Third Party Risk Management: TPRM Tuesday

TPRM Tuesday #9: Common SOC 2 report exceptions and tips to avoid them.

It’s Tuesday and it’s time for our next TPRM Tuesday posting. Today we discuss common control exceptions on SOC 2 reports. Below is a list of the exceptions we most frequently see. It may help you spot them in a vendor’s report and work with the vendor to resolve or mitigate them.

Not all employees completed security awareness training: Service organizations typically use an online training platform that lets employees complete security awareness training at their convenience. The platform makes it easy to track who has not completed the training, sends automated reminder emails, and can be configured to alert the employee’s manager. The exception usually arises when the platform’s roster is not reconciled with the HR roster (new hires and contractors are never enrolled) or when no completion deadline is enforced; the evidence an auditor expects is a completion report covering every active employee in the period.

The risk assessment is incomplete and did not include all relevant threat events: Service organizations should follow NIST SP 800-30 Rev. 1, which calls for a risk assessment that lists each relevant threat event, the likelihood of the event occurring, the impact to the organization if it occurs, and the resulting risk level. Service organizations should create a template based on that guidance and cover every system in scope of the SOC 2 report; executive leadership should review the results, and the assessment should be updated at least annually and whenever a significant change to the environment occurs.

Multi-factor authentication is not used for remote access: Service organizations should require employees to present a second authentication factor in addition to a password when accessing the network remotely (VPN, remote desktop, and the administrative consoles of cloud environments). Typical second factors are one-time codes from soft tokens (an authenticator application on a mobile device), codes sent via SMS, or hardware tokens that plug into the employee’s machine. SMS codes are the weakest of these because they can be phished or intercepted through SIM swapping; authenticator applications or hardware security keys are preferable. The exception is also raised when MFA exists but is not enforced on every remote access path.
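To make the "soft token" concrete, here is an added example (not code from the original post) of the server side of a TOTP second factor as defined in RFC 4226/6238: code generation, the enrollment URI an authenticator app scans, verification with a small clock-drift window, and replay protection so a code captured by a phishing proxy cannot be reused. The key is the reference secret from the RFC test vectors, used here only so the output can be checked against the published values; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Reference secret from the RFC 4226 / RFC 6238 test vectors: a constructed
# demonstration key, never to be reused for a real account.
DEMO_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the step (30 s)."""
    return hotp(key, for_time // step, digits)


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code during enrollment."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}&digits=6&period=30"


def verify_totp(key: bytes, code: str, now: int, step: int = 30,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the matched counter if `code` is valid for `now` +/- `window` steps, else None.

    The window absorbs clock drift between server and phone; keep it at one step
    each way, because every extra step widens the brute-force target.
    """
    current = now // step
    for drift in range(-window, window + 1):
        counter = current + drift
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


def accept_code(key: bytes, code: str, now: int, last_counter: int) -> Tuple[bool, int]:
    """Acceptance with replay protection.

    `last_counter` is the highest counter already accepted for this user (persist it
    per user). A code that matches but is not newer than the last accepted one is a
    replay and is rejected, even though it still falls inside the drift window.
    """
    matched = verify_totp(key, code, now)
    if matched is None or matched <= last_counter:
        return False, last_counter
    return True, matched


if __name__ == "__main__":
    print(provisioning_uri(DEMO_KEY, "alice@example.com", "ExampleCorp"))
    print("code at T=59:", totp(DEMO_KEY, 59))  # RFC 6238 vector: 287082
    print(accept_code(DEMO_KEY, totp(DEMO_KEY, 59), 59, -1))
```

When reviewing a vendor, the questions this illustrates are whether the second factor is tied to a secret the phone holds (soft or hardware token) rather than to the phone number, whether the server rejects reused codes, and whether the drift window is narrow; an implementation that accepts a code for several minutes is a weaker control than one that accepts it for one step either side.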

Superuser access is not restricted to appropriate personnel: Service organizations need to follow the principle of least privilege (the foundation on which a zero trust architecture (ZTA) also rests) when determining which users require superuser access to the network and critical applications. For those who do not require such access, specific roles should be created that limit access to only the functions necessary for one’s job responsibilities. Administrators should use a separate privileged account rather than their day-to-day account, and the list of superusers should be reviewed periodically against an approved list; the exception is most often a stale administrator who changed roles and kept the access.

Terminated user access was not removed in a timely manner: Service organizations should mandate that notice of termination be communicated to HR and IT before the departing employee’s last day. Upon receiving such notice, IT should remove access immediately or set the employee’s account to expire on their last day. The removal must cover every in-scope system, including SaaS applications that are not tied to single sign-on; auditors compare the HR termination date with the timestamp at which each account was disabled, and any login after the termination date is a finding in its own right.
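The two preceding exceptions (unrestricted superuser access and lingering access after termination) are both caught by the same periodic access review: reconcile the HR system of record against the identity provider’s user export and an approved-administrator list. The following is an added example of that reconciliation (not code from the original post). The employee, account and approved-admin data are constructed for the demonstration; in practice they would come from the HR and IdP exports the vendor supplies as SOC 2 evidence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Employee:
    email: str
    status: str                      # "active" or "terminated", per the HR system of record
    term_date: Optional[date] = None


@dataclass
class Account:
    email: str
    enabled: bool
    is_admin: bool                   # member of a superuser / global-admin role
    last_login: Optional[date] = None


# Constructed sample data standing in for an HR export and an identity-provider user export.
HR_ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "terminated", date(2024, 3, 1)),
    Employee("carol@example.com", "terminated", date(2024, 2, 15)),
    Employee("erin@example.com", "active"),
]
IDP_ACCOUNTS = [
    Account("alice@example.com", enabled=True, is_admin=True, last_login=date(2024, 3, 29)),
    Account("bob@example.com", enabled=True, is_admin=False, last_login=date(2024, 2, 28)),
    Account("carol@example.com", enabled=False, is_admin=False, last_login=date(2024, 2, 20)),
    Account("dave@example.com", enabled=True, is_admin=False, last_login=None),
    Account("erin@example.com", enabled=True, is_admin=True, last_login=date(2024, 3, 30)),
]
APPROVED_ADMINS = {"alice@example.com"}


def terminated_access_findings(hr: List[Employee], accounts: List[Account], as_of: date) -> List[Dict]:
    """Flag accounts that outlived the HR termination date, were used after it, or have no HR owner."""
    by_email = {e.email: e for e in hr}
    findings = []
    for acct in accounts:
        emp = by_email.get(acct.email)
        if emp is None:
            findings.append({"account": acct.email, "issue": "no HR record (orphan account)"})
            continue
        if emp.status != "terminated":
            continue
        if acct.enabled:
            overdue = (as_of - emp.term_date).days
            findings.append({"account": acct.email,
                             "issue": f"still enabled {overdue} days after termination"})
        if acct.last_login and acct.last_login > emp.term_date:
            findings.append({"account": acct.email,
                             "issue": f"logged in on {acct.last_login} after termination"})
    return findings


def unapproved_admin_findings(accounts: List[Account], approved: Set[str]) -> List[Dict]:
    """Flag enabled superuser accounts that are not on the approved administrator list."""
    return [{"account": a.email, "issue": "superuser not on approved list"}
            for a in accounts if a.enabled and a.is_admin and a.email not in approved]


def access_review(hr, accounts, approved, as_of) -> List[Dict]:
    return terminated_access_findings(hr, accounts, as_of) + unapproved_admin_findings(accounts, approved)


def run_demo() -> List[Dict]:
    """Run the review over the constructed data as of 2024-03-31."""
    return access_review(HR_ROSTER, IDP_ACCOUNTS, APPROVED_ADMINS, date(2024, 3, 31))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['account']:<20} {f['issue']}")
```

On the sample data the review produces four findings: bob is still enabled 30 days after termination, carol’s disabled account shows a login after her termination date (evidence the disable was late, even though it is now done), dave has no HR record at all, and erin holds superuser access without being on the approved list. Running this per in-scope system, rather than only against the SSO directory, is what catches the SaaS accounts that the termination process usually misses.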

Independent assessments of internal controls were not performed: Service organizations should engage independent third parties to perform penetration tests, including web application penetration tests for any cloud-based products that are within the scope of the SOC 2 report. In addition, service organizations need to run vulnerability scans at least quarterly to identify misconfigurations and missing patches. Findings from both should be tracked through to remediation; auditors will ask for the remediation record as well as the test or scan report.

Developers have access to make changes to production systems: Service organizations like software-as-a-service (SaaS) providers that develop custom cloud-based applications should prevent developers from changing production code files directly; changes should reach production only through a deployment pipeline that requires review and approval. Where that is not feasible, the service organization should implement a monitoring control, such as file integrity monitoring (FIM) software that automatically alerts management when production code files change. If an unexpected change is detected, management can investigate to determine whether the change was unauthorized or malicious. For the monitoring control to be meaningful, the baseline of expected file hashes must be protected from the same developers, and every alert must be matched to an approved change ticket.
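To show what the compensating control actually detects, here is an added example (not code from the original post, and not any particular FIM product) of the core of file integrity monitoring: hash every production file, store the baseline under an HMAC so that someone with write access to production cannot quietly rebase it, and classify drift as added, removed or modified. The directory tree, the file contents and the sealing key are all constructed for the demonstration; the `logs` and `tmp` exclusions are an assumed policy.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Tuple

IGNORED_TOP_DIRS = {"logs", "tmp", "cache"}   # assumed: paths that legitimately churn


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.split("/")[0] in IGNORED_TOP_DIRS:
            continue
        result[rel] = sha256_file(p)
    return result


def seal(baseline: Dict[str, str], key: bytes) -> dict:
    """Attach an HMAC so a developer with production write access cannot silently rebase."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(sealed: dict, key: bytes) -> Dict[str, str]:
    body = json.dumps(sealed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline has been tampered with; treat as an incident, not as drift")
    return sealed["baseline"]


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify drift; every entry should map to an approved change ticket."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def run_demo() -> Tuple[Dict[str, list], bool]:
    """Build a constructed production tree, baseline it, simulate an out-of-band edit and a
    baseline-tampering attempt, and return (drift report, tampering detected)."""
    seal_key = b"held-by-the-monitoring-host-not-the-app-server"  # assumed key, demo only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "logs").mkdir()
        (root / "app" / "server.py").write_text("def handler(): return 'ok'\n")
        (root / "app" / "config.yaml").write_text("debug: false\n")
        (root / "logs" / "access.log").write_text("GET / 200\n")
        sealed = seal(snapshot(root), seal_key)

        # A developer hot-patches production code and drops a new file outside the pipeline.
        (root / "app" / "server.py").write_text("def handler(): return 'patched'\n")
        (root / "app" / "backdoor.py").write_text("import os\n")
        (root / "logs" / "access.log").write_text("GET / 200\nGET /admin 403\n")  # ignored path
        drift = compare(unseal(sealed, seal_key), snapshot(root))

        # The same developer then edits the stored baseline to hide the change.
        sealed["baseline"]["app/server.py"] = sha256_file(root / "app" / "server.py")
        try:
            unseal(sealed, seal_key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return drift, tamper_detected


if __name__ == "__main__":
    print(run_demo())
```

The drift report names `app/server.py` as modified and `app/backdoor.py` as added while the log file is ignored, and the rebased baseline fails its HMAC check. Those two behaviours are what to ask a vendor about: whether the baseline (or the hashes a commercial agent reports against) is stored and keyed somewhere the developers cannot write, and whether each alert is reconciled with a change record rather than simply acknowledged.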

We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.