Part 1 of 3: How Service Providers Can Build Trust with Their Customers
By Zachary Ugol, Risk Management Consultant
Who is responsible for Information Security Controls?
The rise in cloud-based technology and third-party solutions increases both the complexity and the uncertainty of security and compliance responsibilities. Service providers and their customers need to understand how those responsibilities are shared and where they are split. This applies to Software as a Service (SaaS) and Infrastructure as a Service (IaaS), to operational services such as credit card processing and billing, and to IT services such as security monitoring and hosting.
Does your organization rely on service providers that handle sensitive data, including financial records and Personally Identifiable Information (PII)? Do you have insight into how your service providers are protecting this data?
Or, if you are a service provider, do you understand your customers' compliance requirements as they relate to data security? For instance, are your customers required to comply with HIPAA, HITRUST, or a NIST framework, or with a state requirement such as SEC501? Are there contractual provisions that require you to report on your security controls?
There is often a disconnect between the services being provided and the level of reliance being placed on service providers. This disconnect can lead to uncertainty about who owns each information security control. If service providers and customers are not aligned on data security, the risk of a security breach increases.
Recently, Quest Diagnostics and LabCorp disclosed a data breach at one of their billing collections vendors, American Medical Collection Agency (AMCA). According to CNBC, AMCA provides billing collections services to Optum360, which is a Quest contractor, so the breach occurred two steps removed from Quest in its supply chain. This incident, and many like it, highlights the need for greater transparency between service providers and customers about data security requirements, including for subcontractors the customer never contracted with directly.
What is a SOC report and how can it help?
System and Organization Controls (SOC) reports were developed by the American Institute of Certified Public Accountants (AICPA) with the goal of helping to increase the trust between service providers and their customers.
To obtain a SOC report (pronounced "sock"), a service provider engages an independent CPA firm to examine its relevant internal controls and issue a report that can be shared with its customers.
SOC reports can clarify the services being provided and the responsibilities of the user in order to ensure that all parties are aligned around security requirements. The table below shares some of the benefits provided by SOC reports.
SOC Reports: Benefits for Customers and Service Providers
SOC Reports for Compliance, Building Trust, and Reducing Risk
To maintain ongoing protection against potential security breaches, customers and service providers need to be on the same page about compliance requirements and to confirm that responsibilities have been divided accordingly. For customers, that means understanding how each vendor supports your compliance requirements. For service providers, it means understanding your stakeholders' compliance requirements and designing your services to meet them. SOC reports are one of the tools available for achieving these objectives.
Stay tuned for our next SOC Reporting blog!
Check back for part two in our series, which explores the kinds and types of SOC reports. We'll cover SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports, as well as the difference between Type 1 and Type 2 reports. Follow us on LinkedIn, Facebook, and Twitter for updates.
Learn More: The Impact Makers Solution
Impact Makers’ Risk Management consultants have knowledge of SOC reports and insights to help both service providers and their customers.
For service providers, we help answer the following questions:
- Do I need to provide a SOC report to my customers?
- If so, am I ready for a SOC report?
- What do I need to do in order to prepare for a SOC report?
For customers, we help answer:
- Do I need to request a SOC report from my service provider?
- If I already receive a SOC report, what information is important for me to review?
- What am I required to do with the results of the SOC report?
- Do control failures impact our compliance requirements?
- Does the existing SOC report meet my compliance requirements?
To learn more, contact us.