Description
Instead of completing a full standards-based risk assessment, some vendors simply submit their most recent SOC 2 report. However, for organizations that lack the expertise and resources, interpreting these SOC 2 reports can be complex and time-consuming – not to mention inconsistent with how other vendors are assessed.
How do you simplify the process of analyzing SOC 2 reports and get what you need to visualize important vendor risks?
Join compliance expert Thomas Humphreys as he:
- Deconstructs a typical SOC 2 report, including the five Trust Services Principles
- Explains how to map SOC 2 report control exceptions into risks in a common vendor risk and security framework
- Describes best practices to remediate a vendor’s SOC 2 control deficiencies
Watch this webinar to learn how to analyze the effectiveness of a vendor’s security controls consistently with the rest of your third-party estate.
Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.
Speaker

Thomas Humphreys
Compliance Expert
Transcript
Melissa Lent: Hello everyone. This is Melissa Lent. I’m the director of education at OAG and I’d like to welcome you to our webcast today, during which we will present how to decode third-party SOC 2 reports. We are glad you can join us for this event. Instead of completing a full standards-based risk assessment, some vendors simply submit their most recent SOC 2 report. However, for organizations that lack the expertise and resources, interpreting these SOC 2 reports can be complex and time-consuming, not to mention inconsistent with how other vendors are assessed. How do you simplify the process of analyzing SOC 2 reports and get what you need to visualize important vendor risks? We are glad you can join us as we discuss how to analyze the effectiveness of a vendor’s security controls consistently with the rest of your third-party estate. For our discussion today, we are joined by our speaker Thomas Humphreys, compliance expert and content manager with Prevalent. We are very pleased to be joined by Thomas as he shares his insight on analyzing the effectiveness of a vendor’s security controls and how to decode third-party SOC 2 reports. But before we start, I’d like to take a minute to go over a few housekeeping notes. First, regarding continuing education credit, we provide NASBA-approved CPE credit to you for participation in live webinars. If you have an OG All Access Pass, which you can purchase individually or as part of a company subscription, the All Access Pass includes many benefits in addition to CPE credit for webcasts, such as access to all OEG resources and on-demand education series. So, if you don’t already have a pass, I would encourage you to check it out on the OEG site.
Melissa Lent: If you do have an All Access Pass and would like a certificate of completion for CPE for this event, please be sure to stay with us for the entire hour and to answer all the polls. These are requirements for receiving CPE credit for this event. And please note, certificates of completion for CPE credit are available only for live events. They are not available for viewing archived webinars. Second, regarding the recording from this webcast, we will have the recording of this event posted on the OSC website. Just log into the site, then go to the webinars tab and select past webinar recordings and then this webcast. This recording may be viewed by anyone for about one week, and after this time the recording may be viewed by anyone with an All Access Pass. Third, regarding upcoming events and activities, please watch your email for announcements from OG about other upcoming webinars. You can view information about these upcoming webcasts on the OEG site. So today we will address the following learning objectives. We will learn how to deconstruct a typical SOC 2 report, including the five trust services principles; explain how to map SOC 2 report control exceptions into risks in a common vendor risk and security framework; describe best practices to remediate a vendor’s SOC 2 control deficiencies; and determine how to create an agile, integrated and tech-driven compliance program. But before we hand over the presentation to our speaker, we’d like to offer our first poll. And again, please be sure to answer this poll if you are interested in receiving CPE credit for this event. The first poll question is, “Do you have an OAG All Access Pass, which is a paid membership, and would you like to receive CPE credit for this event?”
Melissa Lent: Your options here are: yes, I have an All Access Pass and I would like to receive a CPE certificate of completion for this event; I have an All Access Pass, but I don’t need a CPE certificate of completion; no, I do not have an All Access Pass, but I would like to get one and receive CPE credit for this and future webcasts I attend; or no, I do not have an All Access Pass and I don’t want to buy one at this time, so I won’t receive CPE credit for this event. As you are answering this poll, I’d like to hand over the presentation to Thomas to begin our discussion today.
Thomas Humphreys: Thank you very much, and hello everyone. My name is Thomas Humphreys. I’m the content manager at Prevalent. I work to build various assessments and frameworks built on many standards, not least including SOC 2. And as indicated, I’m here today to really get to grips with understanding what a SOC 2 report is all about and being able to digest the pertinent topics and aspects that will enable us to understand risks and exceptions in the reports, and how to ingrain them into our wider third-party risk management program. So let’s make a start with an introduction to SOC 2 assessments. So SOC, or System and Organization Controls, is a set of frameworks that enables organizations to demonstrate security and, in some cases, privacy controls against their own operations, systems and information, and the effectiveness of those controls. So reports are provided by independent auditing bodies, and they can be split up into two types, Type 1 and Type 2. A Type 1 SOC report is a report that’s delivered at a moment in time by an auditor, and the focus is very much on the design of controls. You often find that organizations who are going for SOC for the first time will typically start with a Type 1 report, because it gives confidence to develop and demonstrate that controls have been designed appropriately, and that policies, processes and control groups have been established. Type 2 reports are longer, they’re more extensive, and they provide more detail, both to the auditor and to the organization being audited, but also to their wider audience.
Thomas Humphreys: Customers, regulators, anyone else who may receive or request a SOC report. The purpose of the Type 2 is very much looking at the operational effectiveness of the controls, and as such it is delivered over a longer period, typically up to six months. The purpose, of course, being that an auditor viewing the controls needs to have confidence and to make sure that those controls that have been designed are effectively working, and more often than not you need a reasonable time frame in order to do that.
Thomas Humphreys: So for example, when an organization has designed controls around change management, incident management and capacity planning, they need to be able to dig into the details of existing changes and how changes are being managed, for example, or how capacity is affecting systems, and so that’s very much the purpose of the Type 1 or the Type 2 report: the design effectiveness and the operational effectiveness. So they’re delivered by independent auditors and auditing bodies who have been certified to carry out such assessments. When it comes to SOC itself, there’s a lot of structure around it, based on five key control groups, what are termed the trust services criteria, and these are criteria that we’ll touch on later on. These set out a series of controls not too dissimilar to other recognized standards and frameworks. Anyone familiar with ISO 27000, for example, or NIST or ISF, or other information security or cyber security frameworks, will recognize some commonality here with the type of controls that are being identified and being assessed. So there’s a series of control groups that the auditors use to validate against the organization. But it’s important to note at this time, and as we’ll see later on through the webinar, that it’s not always necessary for every control group to be assessed against a particular organization. When it comes to scoping out your assessment, SOC 2 allows organizations to very much tailor the assessment based on their product and service delivery. And as we will see, there are some control groups that organizations deem not applicable to the business.
Thomas Humphreys: Whether that’s logically based on the nature of the product and service they’re looking at, or whether there are other factors that drive the scope and ring-fence the scope of assessment. So SOC 2 is a structured approach that sets a framework for enabling organizations to demonstrate best practices in information security, cyber security and, in some cases, privacy, which more often than not is delivered to their wider client base and other external stakeholders. So it’s important now just to perhaps take a wider look at the concept of the SOC 2 report itself.
Thomas Humphreys: So I’ve already mentioned that there are two types of reports and that they are assessed and delivered by independent auditors. However, one of the key areas that we need to make clear, and that may become apparent the more SOC 2 reports that you receive, is that they can look very, very different depending upon the auditing body. The way they structure the SOC report can be slightly different, and this can cause confusion at times: if we’re receiving two reports, we still need to get the same detail around whether the scope matches the service delivery that this vendor is providing to us. Are we able to ascertain whether there are any exceptions or nonconformities that we need to pay close attention to? However, despite the difference in the design and the layout of each SOC report, there are typically five areas that every report will contain. Some will be more detailed than others, but they should still have these five areas. And if we understand what these five areas are and you’re able to identify them within a report, it makes it so much easier trying to get to grips with: should we be concerned with this organization based on perceived risks or known risks, or is it a clean bill of health with the best practice standards that they’ve implemented? So on the left-hand side of the screen you see five bullets: the auditor summary; an overview of organizational operations, processes and systems; scope of the report and the trust services criteria; control activities and audit validation; and management response. On the right-hand side, we have a sample table of contents showing some of the pertinent areas that we see in a SOC 2 Type 2 report.
Thomas Humphreys: So when it comes to the auditor summary, what are we looking at here? Like many reports, you’ll typically find a high-level, almost executive summary, if you will, that sets the scene for the wider report, and this is where the auditor presents a summary of the results and an overview of their assessment methodology. They may include aspects around exceptions that they’ve identified. In some instances they already report on the specific scope of the SOC 2.
Thomas Humphreys: The aspects of the trust criteria that they have assessed the organization against. So it gives a very executive, high-level overview of what’s happened and the overall performance of the organization when they’ve been assessed. Moving on to the overview of organizational operations, processes and systems, it’s worth highlighting section three just to underline the extent and the depth that this section goes to. As you can see, there are quite a lot of sub-controls and sub-clauses here, covering quite a large volume of the report. And the purpose here is to really go into detail on what processes, the interlinks between processes, what systems the company uses and operates with, and how those processes and systems interact with each other. So this could be high level, from a company background perspective, giving an overview of what the organization does: the products and services it supplies, maybe the geographies the organization operates in. Then down to some of the more granular detail around core processes that they use: risk assessment processes, processes that enable monitoring, information and communication processes, the control environment itself. We can then go down into a bit more depth around some of the technical capability of the organization: if they use SIEM systems for event monitoring, if they have vulnerability assessments and penetration testing, and if they conduct information backup and the type of backup systems that they utilize. So it can be quite overwhelming at first when you see this volume of information, because it really can go into a lot of depth, and some independent auditing bodies do choose to go to that level of depth, and that represents in some cases the complexity of the organization.
Thomas Humphreys: Why is this important? Well, obviously, when we receive a report from a vendor, one of the key things we need to make sure of is that the scope that’s been assessed against ties in or aligns to the scope of service that the third party is providing to us: the type of product and service and service delivery.
Thomas Humphreys: If the scope actually falls outside and is very much ring-fenced for a different part of the operations rather than what this third party is providing to us, it then presents a completely different slant on how we interact with that third party, particularly if there are systems that we know have not been covered, have not been assessed for the security controls or privacy controls, for example. If it isn’t already mentioned within the auditor summary, there will be a section that touches on the scope of the report, and this is one of the most important parts to identify first off, because this will detail the exact control groups that have been assessed by the auditor. So as we’ll see shortly, there are five control groups, and at this stage we’ll have an idea of whether all five have been identified, whether one has been assessed, or multiple in between. Moving on then to the control activities and audit validation. This is where we then get into the detail of those controls, and we start to identify what the control is, how the company has responded to or used that control, and then the auditor’s response: their view and their analysis of the controls, and whether there are any exceptions or not that are captured as well. If there are exceptions, and I’ll explain later on what an exception is, there then will be some form of management response in the report as well. And this is quite critical, because when we’re looking through the control activities, and if we’re counting and identifying where exceptions have been identified,
Thomas Humphreys: at this stage it may already be a control that has been managed, because the management response is the organization’s ability and chance to explain whether there already is an action plan in place to address the findings that have been raised. It may be that there’s further clarification, such that a control that may be deemed an exception and is not visible has actually been captured elsewhere.
Thomas Humphreys: So it’s a good point and chance from the management side to either recognize, put in place and put on record the approach the organization is going to take, or validation and verification of controls and activities that have already been put in place. So once we receive a new SOC report, if we can already identify these five areas, from the summary through to control activities, scope and any responses, it should already put us in a much better position to get to the heart of what’s been captured and covered, and whether there are any risks or not that we need to be mindful of. So I’ve mentioned the five trust services criteria multiple times, and I’ve highlighted that organizations are able to scope based on these criteria. So we have five key groups: security, confidentiality, processing integrity, availability and privacy. So what are these five groups? As I mentioned, in a similar vein to the likes of ISO and NIST, these are top-level groups under which are a series of controls that organizations then are assessed against. So let’s go through each one. From security, we’re looking at controls to protect against unauthorized access, unauthorized disclosure of information and damage to systems. So almost all SOC 2 reports will have security under their scope. Although it is up to organizations to determine which control groups they want to cover, in discussion with the auditors and auditing body, more often than not we find that security, being the largest control group, is also the one that’s covered the most. So what type of controls are we looking at here? So protecting against unauthorized access, disclosure of information and damage to systems.
Thomas Humphreys: So we’re looking at everything from logical and physical access, to data encryption and backup, to some governance controls: setting roles and responsibilities, risk management frameworks, and other similar physical and logical controls. So it’s very technology-heavy.
Thomas Humphreys: It’s very security-driven, but having a grouping between the governance side and the technical side. Confidentiality: controls for protecting information designed or identified as confidential. And at this stage I’ll also bring in the last control group, privacy, as well. There’s a subtle difference between the two. Privacy, as you’d expect, the focus very much is on personal data, so thinking of PII, SPI, any sensitive personal data, medical data, any of that data that’s deemed personal. Very much the focus is on controls to protect how that’s secured, how that’s handled. Having data control officers, for example, in place, and responses for data breach management. Confidentiality, however, is focused more on information that’s not deemed personal data. That may mean company confidential. So this could be proprietary information, this could be intellectual property, this could be other information or information systems that are classified under the banner of confidentiality. And so the controls here are focused on protection of that confidential information: protection from destruction, protection in terms of the way it’s being handled and where it’s being stored. So there’s a subtle difference there. There’s a clear distinction for companies that choose that control group. Then move on to processing integrity and availability. So integrity, and again anyone from an ISO mindset will recognize these terms: the quality assurance arm of data. So ensuring the system processing is accurate, is timely and is valid. Availability: information and systems are made available and accessible at all times.
Thomas Humphreys: So from a processing integrity perspective, making sure that the way the data is being processed, the data that’s being transferred, there’s nothing that interrupts and disrupts the way the data is structured, for example. Whereas availability: we need to make sure that the data is available at all times and is accessible to those who need to have access to it. So some access controls are very much the order of the day when it comes to establishing availability control groups.
Thomas Humphreys: Now, it’s key to reiterate here that it’s the organization who identifies the scope. And it begs a question: well, why not capture all scopes? Why not all five groups? Is it not the case that every company should adhere to security through to privacy? And the answer is no. Of course, it’s very much up to them. And there are various reasons behind this. So, on the one side, when an organization sets out to achieve SOC 2 accreditation or attestation, it needs to look at where these controls fit within its organization. So if, for example, based on the product and service provision of the business, they don’t interact with or handle personal data in any capacity, it only seems right that the privacy control groups are not relevant. Likewise, if they’re handling systems that are sensitive, that are capturing client confidential information, maybe they’re providing those systems but also inputting that information on behalf of the client. Again, it only seems right that the confidentiality control group should be included. And so it very much depends on the scope of what the business operates under, the scope of what they’re performing. But it’s also important to think about scoping in terms of the areas it needs to go for SOC 2 accreditation for. If, under contract, for example, there’s a need to call out and to receive SOC 2 attestation, it may be very much ring-fenced to a particular type of product or service, and through that determination of ring-fencing that’s part of the business, rather than being all-encompassing, that in itself may identify the best control groups that need to be captured and assessed by auditors. So before we move on, just have a second poll question here.
Thomas Humphreys: Are you looking to augment or establish a third-party risk program in the coming months? We can answer yes, no, or I’m not too sure. Okay. So, are you looking to augment or establish for the first time a third-party risk program across the coming months? So now move on to take a look at exceptions, and what does an exception mean in the context of SOC 2, but also thinking about how you manage risks and how you interact with your third-party program.
Thomas Humphreys: So on the screen here we can see a sample of criteria taken from a SOC report that captures a particular control. In this case, looking at CC3.4, which comes from the trust services criteria, and we can see a breakdown of what the criteria is. So what the organization is required to do; the organization’s response, so what controls, what policies, what processes they’ve implemented to meet that criteria; then the testing from the auditor themselves, so what validation and verification techniques, what tests, what inspections or interviews they have carried out to make sure what the organization has said matches the criteria; and then the final results from the auditor. So in the first case, if you look at the control activity, the company identifies and assesses changes that could significantly impact the system of internal control, and the organization has stated that changes to the business structure and operations are considered and evaluated as part of an annual risk assessment. So the organization considers business and operational change as part of its wider risk assessment program and risk registers. So given this is what the organization has said, we can see the assessors now inspect the risk assessment worksheets. They’ve looked at the most recent risk reviews and risk assessments, and they’ve aimed to verify that any change to business structure and/or operations has been considered and evaluated. In this first instance, we note an exception. So there’s a lack of visibility for identifying business structure or operational change as part of the annual risk assessment.
Thomas Humphreys: So in this case, the auditor has gone in, reviewed the risk documentation, taken into consideration the activities the organization has specified, but they have been unable to find anything that validates the organization’s statements. Versus the first result, where, as you can see, no exceptions have been noted. So they’ve again inspected the risk assessment. They’ve inspected the requirement, in this case change to regulatory, economic or physical environments, and they’ve seen evidence to suggest that there are no further exceptions noted. There are no issues to be raised or nonconformities.
Thomas Humphreys: Secondly, we’re looking at a different control here, where the organization has built a security incident analysis that’s performed for any critical incident in order to determine root cause and impact, and identify and reach some form of resolution. And again, we can see the auditor has indicated that, upon inspection of security or critical security incidents, there has been no root cause, no system impact or resolution that has been documented. So we’ve got a clear example of an organization stating, here’s our working process, this is what we do, and these are the steps that we need to take. But now we’ve got evidence to show that those steps have not been taken. Now, one of the key things that’s important to note here, that can be perceived as missing versus other assessments and assessment types, is that outside of the exception that’s noted, there’s no indication of how severe this is. We have a statement and we have an exception. We haven’t got any other indication of: are these mission critical? Are these what you might call critical, high, medium or low risks, or red risks, whatever the methodology is to define that exception? And that’s important. Within SOC 2 assessments we can find, and hopefully get to a stage where we can consolidate, a list of different exceptions, if there are any, that the auditor has identified. But we can’t go to the level of: has the auditor considered this to be a critical risk? And this is where bringing them into our own risk program can help to define that. There are cases, of course, that we see in SOC 2 reports where there are no exceptions noted, what you might call a clean bill of health.
Thomas Humphreys: The auditor has gone in and hasn’t identified any controls that haven’t been designed effectively, or the operational effectiveness is sound. The control has demonstrated and achieved what it set out to do. Lastly, before we move on, looking at the test results themselves: because this information is coming straight from the auditor, we’ll always see a slight variance in the way test results are reported. So there’s no strict hard-and-fast rule in terms of the level of detail that you want to go into.
Thomas Humphre: In these cases, it’s quite clear on what they’ve seen or what they’ve not seen um based on the organization’s um uh control. Thomas Humphre: So what they’ve stated they have. Thomas Humphre: There will be some instances where you’ll have less information. Thomas Humphre: Um, obviously the more information that’s detailed in terms of the type of inspection and verification processes, the more detail in terms of the test result obviously the easier it’s going to make the process to bring these exceptions across to our wider risk program and then when we start to engage with the third party. Thomas Humphre: So when we think about mapping these exceptions across to our own risk platform, our own risk processes. Thomas Humphre: Firstly, it’s we need to think about that level of detail. Thomas Humphre: So where there’s enough detail from what the auditors provided in the report where there’s management management uh responses and perhaps they’ve given further detail in terms of what aspects um of the result um they have achieved. Thomas Humphre: Um if the company for example already said understand moving forward. Thomas Humphre: We’ve adjusted our process to make sure that the necessary detail is captured as part of the uh instant tickets and maybe there’s some man and toy elements we’ve we’ve we’ve we’ve we’ve added in checks to enforce that level of detail that will only help to aid our process when it comes to taking those exceptions and building them in within our risk process. Thomas Humphre: So when we say map exceptions to risks. Thomas Humphre: What do we mean? Thomas Humphre: So, because there hasn’t been uh enough detail uh from the auditor in terms of is it a critical high, medium or low risk or exception or any indication of impact scores, likelihood or some of the standard terminology you’d expect in in risk management. Thomas Humphre: That’s where we look to leverage our own existing risk tools and risk management processes. 
Thomas Humphre: So, if we have a process that follows um best practice staticis such as ISO 31,000 or the NIST risk management framework may we may already have a clear structure in how we impact identify an impact score and a likelihood score and give an overall risk rating or we use a traffic-like system to indicate the criticality.
Thomas Humphreys: So if we already have those tools established, it’ll then make it easier to take those risks and say, well, based on what the auditor has said, based on the exception, there’s no evidence, do we deem this a critical risk or a low risk, for example? And of course the more established that risk management tool is, then obviously the more comprehensively we can go into that detail around justifying why we’ve raised and calculated the risk in the way we have. One aspect where we do find SOC 2 reports being requested is where organizations send out assessments to third parties, assessments or surveys related to a particular control group, or standard and best practice. So in the event, for example, that we see ISO 27001 or CIS surveys being sent out to organizations and then a SOC 2 report being received back, because the vendor says, “we don’t have time to fill out a lengthy assessment,” or, “before we fill out your assessment, we have this SOC 2 report that demonstrates the best practices that we’ve implemented and we believe this is sufficient before we proceed with completing an assessment.” So if there’s already a clear structure there in terms of the expectation that 27001 or CIS or other frameworks should be used to assess vendors, when we bring in the exceptions, such as the two above as we’ve seen, we can already start to map these to those standards. And so if we consider, for example, a lack of root cause analysis, a poor security incident management process, poor security incident ticketing, as a critical risk because it’s deemed a mandatory control in our ISO assessment or our CIS assessment, that’ll help us to judge and to provide a clear statement as to why that risk is listed as critical, for example, or high or medium.
Thomas Humphreys: So, leveraging those existing risk tools, risk management tools you may have, identifying the impact and likelihood so we can assign some reasonable risk scores, again taking into account any existing management response that may come from the organization. And then finally we can start to assign those tasks that are related to managing the assessment. So in the case where exceptions have been raised, have been identified.
Thomas Humphreys: However, there has been no management response, or management have simply identified that yes, we’ll take action to resolve it. We need to start thinking about, now we’ve brought these exceptions into our platform, how do we now engage with our vendors to make sure that those actions, those risks or non-conformities, are managed effectively and are closed off. So, turning exceptions into risks. Once you’ve got the idea of the risk, we’ve identified the calculation and the level or risk rating that we want to apply, we can then start to look at other aspects to help us bulk out the exception and get a wider case that’s going to make that process of engaging with the third party so much easier. So firstly, can we map it to standards that are key to us? So I gave the example of ISO 27000; if there are clear key controls already within that standard we can map that exception to, it’ll make it easier when we start to engage and identify some of the recommendations or remediation steps. Are there existing risk types in our own risk register that we can apply this risk to? So can we apply tags and risk types around incident management, around particular SOC 2 controls? If we’ve done that type of mapping, do we have a standard risk register that we can carry all these risks into, so that when we start to receive more SOC 2 reports we could start to do more trend analysis and overall viewpoints, particularly when there are similar risks and exceptions that are occurring. Developing the risk itself: so can we apply a risk name, a description and risk ownership? So if we’ve seen a risk from the exception from the auditor.
Thomas Humphreys: Is there enough information for us to determine why it was a risk? Is it a clear process gap, for example? Is there a particular aspect of the control that was missing? So can we start to bulk out the description and understanding of where this risk has come from, where it was established? And then risk ownership as well; of course, there is a particular function within the business that we need to reach out to. Who do we need to start having those discussions with to work out time frames for setting risk remediation?
Thomas Humphreys: So turning that exception into a wider risk in your platform goes through several steps. But as I mentioned at the start, a lot of this can depend on the level of depth that’s seen through the SOC 2 report. There can of course be some instances where there’s not as much detail captured by the auditor. Obviously, we can’t go back and speak to the auditors; it’s something that’s independent and of course the report has already been published and completed. But obviously, if there’s insufficient information, we can still start to capture some of that detail, but that’s when we need to then engage the third party, perhaps at an earlier stage, so we can get more detail to understand where the actions come from, what are the ongoing activities. So we can start to fill out our own risk register, our own third-party risk process, with the pertinent detail around how and why it was established and what are the current steps the organization is taking. Before we move on, we’ve got the third poll question. So what prompted you to join this webinar today? Is it educational purposes, so purely for educational experience and just understanding more about SOC 2? Research for an upcoming TPRM project? Perhaps you’ve already started your TPRM program and you’ve identified that SOC 2 is an area where you’re going to see a lot of traction, or perhaps you’re requesting SOC 2 assessments from your vendors or you’re using that as a key driver to assess vendors against. Or, not sure why I’m here or how I got here again? So there should be a poll that’s flashed up on the screen. So if you’re able to enter in your appropriate response, thank you.
Thomas Humphreys: So we’ve got to the stage where we’ve established this SOC 2 report. We’ve received it. We’ve understood the detail, the exceptions and the scope. We’ve identified that the scope matches what the product or service is that’s being supplied to us by the vendor. We’ve identified now that the exceptions have been captured and we’ve got to a stage where we’re recording them within our own risk register, and hopefully with sufficient detail that we can now start engaging with the third party. Now it comes on to the remediation.
Thomas Humphreys: So what do we do now? We’ve got these actions where there may or may not be some form of management response. So we should start now developing a playbook that enables us to remediate those SOC 2 exceptions. So we’ve got four key decisions to make and three actions to consider. So firstly, minimum or mandatory requirements. So are there any mandatory requirements from the business? What do we mean by this? I mentioned that from the outset there may be some security assessments that you’ve already launched or that you’re considering launching to the vendor; you already have a feel for what the vendor does, what it supplies to you, and through that process, have you identified any mandatory controls that you would expect an organization to have in place by default? So, thinking about that exception around insufficient or poor quality in terms of incident response and the way incidents are recorded, or the way they’re not recorded: if you see this as a best practice that every organization should be implementing, this may be considered a mandatory requirement, and that provides extra emphasis on the way it’s remediated or the time in which it’s remediated. Are there any best practices the organization is following? Are there any industry standards, whether coming down from regulators and legislation, or coming from industry best practice, or even that the organization itself has decided these are the areas that it wants to follow? If there are best practices such as the ISOs and NISTs of the world, and SIG in the United States, can that help lend a hand in terms of identifying those mandatory requirements and also what’s required, what type of remediation is necessary?
Thomas Humphreys: Time frames are critical here. How soon should the risk be addressed? If, through our risk identification process, we’ve identified those exceptions we classify as critical risks, particularly where they are still open and the management response to them has been “we’re still addressing them” or “we’re still reviewing those exceptions.”
Thomas Humphreys: We need to start thinking about, well, what time frame should we be setting on the third parties, both from perhaps an immediate response to state what actions they will be taking, and then a follow-up time frame of when they expect controls to be implemented or adjusted or updated. So how soon do we expect those risks to be addressed? And then finally, decisions or resulting actions. So what happens to remediated risks? What’s the point and stage that we get to where we can say we’ve identified the exception, we’ve classified it from a risk perspective, we’ve engaged the third party and we’ve stated what we expect to happen, or there’s been agreement between the third party and us in terms of what mitigating actions are required; what’s the final decision point? Can we reach a stage, based on our own risk appetite and criteria for risk acceptance, where we can close the risk down or we can lower it to a suitable or an appropriate level? So when you’re thinking about remediating a vulnerability, there are a few different key points that we should be looking at here. And once we’ve stated and identified what the best practices are, if it’s a mandatory control and if there are any clear steps that we’d expect a third party to undertake, these requirements or expected remediation can then be enveloped within the wider risk report and obviously communicated as appropriate to the third party. So in this case, thinking about a lack of root cause, system impact or resolution that’s documented across security incident tickets, we may develop a remediation that states we require vendors to identify the impact caused to business operations.
Thomas Humphreys: The root cause of incidents and the actions taken to resolve them need to be documented, and there should be clear visibility within every incident ticket or record produced that shows what actions are being taken. And then finally, perhaps we need them to embellish or enhance the method of how incident tickets are communicated and completed. So communication, staff awareness for those who are responsible for managing incidents.
Thomas Humphreys: So we’ve thought about where perhaps the root cause of this issue lies and we’ve identified a suitable recommendation or remediation plan which you can then pass on to the third party, and then, upon agreement between both organizations, we can now start to monitor that remediation all the way through to either successful completion or to a stage where we feel this risk, from a scoring perspective, can either be lowered or the risk itself can be removed, because sufficient information has been implemented by the third party such that this risk no longer exists. So we captured quite a lot of detail there, detailing what a SOC 2 report is and some of the key steps we need to look at. There are a few areas I’d like to reiterate here, particularly for those who are just starting out with a third-party risk management program and those who are either starting to receive or will be expecting to receive SOC 2 reports. So firstly, from a risk management perspective, assess your third-party risk management requirements. So determine where those best practices are required and where standards are being followed. Do we already have a clear approach, a clear security assessment, security framework that we’re launching out to third parties or that we’re auditing third parties against? If there are, have we got any suitable mapping across to those standards, such that when you receive a SOC 2 report we’ve got some clear guidance in terms of: do these exceptions that may be raised fit with our information security assessment? Determine minimum requirements. Are there mandatory controls that you expect all third parties to carry out or to have in place?
Thomas Humphreys: Are these controls driven by those best practice standards? Maybe they’re driven across the industry or from regulators, just based on what’s happening within the industry. And this actually becomes a very cyclical approach. So you’re continually reviewing: do those best practices meet our aims and needs of assessing our third parties? Are we using the right standards? Are we using the right controls?
Thomas Humphreys: Do those minimum requirements or mandatory controls that we’ve identified from the outset still remain true? Or do we need to adjust and identify additional controls that we’d expect our vendors to adhere to? And then finally, can we map these to SOC 2 requirements from the trust criteria? And then once we’ve done this, we’re then looking at the actual assessment of the SOC 2 report itself. So once you receive that SOC 2 report, can we, through the report, identify what scope has been used and where exceptions are noted? Does the scope meet our expectation of what is being supplied by the third party? Has the auditor provided an indication of where there are exceptions to the rule, where exceptions have been identified, and where there are gaps in processes and policies and systems? Once we’ve identified that, can we get to a stage where we can extract those exceptions and put them into our third-party risk program? So we capture them in risk reports within each vendor’s risk profile, and are able to align them to the way we calculate risk. And then finally, make sure you have that process in place that manages those exceptions to ensure a correct outcome, correct risk treatment, and a successful result is obtained through risk remediation and then through that level of engagement with the third party. It’s also worth noting, just finally, on a SOC 2 report, I mentioned at the beginning there will always be some occasions where no exceptions are noted. So the auditor has gone in, has reviewed one or multiple control groups, and it’s a complete clean bill of health.
Thomas Humphreys: We do see this particularly with some of the larger organizations, particularly where SOC 2 has been conducted year by year by year, so it’s become quite a mature process. And that’s not to say that it’s then no longer valuable. It then obviously provides a different route in how we use that information within our TPRM. But certainly that’s a very positive outcome that we can use to perhaps demonstrate and identify best practices that some of these organizations are taking.
Thomas Humphreys: Particularly if we want to then see where there are trends, and do trend analysis between similar vendors that are providing us with SOC reports. Just finally, a note from Prevalent’s perspective. So Prevalent has developed a SOC 2 and third-party risk management checklist which discusses those trust service principles, maps the TPRM capabilities, but also how to simplify compliance reporting. This is something that’s readily available and free to download through the link that you see on the page. So that concludes my webinar, and I now would like to open up and take a look at any questions. Okay, so we have a couple of questions starting to come in. Does the SOC auditor follow up with a firm through remediation for any control exceptions noted? Good question. Now, as we’ve already identified, the SOC auditor will provide this detailed report and it will provide a list of exceptions. Now, in the typical case, the SOC 2 reports will be conducted once, then they’ll be repeated on an annual basis. It’s common to see companies being reviewed and assessed on an annual or biannual basis. There is a potential to be assessed more frequently if the business wishes, or as part of contractual agreements. And of course, during that time, in that process, yes, the SOC auditor would follow up with the organization to identify, based on exceptions noted last time.
Thomas Humphreys: Where the improvements have been made based on the management responses, and any information that management has committed to for improving practices, whether they have been followed through and are complete.
Thomas Humphreys: And as part of that year-by-year basis, the SOC auditors will, yes, then look at those findings, particularly with a view to what’s changed in the coming years or whether there have been any improvements. Particularly if you’re getting quite a lot of exceptions in a particular area, it may be pertinent for the SOC assessor to dig deeper in that particular area when they’re scoping out their report. This is a typical scenario you do find if there’s a particular issue in a control group. So for example, if we’re looking at the security control group and there’s a series of access control requirements and there’s a continuation of exceptions that have been raised, it may be pertinent for the assessor to follow up with that organization and say we need to look in more detail here to make sure that any actions you have taken have been successful and that we’ve got to a stage where the process is now operating effectively and running effectively as well. So yes, there is a follow-up from the auditor on at least an annual basis, but in some cases it could be more frequent as well. We have a second question here. Does the finding of exceptions automatically mean the issuance of a qualified opinion? That’s an interesting question, because there are two styles of opinion that can come up, that may be noted, which are called an unqualified opinion and a qualified opinion. And it’s interesting for you to understand what this actually means, or what is considered a qualified or unqualified report or opinion. So the answer is it depends on the exception.
Thomas Humphreys: So there can be occasions where exceptions are captured and raised and are very severe or very serious. A perfect example of this is where a process has been documented but there is no evidence to suggest that process is performing, particularly when you’re looking at Type 2 and looking at the operating effectiveness. So it could be quite a serious issue.
Thomas Humphreys: On the other side, there could be exceptions raised, but the process can still operate. So, anyone of an ISO mindset might hear the words observations, minor and major non-conformities, and it’s a similar process. So, if there are issues that have been raised and there need to be aspects of a process or a policy or control that need to be improved, but that hasn’t had a detrimental impact on the wider organization, this will be the difference in the issuance of a qualified opinion. It’s probably worth mentioning the unqualified as well. So where a SOC report is issued with a qualified opinion, this basically is an indication that either a single control or a set of controls have either not been designed (Type 1) or not been operating effectively (thinking of Type 2). So if it’s a qualified report, those exceptions have been significant enough to deem one or multiple controls to be wholly ineffective. On the other side of the coin, an unqualified opinion or an unqualified report indicates that any controls that have been tested, again either Type 1 or Type 2, design or operating effectiveness, have been effective. It may be in such a scenario that either there are no issues that have been identified, no exceptions, or there have been some issues but these issues are not causing that detrimental impact. So it very much depends on the severity of that exception that determines whether there is the issuance of a qualified opinion from the auditor or an unqualified one. Hope that makes sense. Final question here. I’ve heard the term bridging letter used before for some companies. What is that, and is it a replacement for a SOC 2 report? Interesting question.
Thomas Humphreys: So a bridging letter can be used across many companies, and this is basically thinking of a gap, hence the term bridge, and what this means is the date of the last SOC 2 report that was carried out, and every SOC report will have a clear indication of dates. But then there may be a gap between the last SOC report that was carried out and the next SOC report, or SOC assessment, that’s carried out.
Thomas Humphreys: If there is a significant gap, which typically means any gap of 3 months or longer, a letter can be issued that basically is a validation from the company that states we haven’t had any significant changes to our controls that were covered under the purview of our SOC 2 that was issued last time. There have been no significant operational or business changes that have affected our controls. So, it’s a cover point to say this is not a replacement for a SOC 2 report, but it helps to provide that assurance, particularly to clients, if there’s a significant gap between SOC 2 audits. And we do find that often used across many companies, particularly some of the large companies, the larger multinationals who have had SOC 2 for many years, and through one reason or another there has been a gap between two reports. And so yes, it’s that level of assurance which is issued and signed by the organization themselves, so it’s not verified by an auditor, but it is delivered from the organization. So it’s something that’s always worth considering from a client’s perspective, from your own perspective, but bearing in mind that, as I say, it hasn’t been validated by an auditor. It’s simply that organization’s response to say we can confirm there has been no significant change since our last SOC 2 and in preparation for our next scheduled assessment. Okay. I see no further questions at the moment. If you do have any more questions following this webinar, do let us know and I’ll be more than happy to provide answers. Thank you.
Melissa Lent: Great.
Melissa Lent: Thank you so much, Thomas, for joining us today and sharing your insight on how to analyze the effectiveness of a vendor’s security controls and how to decode third-party SOC 2 reports. We really appreciate all your insight here. And to our audience, we’d love to have you join us for other upcoming OCEG webinars. Please watch out for emails from OCEG regarding these future events. This concludes our webcast today. Thanks so much for joining us, everyone.

©2025 Mitratech, Inc. All rights reserved.