subject and says, “This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.” The expectation is that companies disclose cybersecurity risks and incidents that would be significant to investors, like those that have financial, legal, or reputational consequences.

SEC Guidance on Policies and Procedures

Policies and procedures are vital to any company’s cybersecurity risk management program. They are so important, in fact, that every major framework has at least one entire section devoted completely to policies and procedures. The SEC’s 2018 cybersecurity guidance is no different. The guidance encourages comprehensive policies and procedures related to cybersecurity and overall compliance, but there is a heavy emphasis on disclosure controls. The guidance states, “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

In September 2018, the SEC charged Voya Financial Advisors (VFA) with failure in cybersecurity policies and procedures that led to a hack which compromised their customers’ personal data. The SEC reported that the attackers used social engineering tricks to get VFA’s contractors’ passwords reset, which gave the attackers access to the personal information of 5,600 customers. There were multiple points where VFA failed to follow their policies and procedures, but from the moment employees fell for the social engineering scam, they were failing to follow their policies and procedures regarding contractors.

Trying to ensure that your company is correctly interpreting the SEC’s 2018 cybersecurity guidance? Want some help developing comprehensive policies and procedures? Let’s partner together!


Independent Audit Verifies American Financial Resources’ Internal Controls and Processes

Parsippany, NJ – American Financial Resources, a full-service mortgage lender, today announced that it has successfully completed its SOC 2 Type II audit. This attestation provides evidence that American Financial Resources has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of American Financial Resources’ controls to meet the standards for these criteria.

“For the last 20 years, our industry success has been built upon the trust and confidence of our customers, clients and suppliers,” said Bill Packer, executive vice president and chief operating officer, American Financial Resources. “This attestation is independent validation and further proof of our ongoing commitment to hold ourselves to the highest of industry standards, which enable us to provide best-in-class service to all those we serve.”

“The SOC 2 audit is based on the Trust Services Criteria. American Financial Resources has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “American Financial Resources delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on American Financial Resources’ controls.”

About American Financial Resources

American Financial Resources, Inc. (AFR), the leading FHA 203(k) lender for sponsored originations in the country and an innovator in the construction and renovation lending area, is ranked among the nation’s leading mortgage lenders. AFR utilizes the latest technology and delivers educational resources to mortgage brokers, loan originators and their customers. For more information, visit www.afrcorp.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.