A System and Organization Controls (SOC) report is an independent auditor's evaluation of a service provider's controls and how effectively they operate. In an ideal world, every vendor provides a SOC report to demonstrate its commitment to security and compliance. In reality, many vendors, especially smaller or newer companies, have not undergone a SOC audit. That does not necessarily make them risky, but it does mean you will need to assess them in a more hands-on manner.
Here are 10 ways to evaluate vendors when they don't have a SOC report:
First, ask why there is no SOC report. The company may be too new or small to justify the expense of a SOC audit, which can be costly and time-consuming; this is often the case for startups and small businesses. Alternatively, they may be in the process of obtaining one. If so, ask for their timeline, which report they are pursuing (a Type I covers control design at a point in time, a Type II covers operating effectiveness over a period of months), and what interim measures they are taking in the meantime. Some vendors prioritize other compliance frameworks or certifications that are more relevant to their industry or client base. Understanding the context helps you gauge the vendor's attitude towards security and compliance.
While not as comprehensive as a SOC report, other documents can provide insights into a vendor's security practices. An ISO 27001 certification covers the vendor's information security management system and is a reasonable indicator of its security posture; ask for the certificate itself and check its scope, since it only covers the systems, locations and services listed in it. For healthcare-related vendors, a HITRUST certification, which combines various security standards, may be particularly relevant. If the vendor handles payment card data, ask for their PCI DSS Attestation of Compliance (AOC) and confirm that the services you will use fall within its scope.
Don't overlook the value of internal security policies and procedures; these documents reveal the vendor's approach to security governance. Results of recent penetration tests or vulnerability assessments can demonstrate the vendor's commitment to finding and fixing weaknesses, but check when the test was performed, what was in scope, and whether the findings have been remediated; a report with no remediation evidence tells you little. While these alternatives don't replace a SOC report, they can provide valuable insights into the vendor's security practices.
Develop a comprehensive security questionnaire covering key areas of concern. Inquire about data protection measures, including encryption methods, data classification, and data lifecycle management. Ask about access control policies, focusing on user authentication, authorization processes, and privileged access management.
Understanding their incident response procedures is crucial; find out how they detect, respond to, and mitigate security incidents. Assess their business continuity and disaster recovery plans to ensure they can maintain or quickly resume operations after a disruption. Evaluate their program for educating staff on security best practices. Inquire about network and system security controls, such as firewalls, intrusion detection/prevention systems, and security information and event management (SIEM) tools. Ensure the questionnaire is tailored to the specific services the vendor will provide to your organization.
If the vendor will be handling sensitive data or providing critical services, consider conducting more in-depth assessments. Virtual walkthroughs of their security processes can be very informative. Use video conferencing to observe their security operations center or data center. Schedule video conferences to discuss security measures in detail, allowing for real-time Q&A with their security team.
If feasible, consider on-site visits to inspect their facilities and operations. This can provide firsthand insight into physical security measures and day-to-day operations. While these assessments require more time and resources, they can provide valuable insights that aren't captured in documentation alone.
Ask for evidence of implemented technical controls, such as configuration exports or screenshots, rather than written assurances alone. Understand the encryption methods used for data at rest and in transit, including the algorithms and key management practices; for data in transit, much of this can be verified independently by inspecting the protocol versions and cipher suites the vendor's endpoints actually negotiate. Verify that multi-factor authentication is enforced for all critical systems and user accounts. Assess their patch management process to ensure security updates are applied in a timely manner, and ask how long critical patches typically take. Understand how they detect and respond to suspicious activity through log monitoring and alerting. These technical details give you a clearer picture of the vendor's security infrastructure and practices than a questionnaire answer can.
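Encryption in transit is one of the few controls above that you can check yourself instead of taking the vendor's word for it. The following Python script is an added example, not code from this article or from HyperComply: it connects to a vendor endpoint, records the negotiated protocol and cipher suite, probes whether TLS 1.0 and 1.1 are still accepted, and grades the result against a simple baseline. The default hostname, the baseline thresholds and the cipher blocklist are assumptions chosen for illustration; adapt them to your own policy.

```python
"""Check a vendor's TLS-in-transit claims against a simple baseline.

Added example, not from the article or from HyperComply. The baseline
(TLS 1.2 minimum, 128-bit keys, forward secrecy, no legacy ciphers) and the
default host are assumptions chosen for illustration.
"""
import socket
import ssl

MIN_VERSION = "TLSv1.2"
VERSION_ORDER = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Substrings of OpenSSL cipher names that indicate a suite we do not accept.
# "DES" also matches "DES-CBC3" (triple DES); "EXP-" marks export-grade suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP-", "MD5", "ADH", "AECDH")
# TLS 1.3 suites always use an ephemeral key exchange, so forward secrecy is
# implied even though "ECDHE" does not appear in the suite name.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def assess_tls(version, cipher_name, key_bits, legacy_accepted=()):
    """Grade one negotiated session; returns a list of (severity, message).

    version         -- protocol string as returned by SSLSocket.version()
    cipher_name     -- suite name as returned by SSLSocket.cipher()[0]
    key_bits        -- symmetric key strength, SSLSocket.cipher()[2]
    legacy_accepted -- protocol versions below the baseline the server also agreed to
    """
    findings = []
    if VERSION_ORDER.get(version, 0) < VERSION_ORDER[MIN_VERSION]:
        findings.append(("fail", f"negotiated {version}; baseline is {MIN_VERSION} or newer"))
    upper = cipher_name.upper()
    hits = [marker for marker in WEAK_CIPHER_MARKERS if marker in upper]
    if hits:
        findings.append(("fail", f"cipher {cipher_name} uses {', '.join(hits)}"))
    is_tls13 = upper.startswith(TLS13_PREFIXES)
    if not is_tls13 and "DHE" not in upper:  # "DHE" matches both ECDHE and DHE suites
        findings.append(("warn", f"{cipher_name} offers no forward secrecy"))
    if key_bits < 128:
        findings.append(("fail", f"symmetric key strength is {key_bits} bits, below 128"))
    for legacy in legacy_accepted:
        findings.append(("fail", f"server still accepts {legacy}"))
    return findings


def worst(findings):
    """Collapse a findings list to an overall grade: pass, warn or fail."""
    severities = {severity for severity, _ in findings}
    if "fail" in severities:
        return "fail"
    return "warn" if "warn" in severities else "pass"


def probe_endpoint(host, port=443, timeout=5.0):
    """Handshake with full certificate verification; return what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()
            return tls.version(), name, bits


def legacy_version_status(host, port=443, timeout=5.0):
    """Offer only TLS 1.0, then only TLS 1.1, and record whether the server accepts.

    Certificate verification is disabled here because only protocol acceptance is
    being tested. A local OpenSSL build that refuses to speak a version at all
    makes that probe inconclusive rather than a pass.
    """
    status = {}
    for tls_version, label in ((ssl.TLSVersion.TLSv1, "TLSv1"),
                               (ssl.TLSVersion.TLSv1_1, "TLSv1.1")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer legacy suites
            ctx.minimum_version = tls_version
            ctx.maximum_version = tls_version
        except (ssl.SSLError, ValueError):
            status[label] = "inconclusive"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    status[label] = "accepted" if tls.version() == label else "rejected"
        except ssl.SSLError as exc:
            reason = (exc.reason or "").upper()
            status[label] = "inconclusive" if "NO_PROTOCOLS_AVAILABLE" in reason else "rejected"
        except OSError:
            status[label] = "inconclusive"  # network error, not a protocol decision
    return status


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vendor.example"  # hypothetical vendor host
    version, cipher, bits = probe_endpoint(host)
    legacy = [v for v, s in legacy_version_status(host).items() if s == "accepted"]
    findings = assess_tls(version, cipher, bits, legacy)
    print(f"{host}: {version} {cipher} ({bits}-bit) -> {worst(findings)}")
    for severity, message in findings:
        print(f"  [{severity}] {message}")
```

Run it as `python tls_check.py api.vendor.example` against each endpoint the vendor will expose to you, and keep the output with the rest of the assessment evidence. The grading is deliberately separated from the network probing so the same `assess_tls` function can be applied to results gathered with other tools, and so that a local OpenSSL build that cannot speak TLS 1.0 is reported as inconclusive rather than mistaken for a server that rejects it.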
Understanding the vendor's own supply chain is crucial. Find out if they rely on other third-party services and how critical these are to the services they provide to you. Inquire about their process for assessing and managing their own vendors, looking for a formal vendor management program. Determine what controls are in place to mitigate risks from their suppliers. This might include contractual obligations, regular audits, or technical controls. Remember, your vendor's security is only as strong as its weakest link, which may be one of their own suppliers.
Request information about past security incidents and how they were handled; this reveals their real-world response capability better than any plan on paper. Review their incident response plan and team structure to assess the comprehensiveness of the plan and the expertise of the team. Pay close attention to their breach notification procedures. Ensure their notification timeline aligns with your requirements and any relevant regulations (under the GDPR, for example, a processor must notify the controller without undue delay so the controller can meet its own 72-hour deadline to the supervisory authority). A vendor's ability to respond to and communicate about security incidents is crucial for maintaining trust and minimizing damage.
In the absence of a SOC report, strong contractual terms become even more crucial. Include clear security requirements and expectations, specifying the security controls you expect them to maintain. Ensure you have right-to-audit clauses that give you the ability to conduct or request security audits. Clearly define how your data should be protected and used through data protection and confidentiality agreements. Specify timelines and processes for security incident communication. While contracts can't prevent security incidents, they can provide important protections and set clear expectations for security practices.
Establish a process for continuous assessment of the vendor's security posture. Schedule regular security check-ins, such as quarterly or semi-annual meetings, to discuss their security posture, and conduct annual reassessments to identify any changes or improvements in their practices. Set up alerts for news or announcements related to the vendor's security, monitoring public sources for any security issues or breaches. Remember that security is not a one-time assessment but an ongoing process that requires regular attention and updates.
Ultimately, assess the potential risk against the business value the vendor provides. Consider what type of data or systems the vendor will access, classifying the sensitivity and criticality of the assets involved. Determine how critical the service is to your operations and the potential impact of a security failure on your business. Explore whether compensating controls can be implemented on your end to mitigate risks. This risk-based approach allows you to make informed decisions about vendor relationships, balancing security concerns with business needs.
While a SOC report provides a standardized way to assess a vendor's security controls, its absence doesn't automatically disqualify a vendor. By taking a thorough, multi-faceted approach to vendor assessment, you can still gain confidence in a vendor's security practices. Remember, the goal is to understand and mitigate risks, not to create insurmountable barriers. With careful evaluation and ongoing monitoring, you can make informed decisions about vendors, even without the benefit of a SOC report. This process may require more effort, but it can lead to stronger, more secure vendor relationships in the long run.
When all else fails, ask your vendors to use HyperComply's Trust Pages so they can make it easy for you to assess their approach to IT compliance.