
TPRM Tuesday #3: Shared Responsibility Model

Good Morning🌞

It's Tuesday and it's time for our TPRM Tuesday post. Today we will be covering the Shared Responsibility Model between vendors and their Cloud Service Providers (CSPs).

🤔 Can SaaS companies provide their cloud service provider's #SOC2 report to customers without undergoing their own #SOC2 audit?

🚫 Unfortunately, the answer is No.

💡 Why Not?

1️⃣ Shared Responsibility Model

👉 Security is a shared responsibility between the CSPs and their customer (vendors in this case).

👉 Security responsibilities differ based on the services used, such as:

✅ With EC2, vendors are responsible for patching the guest OS, securing applications on the instances, and configuring security groups.

✅ With S3, AWS is responsible for the infrastructure, OS and platforms running the S3 service. Vendors are responsible for managing the buckets, encrypting data, and setting permissions with IAM tools.

👉 The vendor contract should clearly define who is responsible for what.

👉 CSPs are only 100% responsible for controls pertaining to the physical security and environmental protections of their
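To make the vendor side of the S3 split concrete, here is an added example (not part of the original post) that checks constructed bucket settings for the customer-side controls named above: default encryption, the public access block, and bucket-policy principals. The dictionary shapes are assumed to mirror boto3's get_bucket_encryption, get_public_access_block and get_bucket_policy responses; no AWS call is made, and the bucket names and account id are made up.

```python
import json

# Constructed sample bucket settings (assumption: shapes mirror boto3's
# get_bucket_encryption, get_public_access_block and get_bucket_policy responses).
SAMPLE_BUCKETS = {
    "vendor-logs": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                                             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vendor-logs/*"}]}),
    },
    "vendor-exports": {
        "encryption": None,  # no default server-side encryption configured
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vendor-exports/*"}]}),
    },
}
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def statement_is_public(stmt):
    """True when an Allow statement names the anonymous principal ('*')."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(cfg):
    """Return the customer-side control gaps for one bucket's settings."""
    findings = []
    enc = cfg.get("encryption")
    if not enc or not enc.get("Rules"):
        findings.append("no default server-side encryption")
    pab = cfg.get("public_access_block") or {}
    if not all(pab.get(flag) for flag in PUBLIC_ACCESS_FLAGS):
        findings.append("public access block incomplete")
    statements = json.loads(cfg.get("policy") or "{}").get("Statement", [])
    if any(statement_is_public(s) for s in statements):
        findings.append("bucket policy allows anonymous principal")
    return findings


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map each bucket name to its list of findings (empty list means OK)."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}
```

Every finding this reports is on the vendor's side of the line; nothing in the CSP's SOC2 report would speak to it.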


2️⃣ SOC2 covers entity-level controls

👉 HR, Governance, Training, Risk Assessment, Policies and Procedures, On/Offboarding, Vendor Management, Incident Response are significant controls. SaaS companies cannot rely on their CSPs for these controls and must prove to customers that they have controls in place covering these.

🎯 SaaS companies providing their CSP's SOC2 report in lieu of their own is always a red flag to customers and vendor managers. Vendors should avoid this costly mistake and invest in their own security.

We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.