Meeting SOC 2 Requirements for Third-Party Risk Management

How Third-Party Risk Management can help you address, audit and report against SOC 2 and the Trust Service Principles
Scott Lang
VP, Product Marketing
May 12, 2020

This post reviews considerations for third-party risk management under SOC 2, and it explains how you can meet SOC requirements through combined vendor risk assessment and third-party monitoring.

About SOC 2 and the Trust Service Principles

Service Organization Control (SOC) 2 is a standard designed to provide assurance that an organization's systems are set up to cover five core subject areas: security, availability, processing integrity, confidentiality, and privacy of customer data.

These five core subject areas are commonly known as the Trust Service Principles. The purpose of a SOC 2 (also referred to as a Type 2 report) is for an organization to detail the operational effectiveness of its systems, based on the Trust Service Principles. To achieve compliance against a SOC 2 assessment, organizations must develop a clear documentation framework, built around security policies, security procedures and supporting evidence.

The Trust Service Principles are further defined to account for criteria common to all five of the trust service categories (the common criteria) and additional specific criteria for the availability, processing integrity, confidentiality and privacy categories. Objectives for each principle are set out within the Trust Services Criteria and give an organization clear expectations to look for when validating or verifying security controls. This is where third-party risk management comes into play.

SOC 2 Requirements Relevant to Third-Party Risk Management

Third-party risk management solutions can enable you to address the following SOC 2 requirements:

Requirement CC1.1: Roles and responsibilities for privacy and data governance are defined and communicated to personnel as well as to third parties.

A third-party risk management platform can be used to profile your customer base and define roles and responsibilities for privacy and data governance (and understand how they relate to product scope or service provisioning). A TPRM solution can also provide a central repository for vendor management, with capabilities such as rule-based profiling and tiering logic for scoping your vendor ecosystem and prioritizing vendor risk assessments.

Requirement CC3.1: The entity has defined and implemented a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.

An automated TPRM platform can help you manage the vendor risk assessment process, including setting risk impact scoring based on risk acceptance criteria and tolerance levels.

Requirement C1.2: Personal information involved in business processes, systems, and third-party involvement is clearly identified and classified based on severity and risk within data management policies and procedures.

A TPRM solution enables you to centralize agreements, contracts and supporting evidence. For instance, it can help you collect and manage documents that validate how third-party providers address privacy requirements when accessing personal information.

Addressing SOC 2 Compliance with Prevalent

With Prevalent, you can address SOC 2 third-party risk management requirements by:

  • Assessing third parties with a comprehensive SOC 2-based questionnaire
  • Automatically generating a risk register upon survey completion to zero in on potential areas of concern
  • Creating an audit trail that maps documentation and evidence to risks and vendors
  • Reporting against SOC 2 compliance

The Prevalent platform is backed by advisory and consulting services to help you scope vendor assessments and define risk levels, as well as managed services that can handle the risk assessment and analysis process for you.

We also offer a SOC 2 Report Review Service, a managed service delivered by the Prevalent Risk Operations Center (ROC) that transposes SOC 2 report control exceptions into risks in the Prevalent Third-Party Risk Management Platform.

Visit our Solutions section to learn more about meeting SOC 2 compliance requirements with Prevalent.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.