
Are you using SOC 2 compliant vendors?

Why it matters for the future of cybersecurity in your organization

As an InfoSec officer, you’re not sitting around twiddling your thumbs, so you may feel confident you don’t need to worry about SOC 2-compliant vendors. After all, you’re working hard every day to make sure your house is secure. 

When your team is in the trenches, executing plans to shore up the crown jewels of your company, do you really need more cybersecurity products or to spend time double-checking that you’re using SOC 2 compliant vendors?

Actually, it’s quite important because a gap in vendor security can all too quickly lead to a vulnerability in your own security. It just takes one skillfully executed supply chain attack like the infamous SolarWinds hack.

What is SOC 2 compliance?

If you don’t know what a SOC 2 report is, you’re probably not asking your current vendors to show you theirs or using it as a criterion for potential vendor selection. The quick explanation: SOC 2 is an auditing system designed to provide third-party confirmation of a certain level of security.

SOC stands for System and Organization Controls and the auditing system was developed by the American Institute of CPAs (AICPA). It outlines trust principles that help companies assess risk.

The 5 trust principles that can be audited for a SOC 2

There are five trust principles that can be audited for a SOC 2 report, but only security is required. They are:

  • Security — how are systems and information kept secure?

  • Privacy — how is personal information obtained, secured, and destroyed?  

  • Availability — how does an organization access others’ information as a third-party service?

  • Processing Integrity — how is system processing completed and authorized?

  • Confidentiality — how is confidential information secured?

For vendors to become SOC 2 compliant, there are many measures and controls that need to be planned, deployed, and tested. That requires a commitment of time and resources. Once those controls are in place, a company can undergo a SOC 2 Type I audit.

After this test, a SOC 2 Type II audit monitors compliance at six- to twelve-month intervals, verifying that the systems continue to work over time. An audit costs tens of thousands of dollars on top of the cost of developing and implementing a comprehensive compliance plan. 

A company that does all the work of setting up, demonstrating, and verifying its security, and then succeeds in its audit, is showing a commitment to maintaining the security of its clients as well — this is what you want to know during vendor selection!

Why SOC 2 is important to vet third-party vendors

Large enterprise companies have rigorous vendor management plans and generally only work with SOC 2 compliant vendors, because it is the growing industry standard in cybersecurity.

But it’s not only important for large companies to ensure their vendors are secure. Any organization that uses SaaS, cloud, or other kinds of network services should make sure its information is in the hands of reputable third parties that take the security of that information as seriously as the organization itself does.

The benefits of a SOC 2 report

It may seem sufficient, at first, to know that you’re working to make sure your company is secure and your vendors are working to make sure their company is secure. The benefit of a SOC 2 report is it adds a third, impartial attestation that objective security standards are being met and maintained over time.

It’s also important to differentiate whether the service you’re using is, itself, a SOC 2-compliant vendor. Some companies, when asked, will provide a report for their data center provider like AWS, Azure, or GCP, but have not been audited themselves. This is a start, but a fourth-party data center isn’t the only vulnerability.

How to conduct vendor due diligence

Once you’ve decided that it’s important to ensure that you’re using SOC 2-compliant vendors, you need to determine how to conduct due diligence during vendor selection. It’s also critical to maintain ongoing confirmation checks for existing vendors.

Here’s a basic strategy for putting due diligence procedures in place:

  • Assemble a team — If you’re a large company, put together a whole team. Include anyone with relevant insight into InfoSec and compliance.
  • List your current vendors — If you’re too small to need an entire team, at least compile all the third-party services your company is currently using.
  • Who knows what? — Identify which vendors have access to networks and data and at what levels.
  • Monitor current vendors — Once you’ve verified your company is working with SOC 2 compliant vendors, continue monitoring their status and performing security checks.
  • Vet potential vendors — As you conduct future vendor selection, add SOC 2 Type II reports as a criterion for consideration.

Ensuring cybersecurity with SOC 2 compliant vendors

Every security measure in the world that your team rolls out across the company can be skirted if an attacker comes through the side door. Any vendors whose security standards are not up to your company’s standards will pose a threat to your information.

It is possible to perform a security audit yourself during your vendor selection process. But the SOC 2 auditing system exists for just that purpose, saving you time and energy. The fact that it’s carried out by a third party adds a layer of corroboration that neither you nor your vendors can achieve alone. Keeping a tight perimeter and protecting your company is your job, and SOC 2 is an important resource to help you do that. Vetting vendor security is an important consideration for every cybersecurity officer.