Description
The AICPA SOC 2 report is an industry-standard framework that vendors can submit as a risk assessment. However, interpreting the reports can be complex, time-consuming, and inconsistent with how other vendors are assessed in your third-party risk management (TPRM) program.
Join compliance experts Alastair Parr and Thomas Humphreys as they explore the pros and cons of using SOC 2 reports in your TPRM program and how to analyze these reports to get what you need.
In this webinar, Alastair and Thomas will discuss:
- Ways that using SOC 2 reports can strengthen your TPRM program
- Where SOC 2 reports can negatively impact your program
- How to map SOC 2 report control exceptions into risks in a common vendor risk and security framework
This webinar is ideal if you plan to use SOC 2 reports in your TPRM program and want to analyze the effectiveness of a vendor’s security controls consistently with the rest of your third-party estate.
Speakers
Alastair Parr
Compliance Expert
Thomas Humphreys
Compliance Expert
Joe Tolley
Project Director
Scott Le
VP of Product Marketing
Transcript
Ash: Hello and welcome everyone. We are stoked to have you all. I will give you all a minute while we wait for everyone to get situated and dialed in. But in the meantime, I’m going to go ahead and launch our first poll, because we’re curious to see what brings you to today’s webinar. Is it educational? Are you a current Prevalent customer? Are you bored and just want to hear the sound of our voices? Either way, just let me know. Can’t forget about some introductions. My name is Ash and I work in business development over here at Prevalent. And we are joined by two very special guests: our very own project director, Joe Tolley, and our very own content manager, Thomas Humphreys. And of course, I can’t forget about Scott Le, our very own VP of product marketing. Hey, Scott.
Scott Le: Hey. Yeah.
Ash: And just a little bit of housekeeping: this webinar is being recorded and we will be sending out the recording along with the presentation slides shortly after the webinar. You’re all currently on mute, but we do encourage participation. So, please put any questions in our Q&A box so we can go over them at the end of the webinar. Today Thomas and Joe will be exploring the pros and cons of using SOC 2 reports in your TPRM program. So, gentlemen, I’ll pitch it over to you.
Thomas: Fantastic. And a very good morning, afternoon, and good evening to everyone. Let me go into presentation mode. So, as was very kindly introduced, we are here with you today to go through SOC 2, discussing what SOC 2 reports are and how you can use them in the best and most practical way within your existing TPRM, or if you’re just starting up a TPRM as well. My name is Thomas Humphreys. I am the content manager, so I work to develop assessments and frameworks within the Prevalent platform, particularly focusing around information and cyber security. And with me is Mr. Joe Tolley. Joe.
Joe: Yes.
Thanks Tom, and hello everyone. So I’m the project director at Prevalent. I spend a lot of time working with clients to get their programs up and running, and usually have some frontline experience of some of the challenges that clients have as well, more recently around the focus area of SOC 2 being presented instead of assessments being completed. So it should be a good, interesting session.
Thomas: Fantastic. Thank you. And just to reiterate, we have a session that’s going to run for up to an hour, but at the end of the session we’ll hopefully have time for some Q&A. There is a dedicated Q&A window for you to type in any questions. We will answer them at the end of the session, but along the way we may dive into some if they’re pertinent to the slides that we’re discussing at that point in time. So without further ado, let’s have a quick look at the agenda. We’ll start by getting to grips with what SOC 2 is and what we typically see within SOC 2 reports. We’ll then focus on some of the challenges of coming into contact with SOC 2 reports for the first time and how they can hamper your wider risk management process. We’ll then look at the other side of the coin and how you can start to blend what you can get out of SOC 2, build it within your wider program, and use it to strengthen parts of your program and your engagement with third parties. And then we’ll touch on risk management elements and how you can extract some of the actions and activities from a SOC 2 and build it into your wider risk management approach. So let’s make a start with getting to grips with SOC 2. SOC 2 is being used across more and more industries and sectors as a recognized framework and a way for organizations to demonstrate the delivery of security controls, and in some cases privacy controls as well.
So it’s used to help demonstrate a level of best practice based on a scope of operations and the products and services they’re delivering. It’s delivered by breaking down into five key groups called the trust service criteria, and this provides a framework for going into detail on specific controls and control points. As we see from the bottom of the screen, these split up into security, confidentiality, integrity, and availability, so the CIA triad, and then privacy as well. What’s notable about these SOC 2 reports, compared to some other attestations, is that they’re viewed and reviewed with an independent eye. So independent auditors and auditing bodies will come in and assess organizations against this series of controls and control areas, and then provide a final report that summarizes the best practices that are in place and, in some cases, where there are issues or deviations or exceptions, which is the terminology that SOC uses. One of the key things to note as well when you see a SOC 2 report is that each report is slightly different, and we’ll go into some of the reasonings behind that and some of the challenges behind that in a short while. What this means is it allows organizations to scope an assessment to fit their own needs: to ring-fence based on a fully encompassed business operation and operational control, or to look at particular aspects of what the business does, particular business units, operational areas, operational infrastructure, and so on and so forth. So it’s quite a dynamic report, but ultimately it gives a viewpoint of where an organization is at a point in time, the effectiveness of the design of their controls, how those controls are being operated, and the effectiveness of those operations as well.
Joe: Yeah. And Tom, a quick question from me if I may.
Thomas: Yes.
Joe: We obviously have a lot of clients coming to us asking us what to do when they’re provided with a SOC 2 instead of an assessment. So it’d be great to hear from you. I know you’ve spent a lot of time working with content and building out assessment content for us. It’d be great to know how the trust criteria align to other standards and frameworks that might be more traditionally used through an assessment process, like a SIG assessment or an ISO 27001 assessment, whether it does cover the majority of those controls, or if there are any clear areas to be aware of or cautious of when we’re provided with a report.
Thomas: Very good question. And yes, as you said, as we’re seeing more and more organizations presented with SOC 2, or SOC 2 seen as a good way to demonstrate governance and delivery of security controls, there are actually increasing mappings we’re finding between SOC and other frameworks. Now, you obviously mentioned ISO, you mentioned SIG, and NIST is also perhaps another common framework to focus on. There is a lot of commonality that we can see from these areas. So to take the security control group, for example, the trust criteria look at pertinent areas around data encryption, around access control, the use of access right reviews, and using privileged accounts to manage access to critical systems, and this actually mirrors quite nicely some of the areas that the likes of ISO and NIST go into as well. So we can find that there are a lot of similarities when you start to compare the two frameworks together, say SOC and SIG, or SOC and NIST, or SOC and ISO, to take those three examples.
There is a lot of similarity. What is important to point out, and what we’ll go into in a short while as well, is understanding where those gaps are. So if you think about, for example, the NIST framework 800-53, as we know from NIST it covers a lot of control areas similar to SOC, but then also goes to another level and covers a lot of technical detail around areas that perhaps SOC doesn’t go to that length on. It’s important to realize where those sorts of gaps or variations lie.
Joe: Yeah. Perfect. It sounds like it’s a good indicator that controls are in place. They’ve obviously had themselves independently assessed to be able to provide this report. So, it’s a good indicator that they’re mature from a security standpoint and consideration standpoint. It sounds like it’s more about making sure the scope of what’s covered within the reports meets the level of detail that you’re looking for from an assessment standpoint.
Thomas: Absolutely. And you sort of hit the nail on the head from two aspects there. One is that independence. It’s always a bit more comforting, isn’t it, when we see attestations and reports where we know there has been an independent eye cast over the operations, processes, procedures and policies that an organization has used or implemented, to demonstrate that what we’re putting in place is good practice. But it’s that scoping piece, which again we’ll go to over the next couple of slides, which is very critical and can also be part of the challenge: to work out, is this scope very much ring-fenced and isolated, or is it all-encompassing and covering a wide variety of aspects of this business and what this business does?
Joe: Great. Thanks Tom.
Thomas: So, taking a short look at what a SOC 2 report is, and I’ll go into detail in terms of how to pick apart a SOC 2 report and some of the key areas to look at.
One thing to note is that actually being faced with a SOC report, and particularly when you’re faced with multiple SOC reports for multiple organizations or vendors, it can prove quite difficult in terms of understanding and working out: where do we go from here? What should we be looking out for? So reports contain an extensive set of information, which can make trying to identify all those pertinent areas quite difficult. If you think of an organization that is all-encompassing within the SOC, where every part of the business operation and functions is captured when we’re reviewing against security, CIA and privacy, for example, to take that extreme, it means that the report can be quite large, quite lengthy, and go into a lot of detail into a lot of individual areas. So, trying to pick apart and understand, when we think about that third party or that vendor and what they’re going to be providing to us or what they do provide to us, is it clear from the outset what that report is trying to say, and are we able to identify the parts that are important to us based on the product or service delivery? Now, one part that’s also key to mention is the level of inconsistency. You could have two vendors, two organizations, presenting you with a SOC report. Both may have very similar service deliveries. Both may be, say, application or system developers, for example. But the fact is that each individual organization can suit the scope of the SOC to fit their own business. You could have two very similar businesses, but one which, say, only focuses on security and the security side of the trust criteria. You could have another organization that focuses on security with confidentiality and maybe privacy as well. And so each report can end up being very different and looking at very different aspects.
And so again, that question of: what this report is saying and being presented to us, does that actually align with what we’re after, what we’re engaging this third party to do for us? And of course, if it doesn’t, and if they’ve ring-fenced it so much that it’s looking at other areas of the business that are actually nothing to do with the product and service they’re providing to us, how do we take that? Is this still a useful document? Can it still show us the best practices and overall good use of security and having a good security posture? Or do we need to look at and ask other questions? And obviously, outside of all of this, we need to start looking at: how can we take this report, where there is this haystack of information, this expanse of information, and how can we make it fit what we’re doing, particularly when ingraining it within our own TPRM?
Joe: Yeah. And it sounds like, Tom, from the way you described it there, you know, these text-heavy, long reports, a haystack of information as you described, it sounds like at the point we’re provided with this SOC 2 report, we have to be aware there are going to start to be inefficiencies in our typical assessment process, where we’re asking questions and we’re getting back binary responses as to whether control requirements are in place or not in place.
Thomas: Absolutely.
Joe: So, it sounds like we’re going to have inefficiency, but it’s all about being aware of the inefficiencies that we’re going to encounter and preparing for them, so that these types of processes, where we are reviewing reports, don’t take us by surprise. You know, we have ways of approaching it. And if we are given a SOC 2 report and we’re not prepared for this type of exercise, it’s only going to add to that inefficiency while we actually decide how we’re going to manage this SOC 2 report being provided to us.
Thomas: Absolutely.
And being able to get to a stage where we can say we’ve got this single or series of SOC reports, but through our process and the way we’ve been able to identify the pertinent areas, the areas that matter to us, whether it’s the findings or the context of what the business does, it’s only going to make it a lot easier in working out how closely aligned they are to the typical assessments that we’re using for the rest of our third-party base, or a wider set of companies. And so it can be quite a manual process, certainly, but yes, there are certain tricks that we need to do to make sure we prepare ourselves in the best possible way in terms of understanding what these SOC reports are about.
Joe: Yeah. And I think from a process standpoint as well, there are going to be other considerations, like, you know, as soon as we stray away from our standardized assessment process, where we have our scorings in place and our thresholds and everything’s defined and optimized, as soon as we go down this other route where potentially there’s a misalignment in what we’re asking or the information we’re absorbing, it’s going to mean that we can’t then compare vendors to other vendors. From a reporting standpoint, you know, risk profiles are going to differ between those that went through our standard assessment process versus this process. So, I guess one thing we should always try and do is push for vendors to go down our typical assessment route, where we do get that one-for-one with what we’re looking for, and then, should that fail, or should a vendor not be willing to participate in that assessment, then go to this style of approach, where, you know, we accept some of those differences in how we’re going to get results from the data.
Thomas: Absolutely. And again, as we’ll see as we go through the discussion today, the more mature, obviously.
But the more that we see a third-party program where there is a very clear understanding of risk and the way risk is managed, the way assessments are designed, and the type of assessments we’re focusing on for organizations, it’ll only make it easier to then adopt and understand and get to a point, hopefully, where we can say we can accept the SOC 2 report, and actually it meets, hopefully, the majority of what we’re expecting vendors to provide us anyway when we engage them or go through that process. It won’t necessarily always be 100%, but obviously the closer we can get to that stage, and the more aware we are of what’s important to us as a business, what those mandatory elements and controls are that we need to focus on, obviously the easier that process is going to be. Great. So, why SOC 2 reports can hamper your TPRM. We’ve already discussed this idea of SOC reports being complex, or horribly complex: a lot of information, a lot of data. Like all frameworks and best practices, SOC is no stranger to the fact that it has a lot of unique terminology: the way it describes findings, the way it describes exceptions, the way the report is built and has an order, from attestations and audits to summaries and management responses, and the way that they respond to the findings of the auditing body as well. One thing that’s quite interesting about SOC is they have two particular phrases, qualified and unqualified: an unqualified SOC report and a qualified SOC report. And these basically demonstrate the responses of the auditor.
So where auditors may find findings, but they’re not enough to demonstrate an inability of processes or material weaknesses in the control environment, that’s unqualified, versus qualified, where there is still design testing and operational effectiveness testing, but there may be some issues found where one or more controls are deemed ineffective and there needs to be more focus on what those ineffective controls are. So there’s some unique terminology that you find in SOC 2 and in the way that the reports can be presented, and obviously understanding that type of terminology again will help when we work out how we can use this to the best of our ability. I mentioned at the start that one of the large parts was the expanse of information, and this is what’s typically called the overview of organizational operations. This can cover a lot of different topics: system scope, individual components, tools in many ways, different frameworks an organization uses, their IT and network infrastructure setup, and user responsibilities. We’ve seen SOC reports go to the nth degree in terms of the type of controls we use, the type of tools we have, firewall system setups, for example, intrusion detection systems and event monitoring solutions, as well as how the network operation is structured and the data mapping. When it comes to the scope of the report as well, I’ve already mentioned this can vary from vendor to vendor. What we mean by this is, when we have a look at the TSC, or the trust service criteria, and we have those five areas, from security, CIA and privacy, we can get some reports that only focus on security, some that only focus on security and confidentiality, and some that offer all five.
And so from vendor to vendor, despite doing very similar work and very similar processes or service delivery, you can get some reports that are far more complex than others and offer a far greater insight into some of the controls that they’re working with. When it comes to SOC 2 as well, we have two types of reports: some that are focused more on design, type 1, and type 2, which offer more on the operational effectiveness of the controls. So an auditor goes in not only saying, do you have policy and process for these areas, such as access or encryption or processing arrangements, but how are they actually operating? How are they working? Are they operationally effective? And then of course auditor experience and depth of coverage can vary as well. And what’s important here is that you can have multiple auditing bodies who provide an audit report, but each report can look very different despite the fact that they may all be SOC 2 type 2 reports. And I guess the trick here, despite there being variances because of different organizations conducting and delivering these reports, is knowing those areas to look for in terms of commonalities in how exceptions are reported or presented, or the way we can pick apart and identify what controls have been assessed. So there’s a lot to unpick about an individual SOC report that can give a lot of headaches and certainly cause a lot of confusion.
Joe: Yeah. One thing I wanted to touch on in a bit more detail, Tom, is scope. I understand that obviously the scope of controls might vary, but from my experience with looking at a few SOC 2 reports, usually they’re focused on a particular scope of service within the business as well.
Thomas: Yes.
Joe: So when we receive one, in lieu of an assessment, we have to be very careful that the scope of the report that’s being provided to us matches the service that we’re actually consuming from that vendor as well.
Thomas: Absolutely.
Joe: Perfect. So I know one thing that we’re always recommending clients to do is make sure we have enough context internally about the service that’s being provided. So if you are a representative of the TPRM program, for example, and you’re receiving this SOC 2 report, you already have as much information from the business owner, for example, as to what the service is that you’re consuming from the vendor, so that you have enough of the context to make sure that the report matches what’s being consumed by you. And that way you know there’s no misalignment and potential areas of risk or controls that aren’t covered.
Thomas: Yeah, very much so. And yeah, completely agree. The more we have visibility of what the vendor, the organization, does, and particularly when we have identified through that scoping of the report that actually, yes, this does cover those same areas, those same operational controls, that same infrastructure, for example, or those same services, it then becomes a far more value-adding service and enables us, I guess, to more accurately do a deeper dive in terms of what controls are important to us based on that service.
Joe: Yeah, I think some of the profiling questions that we recommend we ask internally from business owners, when they’re onboarding a vendor or requesting to onboard a vendor, include the location, for example, that the service is being provided from, and what type of data is going to be interacted with. Also, I think we cover off how the service is being delivered as well, just so we have those validation checks that we can perform to make sure that we’re ticking those boxes: yes, this service does match exactly what we’re expecting.
Thomas: Exactly. Absolutely. And being able to unpick that type of information from the SOC report, based on that overview of organizational operations, can help immensely in working out, particularly if you go through a tiering exercise, of saying, based on the complexities of what they do, and for example the data aspect and the way data flows throughout the organization, do we consider these to be a critical tier 1, priority 1 vendor, or can we bring them down to a tier 2 or tier 3 vendor? And the more information we can gauge and ascertain from what we know about the vendor and what the tool provides, the better.
Joe: Good stuff. Thank you.
Thomas: So we’ve looked at the complexity of a SOC 2 report. Now let’s look at the other side, around a TPRM program: a program that’s already been built, or is going through a stage of developing. So obviously we’re looking at designing a single or siloed or multiple set of assessments. Let’s say we’re choosing to go down ISO 27001 to assess our vendors against, or NIST, or maybe a collaboration of multiple assessments. Maybe we’re using, say, ISO and some GDPR if we’re looking at some privacy-based requirements as well.
We start to design a different set or multiple sets of assessments with which to ask questions of our vendors, and those questions can be geared towards different tiers as well. So, more complex assessments for tier 1s, more of a light-touch approach or mandatory controls for the tier 2s, 3s and 4s, for example. At some point we’ll need to develop and establish a risk process and a risk program: how we identify and manage risk, and get to a stage where we can start looking at treatments, remediation and mitigation controls, and mitigation processes as well, throughout this process and as you mature and establish those assessments and different types of assessments. We then look at those mandatory control requirements, based on industry or sector, or based on other risks that we’ve encountered as a business. Are there particular controls that we want to enforce when we engage the vendors? Maybe, if we’re looking at companies where they’re holding sensitive data, there may be a lot of data-security-based control points that we’d expect vendors to implement and have to demonstrate that they have implemented best practice for the way that data is secured or transferred or stored. And so we can automatically see that we could get to a stage where we’re looking at certain programs, let’s say ISO 27001 or NIST 800-53, but then we’re also presented with SOC reports that may not contain all of that information. It may not have some of those mandatory control requirements, particularly if we are presented with a SOC report that, it turns out, is only focused on one particular aspect of the trust criteria. So think of the scenario of a company that’s sending out security- and privacy-based assessments, and the vendor then presents a SOC report that only focuses on security.
We then know from the outset, before going into that assessment, that there’s going to be a whole ream of questions and control requirements from a privacy perspective that we know won’t be answered. And so we then find that problem of: can we accept that SOC report from a security aspect and still issue them a privacy assessment? Do we still ask them to fill out both security and privacy assessments? How far mapped are those SOC controls, and how far apart are they compared to our wider TPRM program and our delivery of mandatory control requirements? So that alignment between what a SOC report delivers and the business assessments that we’re sending out to our vendors is where we can see a lot of potential gap, and where we need to focus in terms of extracting what’s in the SOC 2 and where it fits if we layer it on top of our business assessment.
Joe: Yeah. And I mean, each of these bullet points you have on the right here, some really interesting specific sets of assessments, questions geared towards different vendors, risk remediation, mandatory control requirements: these are all parts of a well-oiled assessment process. But as soon as we’re given that SOC 2 report, these are all areas that sort of detract from that and tend to stray the workflow off on a different course. So I think making sure we are preparing for this use case as much as possible, to pull this process back in line with our standard workflow, the better. And obviously the earlier we can do that the better as well, so that we’re prepared for these types of scenarios.
Thomas: Yeah. Absolutely.
And of course, the more mature I guess the TPRM program is, and the longer it’s running, if it’s that well-oiled machine, let’s call it, it can make it in many ways easier, I think personally, to bring areas such as SOC attestations and SOC reports in, if we already know how we’re going to approach managing risk and risk assessments, for example, how we’re going to classify impact around risks, or exceptions, to use the SOC terminology. And again, that’s something that we can go into in a short while. So if we take a step back, let’s think about what we are trying to achieve here, both with SOC 2 and when we receive SOC 2 reports, and with our TPRM program as a whole. So, one, it’s about establishing that vendor’s security posture, or privacy posture, whichever the focus may be, but principally, I guess, for this discussion we’re talking from a security angle. So how well ingrained is security within the organization’s operations, systems and best practices? Can we align SOC controls to our own TPRM requirements? And that should always be one of the aims: how closely can we align what the SOC requirements are with what our existing requirements, our existing assessments, are? And obviously the closer we can align them, and the smaller the gap, the easier it’s going to be. It’s not always the case that you’re going to get 100% mapping from assessment to assessment, of course, but the more we do this up front, and the more aware we are of where those gaps are, the easier it is going to make it.
Joe: Yeah. And this is where you’re pulling that process back in line with the original workflow here.
Thomas: Absolutely. Yes.
And then, of course, that whole risk structure that sits around it, and how you respond to risk. Likewise, if that’s structured in an appropriate way, and you’ve thought about how you deal with risk and acceptance criteria and managing remediation when it comes to exceptions or risks raised from a SOC perspective, again, it’s going to make it so much easier. So we need to make sure we’ve established what the vendor is doing, and the security posture and the best practices they’re following. We’ve aligned, or we need to align, that level of control and overlay it with what we’re asking vendors to do from other business assessments or security assessments, and then make sure we’ve got a formal process to manage risk but drive continual improvement through the remediation process. So let’s take a step back now and look at the report itself. I mentioned earlier that you can have multiple auditing bodies, multiple certification bodies, who go out and conduct the audits and provide the SOC 2 reports, the type 2 audit reports. But each one can look slightly different: the way it’s laid out, the way they describe auditor summaries, for example, maybe the way that the management of the organization being assessed responds to exceptions, if exceptions are being raised. However, despite these differences, there are some common areas that are worth highlighting, some of which we’ve already covered. And it’s being aware of these areas and where to look for them that will make it so much easier when presented with a SOC 2 report and working out what we need to focus on.
Joe: Yeah. So, it’s not a case of always going to this particular section name where you’re going to find X, Y, and Z. There’s going to be a loose framework or a process to follow to identify the right information, but it’s going to require some manual interrogation of the data.
Thomas: Absolutely.
Yes, it can seem quite a manual process, but yes, you're right. Although some of the terminology and the phrases will be different, for example, there will always be an area of the report that focuses on, as I've called it, the overview of the organization's operations. So, as you can see here in this report example, they have aspects that touch on components of the systems, different aspects of the control environment, communications, and the company background. So what's being scoped out in terms of what does the company do? This is an area that you'll always find regardless of the auditing body conducting the SOC 2 assessment. And that's really the best place to start, making sure we fully understand how expansive or how isolated or siloed the assessment has been. Then the scoping in more detail: scope and the description of the services provided. This is where we can start to see the different trust criteria that they've selected as well. So there'll always be areas of the SOC report where we can dive deeper to understand, are they covering all five aspects of the trust criteria? Are they covering one? Are they covering a mixture of those areas? And of course scoping as well in terms of the operational areas that are being covered. So as well as looking at the overall technical side of operations, if we can focus on that scope of does this align with what they're providing to us as an organization, it'll make the process of understanding and reviewing the SOC report so much easier. And there'll always be an area, typically closer to the end, section 3, 4, 5, where we go into the detail around the actual control activities. So we're looking at the trust criteria and we're looking at the auditor's response and the auditor validation. So we're looking at the criteria around access controls or incident management, for example.
And it's here where we'll find some of the auditor statements around effectiveness of controls, whether there are exceptions or whether there are no exceptions. And this is where we start to piece together how effective the organization's approach has been to delivering these controls. And of course where there are exceptions raised, you do find a level of management response as well, which is where there's always an opportunity, particularly throughout the audit, where management have been given an opportunity to say: we acknowledge the exception, or nonconformity, so to speak, and this is our approach, this is our plan of attack, or this is what we've done to address it, or this is what we will be doing to address it. And having that level of detail can help so much, particularly when you're trying to bring those control exceptions from the SOC into your own TPRM and starting to work out what level of remediation do we need to go through, what type of tasks or mitigations do we need to ask of the vendor. If they've already got some of that information, it makes that job so much easier.

Joe: And Tom, from a control standpoint, what are the things that we'd expect to see consistently between these reports? Do they always refer to the controls by the same sort of names within there? What can we look for to start that alignment process?

Thomas: Yes. So, there is some consistency because they're all using the same Trust Services Criteria. Each of the individual criteria controls will have control identifiers, in a similar way that ISO has with its Annex A controls, A dot something. These will have, for example, common criteria controls that always start with a CC and a respective number, and that will be consistent throughout regardless of which auditing body is conducting the assessment.
And there'll also be some consistency in terms of where the auditors report on exceptions, for example. So it's done in a very tabular format in terms of: this is the requirement, this is the investigation we carried out, and this is the result. So there is some consistency there, particularly if you want to very quickly get to have there been any exceptions and what are they, and just knowing this will make the process a lot quicker to digest a report.

Joe: Yeah, always helpful when there's a table of information at the back of a report.

Thomas: Absolutely. Absolutely. Get to the crux of the matter. Should we be worried or not? So if we move on now to look at it more from the TPRM side. So we have our SOC 2 reports. We're aware of some of the key areas we should be looking at in terms of what the business does and if there are exceptions or issues or risks. So before we even get that report, however, are there things we could be doing within our own TPRM program to help prepare us for when we receive these types of documents? Absolutely. One of the first things is conducting that gap assessment. So if we take ISO, for example, or NIST 800-53, if we already know that this is the assessment that's going out to vendors and they're being assessed against it, having a clear idea of how far the SOC 2 controls, across security through to privacy, are captured within this 800-53 or ISO 27001 or cloud assessments or any other framework that we're using.
So having that gap assessment where we can work out there's 80% coverage, there's 100% coverage (less likely), but as close as possible, where that gap is, where do we need to focus on. I mentioned this idea of mandatory controls. Many organizations already have a clear idea, not only once they've established, say, we're going based on this or ISO, but we know where our critical controls are, particularly if we're going through a tiered approach of tier one, tier two, tier three vendors, and maybe further down the road as well. And obviously if we've identified those mandatory controls, we know that through the mapping of SOC 2 to ISO to NIST or anything else, we can also start to map where those mandatory controls are. And obviously this will make it much easier if, say, an exception arises in SOC 2. Let's say there's an exception against a lack of data encryption, encryption at rest controls, and there are some exceptions that have been raised there. If we know that this is considered a mandatory control from our wider ISO framework, we know that we need to pay this a bit more attention. Perhaps we need to spend a bit more focus on, well, why does this exception exist and how do we engage the vendor when approaching remediation for that control? And of course, what's critical that underpins all of this is identifying that process of managing vendors where those SOC reports do not have the coverage. And this is quite a conundrum sometimes. In many ways we see organizations that do not want to fill out an assessment. To be saying please fill out this ISO 27000 framework assessment, it's 150 questions and covers everything from A to Zed of ISO, and they say, well, we don't want to fill this out, here's a SOC 2 report. And we know that the SOC 2 report, if it contains say 80% of what ISO contains, there's a gap of 20% additional questions from ISO. What do we do then?
Are we willing to accept that SOC report and say, well, there's good coverage, there are no exceptions, they make up 80% of what ISO asks for, case closed? Or do we offer a tailored approach of saying it's covering 80%, but we still need that further 20%, because there are areas that are covered in ISO or NIST or SIG that sit outside of what SOC is asking for, and because we consider these key areas we still require you to complete an assessment, but a very much reduced or cut-down assessment, because you've already got the validation through that gap assessment and through mapping SOC to ISO controls, for example. So identifying that process of what do we do where there is a gap, and how do we approach that with our own vendors. Do we offer them an isolated or simplified assessment, or are we willing or happy to take the SOC 2 results as a good representation if they are to complete our own assessment or our own framework?

Joe: And this is where I guess profiling and tiering becomes even more important. If we know that the vendor provides a particular service to us and they're really, really important to us, then some of these key controls or some of these gaps might be, you know, multiplied purely because of the fact they're so important to us, and we need to know this information. Whereas if they were of slightly lesser importance to us, perhaps, you know, our risk acceptance tolerance might be slightly lower and we'd be more willing to accept some of these gaps in coverage.

Thomas: Absolutely. Yes. And that's a very good point, because of course not only is every vendor unique, but when we think about that tiering process, we'll have a different view of what's expected from a tier one versus a tier two or tier three.
In particular, when we get to a stage where some companies start very, very small, almost those mom and pop shops you find in the United States and in the UK, where we have maybe two employees or five employees, very small organizations, the way we address security in those will certainly be very different from the large software houses that we may be engaged with, for example, or the global organizations. So yes, it does play quite a critical role, I think, in that decision process for how we're addressing or how we're responding to SOC 2 reporting. So we've got to a stage where we've done a gap assessment. We've managed to map the control requirements of SOC 2 to our own TPRM program, and we've got to a stage where we have built, or we're starting to build, a risk process, a risk management process, a risk framework. So we can then start to do a deeper dive, or more confidently do a deeper dive, into where there are exceptions that have been raised in the SOC report and how we deal with them. So you mentioned earlier, Joe, that yes, there is some consistency in terms of how reports are published and particularly in terms of the way that auditors report on results.
You'll see from the screen here that we have a series of columns and rows that identify the trust control area and the control criteria, the activities that the organization says they do, the testing that the auditor does, and then the necessary test results. And we can see from the far left we have a control number, CC3.4, and then on the far right we have two columns, sorry, two rows: one says no exceptions noted, and the second has some information about an exception that's been raised. So if we've already identified and mapped those SOC controls and the trust criteria control numbers to our own third-party assessment, it's going to make it a lot easier to know where to place the exceptions when it comes to putting them into our own risk framework and our TPRM. If we've already identified that CC3.4 aligns to ISO clause A.6, for example, and it's a similar control, we know that there's a one-to-one mapping there. We know that if this exception is raised and it relates to the same area that's covered in 27000, one, we know where to place this control within our risk framework. And so having that gap assessment first makes it so much easier to know what do we do with these exceptions, or at least where do we place them? How do they align with a similar, maybe not directly but a similar, question that we would have asked had they completed their ISO assessment, for example?

Joe: Yeah. And from a reporting standpoint, does the SOC 2 report provide any guidance on next steps or recommended actions resulting from these findings?

Thomas: So, yeah, the assessments are quite interesting because there are a few things you may see from here, and as you go through a SOC report, that are lacking. So we can see that the auditor has given details of a control, or a lack of control: so a lack of visibility for identifying structure or operational change as part of an annual risk exercise.
I mentioned earlier that there is a sort of management response as well, and there's dialogue between the auditors and management, and it's through these areas of the report where we can start to see actions being taken or actions being proposed. So we can start to piece together not only here's a gap or an exception that the auditors raised; we're already starting to get an action plan and an idea of the story, you know, so what's behind it and what's being done or what's being proposed to address it. One area that is missing, you might note from here, and if we continue on to the next slide as well, is this: so you have your exceptions, and it may be creating a new risk if it's an error that the SOC maybe identifies but your own assessment doesn't, or maybe an error that, say, you're able to map, but what about how do we classify this? So you've got an issue here. There's no root cause analysis. There's no system impact or resolution as part of incident tickets and incident monitoring and incident reporting. So is this a critical risk? Is this a high, medium or low risk? What's the impact? What's the likelihood of this? These are areas that the SOC report doesn't contain. And that's why it's then so very important to have that established risk process, so that if, for example, we know that we're following, say, an ISO 31000 or a NIST RMF risk management framework best practice approach for how we identify and classify risks and how we categorize them, high, medium, low, red, amber, green, whatever is appropriate, it will make it easier to say we've got a risk here. There needs to be something done to tighten up the way incidents are being managed or incidents are being addressed or recorded, based on our own risk management process,
and maybe similar risks we've seen from other vendors who've completed a similar scenario, so that we can classify this as a critical risk or a medium or a low risk based on our own acceptance criteria and the way we classify these types of risks. So it's important to note that we can have a series of exceptions, but until we go through some of the detail, or until we align it to our own risk approach, we need to work out: how damaging is this to the business, or our own perception of it? How much of an incident or risk is this to us? And are we prepared to accept it, based on the management response or based on what's being captured as part of the audit detail?

Joe: Yeah.

Thomas: So the actual risk approach: it's obviously managing SOC exceptions the same way as risks in your wider TPRM. So I mentioned, if you're using a best practice, say ISO 31000 for risk management, for example, you should already have a fairly good idea of how to identify, say, impact over likelihood, what type of risk scoring, particularly if you're using existing risk management tools and tool sets to help drive this, to help document and record risks and assign risk remediation. Obviously part of this process should be identifying risk acceptance criteria, and at what stage would you be willing to, say, accept low and medium risks and not accept high and critical risks and demand some level of mitigation or risk remediation. Once we have that process in place and we're able to extract those exceptions from the SOC report into our risk criteria, it then makes it much easier to work out what we are doing with these exceptions. Do we need to re-engage the vendor, or are we confident, based on what they've said or the level and severity of that exception, that actually we only need to monitor it or we don't need to take any further action?
So having that structured risk management approach in place will make it easier to work out what we do with these exceptions.

Joe: And from a process and workflow standpoint, this is where that deviation of workflow, based on being provided a SOC 2 report, suddenly joins back into that, you know, straight-line assessment workflow that we'd fine-tuned, because now we're managing risk in exactly the same way.

Thomas: Absolutely. And that's what we're looking for, right? It's that streamlined approach. It's an approach that is still giving us that value of what we're trying to get out of the SOC assessment, and that still demonstrates the effectiveness of our TPRM as well. And of course, the more detail we're ascertaining from the SOC report, and if we've got a process set up for how risks are captured and identified, it makes it easier in terms of how we present this internally, or to senior management, or even back to the vendors themselves. Still, we've got clear mapping of exceptions to standards and regulations. Perhaps we're already putting that within our risk process. So we're classifying risks based on particular areas, incident management for example, and SOC controls. Maybe we've got existing risk types and risk registers that we're using around information security, cyber security, ISO 27001. We start to record how those risks have been established and how they've been formed, and use more of the SOC auditor's descriptions to help build out that risk. So what type of risk is it? Is there a name? Is there a clear description? Can we use the wording straight from the SOC report? Are there recommendations based on the management response? So it's trying to extract as much of that data and information as possible from the SOC report to tell that story for you within our TPRM.
And of course, what can make it an easier process is if we're starting to see commonality between exceptions raised through SOC reports and other risks in our platform from other vendors. So if there's consistency there in terms of the type of incidents, the type of risks being raised, that can help us make that decision of how critical is this as a risk area, particularly of course if it's an area that we've deemed mandatory, as a mandatory control, that we're trying to focus on. So it's really taking as much data and trying to know how to extract that information as much as possible from the SOC report and putting it into our own processes, our own practice of third-party risk.

Joe: Yeah. And then we maintain that sort of full auditable trail of how we've managed a SOC 2, rather than just blindly accepting one, for example.

Thomas: Absolutely. Yes. And I think that's a key point, isn't it? Yeah, it's building it out in the most efficient process or the most efficient way. So this is all about focusing around the pros and the cons of SOC 2. And I think it's clear that both sides of the coin have interesting areas to contribute. With the depth that a SOC 2 report can bring, it can provide a lot of insight into what the vendor does, their operations, the level of detail of how infrastructure is built, is designed, and maybe critical tooling that they use to secure data or data processes. For example, we are finding that more and more standards are doing mapping between SOC 2 and, I'd say, the likes of NIST and ISO and many, many more, and I think this is only going to continue as SOC 2 becomes more of an almost go-to tool as a way to demonstrate best practice.
And it could be a good demonstration of a good posture, particularly given the fact it is, as I say, independently assessed. It's not just an organization saying we're telling you what we do, take it. It's also independently assessed by an auditor and they've given their professional view on whether these controls meet the requirements. On the other side of that coin, however, that information can be overwhelming, particularly if you're still trying to work out what the vendor is doing for you, what product or service they are supplying. And as I say, if the scope is very much ring-fenced, and if it's identified that the scope of the SOC report sits outside of the scope of services that they're providing to you, how do you take that? Are you still going to say we can still use it, it's a demonstration of best practices across other parts of the organization? Or do we need to reject it because it's actually not fulfilling the areas that we'd expect it to fulfill in terms of the type of operations or infrastructure or systems that they're supplying to us? That inconsistency between different vendors, the way they can ring-fence and look at different scopes, and how that impacts your TPRM program. So again, that example of if your focus is on data privacy, for example, but the SOC reports don't cover the privacy arm. How do you take that? How do you address it? You still need to have further conversation around asking vendors to complete privacy-based assessments, for example, and where that gap is between what the SOC asks for and your own assessments and frameworks. If there's a small gap, say it's 80, 85, 90% coverage between what SOC 2 and ISO ask for, does that mean you can accept SOC 2? Or is there a sufficient enough gap that it's only given you half the picture and there are still a lot of control areas that are missing and that you need to engage further on? And is this slowing down the process?
And that's a key point as well, because obviously what we don't want to do is get to a stage where it makes the process slower, because we're having to filter through and manually review so much stuff in control documents, particularly when the end result is there's such a large gap between what it's offering and what we're asking for.

Ash: Excellent. Well, thank you so much, Thomas and Joe. Let's go ahead. We've got about three minutes left to get through some of these questions. You guys may have noticed that I launched our second poll while they were still presenting. If you go ahead and answer that, we greatly appreciate it. But Nadia asked: with new privacy laws and CPRM changes coming up, would a SOC 2 report still be enough to give us an accurate view of an organization's security posture?

Thomas: Very good question. So, yes, what's interesting is there's a lot more, and you're right, particularly from a privacy perspective and the view of how TPRM is being managed. There still is a lot of benefit. I think there still will always be a level of benefit in what a SOC 2 can provide. As is the case with all of these frameworks, at a point in time the trust criteria will be updated again, and I'd expect when it does that it would reflect some of these changes as well. That's quite a common approach. But nevertheless, at the moment there will still be, there will always be a gap, let's put it that way. But I think what's important is to be mindful of how big a gap that is, because that could be the difference between saying how much we can accept a SOC 2 or not.

Ash: Excellent. Thank you so much, Thomas. And I appreciate everybody's questions. We did have about 40-plus questions. Unfortunately, we just don't have enough time to get through them.
So, Joe, I'm going to let you go ahead and dig through some of these and pick out something you think would be useful.

Joe: Oh, I think a good question here is: if there is more than one vendor and all have various different frameworks, then how to proceed? I know, Tom, you've had a lot of experience with mapping numerous frameworks to singular assessments, so I think it's all about the preparation. You know, if you're seeing that commonly you're provided a particular framework-based report, then you know that mapping is something you should prepare for. And I think that content is always going to evolve, you know, if you're suddenly seeing more and more different frameworks being presented to you. It's all about making sure you find the time to prepare your content and perform that mapping as accurately as possible.

Thomas: Yep, completely agree. Yep.

Joe: Let's see if we've got time for one more. Would there be a process to follow up with the auditor that conducted the assessment regarding the remediation of items that resulted in the qualified opinion? How do you feel about that one?

Thomas: Yes, that's an interesting question. It can be difficult sometimes because of course the auditor is, say, tied, is contracted by, say, vendor A to conduct the assessment. And so it's up to them whether they want to engage further with another company that's not tied or associated with them. So I don't want to say it's not possible, but I guess the best practice would be to go through the vendor first, or the organization you're engaged with, and for them to ask the necessary question and get the data. Technically, I guess there's no reason why the auditor can't be engaged, but I guess the key thing there is they're not, what's the word, contractually agreed to.
But necessarily, if there is something, I guess, that's fundamentally an issue within the SOC report, or there's perhaps a major exception and the report is not so clear, it's going back to the vendor first to clarify what was discussed and what action plan had been agreed between them and the vendor.

Ash: Excellent. Well, thank you guys so much, and everyone, for all of your questions. I do apologize we weren't able to get through all of them, but if you do still have questions, please feel free to email us after you receive the copy of the recording in your inboxes. They gave us some great information to take in today. So I hope to see all of you either in your inboxes or at a future Prevalent webinar. Cheers everyone, and enjoy your weekend.

Thomas: Thank you. Thank you all.
©2026 Mitratech, Inc. All rights reserved.