Common Criteria 3.2
While organizations must consider the risks to their operations, finances, and reputation caused by threats inside their organization, they must also consider outside risks from business partners and third-party vendors. During a SOC 2 audit, organizations will have to demonstrate that they consider the risks from business partners and third-party vendors in order to comply with the SOC 2 common criteria 3.2, which states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Let’s take a look at the reasoning behind this, other frameworks that have vendor compliance requirements, and what can happen if an organization fails to manage the risks from business partners and third-party vendors.
Vendor Compliance Management for SOC 2 Compliance
As organizations increasingly outsource components of their business, it’s more crucial than ever to have a strong vendor compliance management program. Why? Because working with vendors puts your organization at a greater risk for data breaches or security incidents. By having an effective vendor compliance management program, you will be able to identify, mitigate, and better control risks from business partners and improve the security of your organization.
Think about it this way: what happens if your operations depend on the availability of your vendor’s services, but their service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor has a breach, what liability is held to your organization? These are the types of scenarios that your organization must consider when selecting vendors and effectively managing vendor risk, especially in order to comply with common criteria 3.2.
Vendor Compliance Management for Other Information Security Frameworks
Vendor compliance is a hot topic in the information security industry. Aside from SOC 2 compliance, having a vendor compliance management program in place is a critical component of many other information security frameworks, such as:
- PCI DSS: PCI Requirement 12.8 asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could negatively impact the security of cardholder data. PCI Requirement 12.8.1 also specifically asks that entities maintain a list of service providers including a description of the service provided.
- HIPAA: In order to comply with the HIPAA Privacy and Security Rules, covered entities must enter into Business Associate Agreements with their business associates or vendors. Such agreements must adhere to the standards set forth in 45 CFR 164.504(e), which addresses proper uses and disclosures, safeguards, incident reporting, and termination rights.
- NY CRR 500: NY CRR 500 requires two elements for effective vendor compliance management: a cybersecurity policy (Section 500.03) and a third-party service provider security policy (Section 500.11).
It’s no surprise that so many frameworks require that organizations must have a vendor compliance management program in place; breaches caused by vendors have skyrocketed recently. In June 2018, Ticketmaster UK discovered that its customer support chatbot software from Inbenta was hacked. It was later discovered that this breach exposed a much greater one: a massive credit card skimming campaign by the threat group Magecart, something that may have been prevented if a vendor compliance management program was effectively in place. That is just one example; the list goes on and on. Companies like Best Buy, Delta Air Lines, and Sears, as well as Lord & Taylor and Saks Fifth Avenue all experienced vendor-related breaches that could have been prevented.
More SOC 2 Resources
A very common thing that we find missing in risk assessments when we’re trying to comply with SOC 2 common criteria 3.2 (CC3.2) is not including risks from business partners and vendors. This is a hot topic these days. All of the information security frameworks have been updated to include the issues that affect us from third-party vendors who might have security issues that impact us. You need to make sure that you include that as one of the risks that you consider in your own risk assessment.