Transcription

Rules to Receive CPE Credit
By attending ALL of today’s sessions, you are eligible to receive up to 2 CPE credits per the following guidelines. In order to receive this credit, the following items MUST be completed:
- Each person wishing to receive CPE credit must log into the session individually with their credentials
- You MUST answer ALL of the polling questions throughout the presentation
- You MUST be in attendance for the entire live session
- You MUST complete the follow-up survey regarding the sessions

Day Two Sessions
SESSION 3
- Ongoing: SOC Reports, by Lisa Mae-Hill, Venminder
- Ongoing: Cybersecurity, by Lisa Mae-Hill, Venminder
SESSION 4
- Ongoing: Business Continuity Management, by Lisa Mae-Hill, Venminder
- Ongoing: Financial Health, by Ramin Zacharia, Venminder

SESSION 3: Ongoing: SOC Reports
APRIL 20, 2022
PRESENTED BY Lisa Mae-Hill, Director, Information Security

Agenda: SOC Reports
- Ongoing items
- Different types of SOC reports
- How vendor SOC reports fit into the process
- When to review them and what to look out for on an ongoing basis

Within the Third-Party Risk Management Lifecycle

Vendor Ongoing Monitoring, Contract Management and Due Diligence Is Continued
Ongoing oversight is required by most regulatory guidance. It includes:
- Ensuring that invoices accurately reflect the services and the agreed-upon price
- Periodic reviews of vendor due diligence
- Frequent monitoring of contract SLAs and issue remediation
- Addressing outstanding risks and/or deficiencies
- Tracking renewal dates and fixing contract gaps before then

The 3 Components of Continued Vendor Due Diligence and Ongoing Monitoring
- Continued Due Diligence/Assessment (Annual): based on risk rating and recommended at least annually for critical and high-risk vendors; every 18-24 months for moderate risk; every 2-3 years for low risk
- Performance & Risk Monitoring (Frequent): recommended quarterly for critical and elevated-risk vendors
- Contract Management (Ongoing): aligned to renewal or termination

Continued Due Diligence Reviews and Assessments
- Verifying that vendor insurance types and coverage amounts are correct and current
- Ensuring that vendor policies and other documentation, including independent third-party audits, are current and that any changes or identified issues are addressed
- Reviewing and assessing the financial health and long-term outlook of the vendor
- Reviewing the cybersecurity, SOC reports, business continuity and disaster recovery plans, tests and results
- Confirming that compliance requirements are met, documents are up to date and licensing is current

Different Kinds of SOC Reports
- SOC 1 (Type I and II)
- SOC 2 (Type I and II; SOC 2+)
- SOC 3
- SOC for Cybersecurity

SOC 1 vs. SOC 2
SOC 1
- Intended to validate and verify that Internal Controls over Financial Reporting are sufficiently in place at the vendor for your contracted use
- Review this SOC when you are primarily concerned with the impact to financial reporting
- Generally meant for auditor use and compliance purposes
SOC 2
- Helps you measure how the vendor provides their product or service under the umbrella of specific trust services criteria
- The trust services criteria include: security, availability, confidentiality, privacy and processing integrity
- A SOC 2 may not cover all Trust Services Criteria, as vendors can choose which criteria to be audited on

Type 1 vs. Type 2 vs. SOC 2+
Type 1
- POINT IN TIME: as of a point in time (a ‘snapshot’ of the controls); covers the design of controls placed in operation
- Generally, you’re not able to determine the operating effectiveness of controls, only the design and implementation of them
Type 2
- COVERS A PERIOD OF TIME: typically January 1st through a date in the 4th quarter; tests operating effectiveness
- Type II will always give you both: the operating effectiveness of controls and their design and implementation
SOC 2+
- Combines the SOC 2 with other control frameworks, such as the Cloud Security Alliance’s Cloud Controls Matrix or the HITRUST Common Security Controls
- A way to combine the Trust Services Criteria with another audit framework

SOC 3
Request and assess a SOC 3 report when:
- You’re doing initial, early, upfront due diligence of a vendor, until your organization has determined if they are a serious prospect
- Vetting a vendor; it should never be used in place of a SOC 1 or SOC 2
Keep in mind:
- A SOC 3 is a summary of the SOC 2 that comes with a seal of approval
- Vendors can publicly share the report
- SOC 3 reports DO NOT include the actual control activities or the testing performed
- A SOC 3 is not as comprehensive, as it’s designed to be made available publicly without an NDA

SOC for Cybersecurity
Request a SOC for Cybersecurity report when you want to know how mature and effective the vendor’s cybersecurity risk management program is with respect to the creation or delivery of the vendor’s product or service.
The SOC for Cybersecurity overlaps with the SOC 2 in some ways, but it should not replace the SOC 2 report.
If you request the SOC for Cybersecurity, assess the following:
- Management’s Description
- Management’s Assertion
- Practitioner’s Report

Summary of the Different Kinds of SOC Reports
- SOC 1: designed to review an organization’s internal controls as they relate to financial reporting
- SOC 2: examination of the organization’s controls over one or more of the 5 Trust Services Criteria
- SOC 2+: pairs the trust services criteria of the SOC 2 with another well-known framework
- SOC 3: summary of the SOC 2 audit which comes with a seal; the organization can publicly share the report
- SOC for Cybersecurity: describes the organization’s cybersecurity risk management program in detail

Anatomy of a SOC Report: Key Components (slide shows example layouts of a SOC 1 report and a SOC 2 report)

Anatomy of a SOC Report
Section 1 is the auditor’s report. Here you’ll find key information such as who the audit firm is, whether it’s a carve-out or inclusive report, the scope, and the auditor’s opinion.
Section 2 is the organization’s management assertion. This section essentially says that the organization will work with the auditors in good faith.
Section 3 is the description of the system. Here you’ll find the organization’s representation of the in-scope system in a narrative format. It will address many topics, including risk management activities, an overview of the organization’s operations, and information about each control objective. Sometimes audit firms will put the complementary user entity controls here as well.

Anatomy of a SOC Report
Section 4 is the actual layout of the control objectives and activities, along with the testing and the results of testing.
Section 5, which is not on either example, is an optional section where an organization can provide unaudited information that may assist in the understanding of the control environment. Common contents of this section include business continuity and disaster recovery information.

Poll Question
How valuable are SOC reports to your third-party risk management program?
a. Key component
b. Nice to have
c. Indifferent
d. We don’t ask for SOC reports
e. Not sure

System Description
Key Components
- Has the vendor provided the correct report?
- The system description section of the report will detail the services & products provided
- Multiple vendor services may have separate reports

Subservice Organizations
Key Components
- Service providers used by your vendor (your fourth parties)
- The report should clarify exactly how fourth-party and subservice organizations are used
- Inclusive vs. Carve-Out Method

Opinion
- Unqualified: When the auditors feel that the vendor’s description fairly represents the system, controls were suitably designed, and, in the case of Type II reports, the controls operated effectively, the report is considered unqualified. It means everything is as it should be.
- Qualified: A qualified opinion is where the vendor had at least one control objective that was not implemented or operating effectively. In other words, a qualified report indicates that issues identified in the report were significant enough to deem one or more controls ineffective. You want to make special note of a qualified opinion.
- Disclaimer: Is used when there isn’t any evidence to prove or disprove that a control wasn’t being performed or was in place. This happens often on controls that surround what are hopefully rare occurrences, such as communicating incidents or breaches to clients.
- Adverse: An adverse opinion is just bad. This means that the vendor held back, or modified, information needed to verify that controls were either in place or operating effectively. This is a definite red flag.

Test of Controls & Evaluating Results
Control Objectives
- SOC reports are built around the vendor’s control objectives
- Control activities support the control objectives
Control & Tests
- Auditors create tests for those activities, where they may review, observe or interview, all to determine whether the control is in place and, for Type IIs, whether they are operating effectively
Exceptions
- Occur when not every sample tested passed
- Look at those and risk rate them; review management’s response, and if one wasn’t given, ask the vendor for one
- Look for mitigations in place, or evidence that the vendor has since corrected the exception
Significant Deficiency
- When a control or combination of controls is shown not to be working as designed, or if the control is being performed by someone unqualified to do so
Material Weakness
- Comes from testing showing that controls are not functioning, resulting in clients not being able to rely on that function of the vendor

The Impact
Key Components
Opinion
- Clean?
- Does this directly impact the service provided?
Exceptions
- Is management’s response sufficient?
- If not, how is the organization addressing the issue(s)?
- Are other controls/procedures in place that give me comfort?

Control Design
- Vendors write the control activities that they are audited against
- SOC 2s are better about this due to following the trust services criteria
- Control complexity can vary greatly between vendors
- SOC reports are not created equally

Complementary User Entity Controls
Key Components
- Controls that you (the user, a.k.a. the “User Entity”) must have in place as a part of the service provider’s control environment
- You must review annually and document that you are in compliance (especially if you are subject to SOX 404 or FDICIA)
To review CUECs, do the following:
- Look at associated control objectives
- Determine which CUECs apply
- Assign each CUEC
- Determine which CUECs are addressed
- Address each applicable CUEC
- Record how each CUEC is addressed
- Assess CUECs

Vendor SOC Report Assessment Best Practices
- Read and understand it
- Look for gaps or areas of ambiguity
- Document and address those areas of ambiguity
- Look for the complementary controls
- Have an expert review the report

SESSION 3: Ongoing: Cybersecurity
APRIL 20, 2022
PRESENTED BY Lisa Mae-Hill, Director, Information Security

Agenda: Cybersecurity
- What vendor cybersecurity posture is and why it’s important
- What vendors should be reviewed and when
- Top 4 areas of vendor cybersecurity to review
- What to do if notified your vendor had a breach

Within the Third-Party Risk Management Lifecycle

Vendor Cybersecurity Posture
Is your vendor prepared to prevent, detect and respond to a cybersecurity issue?
- Identify the cyber threats your vendor could present and take proactive steps to mitigate potential areas of weakness
- Ensure you determine if your vendor (and your customers’ data) will be secure
- Review whether your vendor is prepared to prevent, detect and respond to a cybersecurity issue

Why It’s Important
Enables your risk mitigation by allowing you to:
- Influence the vendor to strengthen their controls
- Supplement their controls with controls of your own
- Make a decision on whether you should stay with the vendor
A vendor breach can have a big impact on you: reputation risk is huge!
It’s a hot-button issue for all regulators! It’s required that you demonstrate you are taking proactive steps to identify and mitigate potential areas of weakness with your vendors. You are expected to cover the CIA Information Security Triad.

Notable 2021-2022 Vendor Data Breaches
- U.S.-based Colonial Pipeline was the victim of a ransomware attack. The company operates a large pipeline that ships gasoline and other petroleum products from Texas to New Jersey and throughout the Midwest.
- A Facebook data breach exposed over 533 million individuals’ personal information to hackers. This included the user’s name, date of birth, current city, and posts made on their wall. The vulnerability was discovered in 2021 by a white-hat security group and had existed since 2019.
- On March 20, 2022, the hacker group LAPSUS posted a screenshot to their Telegram channel indicating that they had breached Microsoft. The screenshot was taken within Azure DevOps, a collaboration software created by Microsoft, and indicated that Bing, Cortana and other major Microsoft projects had been compromised in the breach. This is still under investigation, and it is still unclear if any personal or account information has been exposed or leaked.

Privacy Laws
3 states have comprehensive privacy laws (only CA currently in effect):
- California: 2 of them
  - California Consumer Protection Act (CCPA): went into effect Jan 2020
  - California Privacy Rights Act (CPRA): going into effect Jan 2023
- Virginia: Virginia Consumer Data Protection Act (CDPA): going into effect Jan 2023
- Colorado: Colorado Privacy Act (CPA): going into effect July 2023
Helpful legislation tracker: y-legislation-tracker/

The Domino Effect Is Real
A chain is only as strong as its weakest link.
Industry best practice and regulatory guidance want you to consider all of the potential ramifications posed by a third party, whether in the form of a data breach or a business disruption.
From a planning standpoint, you need to consider all of the possible problems that could occur, what steps you need to be prepared to take, and how long until normal operations can resume, in order to minimize the impact to your organization and your customers.
Example: The need for strong work-from-home capabilities. This requires an abundance of security, and it’s important that you ensure that your vendors have the appropriate cybersecurity controls in place if they shift to a remote workforce.

The CIA Information Security Triad
Cybersecurity is based on the CIA Information Security Triad that encompasses:
- Confidentiality: seeks to prevent unauthorized disclosure of information
- Integrity: seeks to ensure that data is not modified by unauthorized means
- Availability: ensures that information is available when needed and only to authorized personnel

What Vendor’s Cybersecurity Should Be Assessed & By Whom
What type of vendors should be assessed?
- All moderate, high and critical-risk vendors
- Any vendors that process, store or transmit your data
Who at your organization should assess the results?
- The third-party risk manager with the internal stakeholder and internal/external audit team
What type of qualifications should that person have?
- A broad background in information security and risk management; a Certified Information Systems Security Professional (CISSP) is generally the most qualified to do the review

Poll Question
When do you perform a cybersecurity assessment on a vendor with access to consumer data or your systems?
a. Pre-contract signing and annually thereafter as a part of vendor management
b. Post-contract signing as a part of vendor management
c. When resources are available
d. Cybersecurity is not included as a part of our due diligence or vendor management process
e. Not sure

What to Review: 4 Critical Elements
1. Security Testing
2. Sensitive Data Security
3. Employee, Contractor and Vendor Management
4. Incident Detection and Response (and Cybersecurity Insurance Coverage)

Security Testing
Testing is one of the best ways to identify weaknesses. Request that your vendor perform the following at least annually:
- Internal and External Vulnerability Testing
- Penetration Testing
- Social Engineering

Sensitive Data Security
If information needs to be protected against unintended disclosure, then you should be aware of how the vendor is protecting the data from destructive forces and from unwanted actions of unauthorized users (e.g., data breaches, theft).
Verify the vendor is taking precautions, such as the following, to secure your data:
- Encryption
- Data Retention and Destruction Policies
- Data Classification and Privacy Policies

Employee, Contractor & Vendor Management
Understand the vendor’s ability to ensure their employees, contractors and vendors (your fourth parties) are prepared to protect data that is crucial to their overall cybersecurity.
Review the following and confirm they’re adequate:
- Confidentiality Agreements
- Security Training
- Access Management Policies

Incident Detection & Response
An incident is anything that affects the confidentiality, integrity or availability of information or an information system. A vendor should have a plan to address an incident quickly and effectively when (not if) one happens.
Understand how a vendor handles incident detection and response by:
- Including incident notification clauses within your contract
- Reviewing the incident management plan to ensure it’s comprehensive
- Verifying the vendor has cybersecurity insurance coverage

Poll Question
How many of your third-party contracts require incident notification parameters?
a. All
b. Some
c. Only critical or high-risk vendors
d. None
e. Not sure

Your Vendor Has Been Breached. What’s Next? (IT’S NOT IF, IT’S WHEN)
- Ensure data breach notification requirements are documented in your contract language
- Set expectations with your vendors
- Define the impact of the breach
- Be transparent
- Adopt a customer notification process
In-house:
- Assess your own overall information security processes
- Implement more robust user authentication procedures
- Restore customer faith

Remember the following:
- Security Testing
- Sensitive Data Security
- Employee, Contractor & Vendor Management
- Incident Detection & Response (also Cybersecurity Insurance Coverage)

Thank You


SESSION 4: Ongoing: Vendor Business Continuity and Disaster Recovery
APRIL 20, 2022
PRESENTED BY Lisa Mae-Hill, Director, Information Security

Agenda: Ongoing: Vendor Business Continuity and Disaster Recovery
- An overview of business continuity management
- How business continuity, disaster recovery and pandemic planning come into play
- What procedures your vendor needs to have to handle a business-impacting event
- How to ensure that they’ve taken precautions and tested those plans

Within the Third-Party Risk Management Lifecycle

Business Continuity Management (BCM) Relevance
COVID-19 is still making an impact today. Here are some things to consider:
- Update your plans based on lessons learned from COVID-19
- Develop a BCM program and crisis management team that includes representatives from all business units from all geographic regions
- Conduct a business impact analysis (BIA) for the organization and update it regularly for changes to business and IT operations
- Assess the importance of third parties to the organization and develop recovery strategies for those deemed mission-critical
- Plan for multiple business disruptions occurring at the same time
- Leverage pandemic management as a catalyst for integrated business and crisis management operations

What Is Business Continuity, Disaster Recovery and Pandemic Planning
- Business continuity (BC) allows you to ensure that key operations, products and services continue to be delivered, either in full or at a predetermined, and accepted, level of availability.
- Disaster recovery (DR) is a subset of business continuity and outlines the process and procedures to follow from the immediate onset of an incident up to and including the resumption of normal operations.
- Pandemic planning is another subset of business continuity and is preparing for a pandemic event by planning, exercising, revising and translating actions as part of a response. A pandemic plan is an active document which lists the strategies, procedures and preventative measures, as well as any corresponding implementation guidelines, an organization will take should a global health crisis occur.
You do all this for your own organization, but you should also be aware of what your vendor does.

Real-life Scenarios Will Happen. It’s Just a Matter of Time
- A flood destroys checks and paper products in the vendor’s storage facility
- An electrical fire destroys the vendor’s server room
- An online banking provider experiences a cyberattack
- A pandemic causes the vendor’s employees to work from home

Poll Question
Do you ask where your vendor’s BCM program reports to in their organization?
a. Yes
b. No
c. Not sure
d. Not applicable

Reviewing a Vendor’s BC/DR/Pandemic
So, WHO should be reviewing a vendor’s BC/DR/Pandemic?
Someone that understands the business requirements for the availability of that vendor and the impacts of that vendor not being available.

Reviewing a Vendor’s BC/DR/Pandemic: The BIA, RTO, RPO and MTD
- Business Impact Analysis (BIA): Be aware of possible downtimes and what could affect your operations or reputation. Plan accordingly with your own BC/DR plans and ensure your organization can still operate effectively while they’re unavailable.
- Recovery Time Objective (RTO): The amount of time it’s expected to take to recover back to normal operations, or to a pre-defined, acceptable state.
- Recovery Point Objective (RPO): The point in time, before a disruption, to which data can be recovered (given the most recent backup copy of the data) after an outage.
- Maximum Tolerable Downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a business process disruption; includes all impact considerations.
Remember: for RTO and MTD, verify that the vendor’s timelines meet your timelines and expectations.

Reviewing a Vendor’s BC/DR/Pandemic: Recovery Time Objective
Example scenario:
An organization has service level agreements (SLAs) that require 99.9% uptime each month. In this case, with no other issues during the month, the maximum amount of downtime before the SLA is triggered each month is just under 44 minutes. If the organization has high SLA requirements for credits and the ability for clients to void their contract, the organization will likely opt for an RTO of under 45 minutes. If the penalties are not as harsh, such as if the vendor is not critical, often the RTO will be much higher.

Reviewing a Vendor’s BC/DR/Pandemic: Recovery Point Objective
Example scenario:
An organization stores loan closing documents. If they were to experience a data loss incident, all data since the last backup or replication occurrence would be lost. If data were backed up nightly, as is typical for many organizations, they could lose up to 24 hours of data, so their best-case RPO would be 24 hours. If instead the organization had replication in place, where files were immediately transferred to another location, the RPO could be much lower, potentially just seconds. Having replication in place is much more expensive than nightly backups, so it’s a trade-off which must be evaluated by the organization and their clients.

Reviewing a Vendor’s BC/DR/Pandemic: Maximum Tolerable Downtime
Example scenario:
Using the RTO scenario, if the service in scope of the SLA is down for an extended period, SLA penalties could build to a point where it is no longer financially feasible to recover and continue business operations, so the organization may decide to file for bankruptcy and not recover.
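As an added worked example (not from the webinar deck), the following Python turns the RTO, RPO and MTD scenarios above into two reusable checks: the downtime budget an uptime SLA leaves in a month, and a comparison of a vendor’s stated objectives against your own organization’s requirements. The function names, the data class and the sample vendor figures are constructed for this example.

```python
"""Recovery-objective checks for reviewing a vendor's BC/DR plan.

Added example, not from the original webinar deck. It turns the RTO, RPO and
MTD scenarios into two reusable checks:
  1. the downtime budget an uptime SLA leaves in a month, and
  2. whether a vendor's stated RTO, RPO and MTD meet the requirements your
     own organization and customers expect.
All vendor and requirement figures below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


def sla_downtime_budget_minutes(uptime_pct: float, days_in_month: int = 30) -> float:
    """Minutes of downtime allowed in a month before an uptime SLA is breached.

    A 99.9% SLA over a 30-day month allows 43.2 minutes, which is the
    'just under 44 minutes' figure used in the RTO scenario; a 31-day month
    allows 44.64 minutes, so a 45-minute RTO would already breach it.
    """
    if not 0 < uptime_pct <= 100:
        raise ValueError("uptime_pct must be in (0, 100]")
    return days_in_month * MINUTES_PER_DAY * (1 - uptime_pct / 100)


@dataclass(frozen=True)
class RecoveryObjectives:
    """Recovery targets, all in minutes, as defined on the BIA slide."""
    rto_minutes: float  # time to get back to normal (or an agreed degraded) state
    rpo_minutes: float  # age of the newest recoverable data copy, i.e. the data-loss window
    mtd_minutes: float  # longest outage the business process can tolerate at all


def check_vendor_objectives(vendor: RecoveryObjectives,
                            required: RecoveryObjectives) -> list[str]:
    """Return findings where the vendor's objectives are looser than yours.

    An empty list means the vendor's timelines meet or beat your own, which
    is the check the slide summarises as verifying that the vendor's RTO
    and MTD meet your timelines and expectations.
    """
    findings: list[str] = []
    # Internal consistency: a plan that recovers only after the tolerable
    # downtime has passed is not a recovery plan for that process.
    if vendor.rto_minutes > vendor.mtd_minutes:
        findings.append("vendor RTO exceeds vendor MTD: plan is internally inconsistent")
    if vendor.rto_minutes > required.rto_minutes:
        findings.append(f"RTO {vendor.rto_minutes:g} min exceeds required "
                        f"{required.rto_minutes:g} min")
    if vendor.rpo_minutes > required.rpo_minutes:
        findings.append(f"RPO {vendor.rpo_minutes:g} min exceeds required "
                        f"{required.rpo_minutes:g} min (more data loss than accepted)")
    # A vendor willing to absorb longer outages than you can is planning
    # for disruptions your business cannot survive.
    if vendor.mtd_minutes > required.mtd_minutes:
        findings.append(f"MTD {vendor.mtd_minutes:g} min exceeds required "
                        f"{required.mtd_minutes:g} min")
    return findings


if __name__ == "__main__":
    # Constructed sample: the deck's 99.9% SLA versus a vendor doing nightly
    # backups (24-hour RPO) with a four-hour RTO.
    budget = sla_downtime_budget_minutes(99.9, days_in_month=30)
    print(f"99.9% SLA, 30-day month: {budget:.1f} minutes of downtime allowed")
    required = RecoveryObjectives(rto_minutes=45, rpo_minutes=60, mtd_minutes=4 * 60)
    vendor = RecoveryObjectives(rto_minutes=4 * 60, rpo_minutes=24 * 60, mtd_minutes=8 * 60)
    for finding in check_vendor_objectives(vendor, required) or ["no findings"]:
        print(finding)
```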

Reviewing a Vendor’s BC/DR/Pandemic: Determining Resiliency
Determine your vendor’s resiliency by asking for the following:
- Evidence of physical resilience
- SOC Type II reports and independent audits to determine cyber resilience
- Data backup and replication strategies being used
- A pandemic plan covering the loss of personnel
- Your vendor’s change management policy and program
- Event management plans
- Facilities and infrastructure
- Data center recovery alternatives
- Branch relocation
- Electrical power redundancy
- Telecommunications redundancy plans

Reviewing a Vendor’s BC/DR/Pandemic: Assessing the BC Plan
Review these key areas of those plans to provide assurance that your vendor is prepared for a disruption:
- Testing procedures
- Copies of the plan are held off-site in secure locations and are available
- Plan is reviewed, tested and updated regularly
- Results of any recent tests and, if a test didn’t go well, the vendor’s remediation plans
- Senior management and board approval
- SLAs and contractual obligations
- Failover and backup locations
- Personnel loss and planning
- Relocation plans
- Remote access availability
- Facility loss contingencies
- Pandemic contingencies
- Breach/disruption notification procedures
Your vendor’s business continuity plans and their preparedness should meet or exceed your own plans.

Reviewing a Vendor’s BC/DR/Pandemic: Assessing the DR Plan
Look at these key areas when reviewing the vendor’s disaster recovery plans:
- Dedicated team and individuals
- Testing, results of recent tests and updates
- Notification process
- Pandemic plan
- Backup procedures
- Personnel recovery to normal operations
- Business impact analysis
- Senior management/board approval and involvement

Reviewing a Vendor’s BC/DR/Pandemic: Assessing the Pandemic Plan
Look at these key areas when reviewing the vendor’s pandemic plans:
- Preventative programs: communicate with critical vendors, monitor outbreaks, educate employees; consistent with the CDC
- Document strategies: framework of facilities, systems and procedures; how to sustain operations
- Test programs: confirm the plan is effective
- Oversight programs: reviews and updates

Ongoing Monitoring of a Vendor’s BCM
- Review the vendor’s RTO and RPO against your organization’s and your customers’ expected and contracted requirements
- Re-assess the BC, DR and pandemic plans at least annually
- Refer to and stay updated on regulatory guidance
- Communicate your plans and expectations to your vendors and ensure your vendors are testing their plans frequently
- Test your plan and your vendor’s plan frequently

Ensure Vendors Exercise and Test
- Full-Scale Exercise: transfer of the live production environment to another data center
- Limited-Scale Exercise: mirroring the production environment to another data center and testing functionality, but not transferring traffic
- Tabletop Exercises: walk through the steps to recover from an impacting event with key personnel, without testing systems
- Tests: industry exercises and resilience; third-party service provider testing; post-exercise and post-test actions

Poll Question
Do you review your critical third parties’ business continuity, disaster recovery and pandemic plans on a regular, recurring basis?
a. Yes
b. No
c. Not sure
d. Not applicable

Best Practices to Take Away
- Continuously request your high-risk and critical vendors’ plans and be thorough in your assessment
- Ensure plans include contingencies for mass absenteeism following disease control guidelines
- Prioritize reviewing your BIA
- Confirm that you have a redundancy plan
- Communicate with your vendors: have clear guidelines on what must be done throughout the relationship and notification requirements (and be sure pandemic plans are being considered)
- Stay on top of SLAs
- Watch for signs of a stressed vendor
- Refer to regulatory guidance
- Check that relocation plans are clear; review your critical vendors’ remote operations
- Record anticipated results, assess any vulnerabilities and thoroughly document

SESSION 4: Ongoing: Financial Health
APRIL 20, 2022
PRESENTED BY Ramin Zacharia, Chief Financial Officer

Agenda: Ongoing: Financial Health
- Vendor’s financial health
- What you need to look at on an ongoing basis
- Making sure your vendor has strong financial health, and what to do if they don’t

Within the Third-Party Risk Management Lifecycle

The Domino Effect of Declining Financial Performance Is Crippling:
Declining income means cost cuts.
Cost cuts mean cutting staff.
Cutting staff means declining service levels:
- Declining service levels
- Declining response time
- Declining maintenance of security and systems
Which means findings on SOC reports and the sunset of products.

To Avoid the Domino Effect, Where Should You Start Today?
- It is important to prioritize conducting financial reviews for key vendors (i.e., critical vendors as defined by your TPRM program)
- Define a regular cadence (at a minimum annually, but it can be as frequent as quarterly or monthly) of collecting financial documentation and performing reviews
- Create questionnaires/due diligence request lists to compile the necessary financial documentation
- If desired, craft a methodology on how to conduct financial reviews, defining the key information needed (i.e., audited financial statements) and a risk rating scale
- Involve different parts of your organization where needed
Do not wait for regulatory guidance or for the “perfect” time to start your financial reviews; it’s better to be proactive and start with small steps to properly identify and address financial red flags.

Taking a Holistic Approach Across the Organization for Vendor Financial Health Reviews
- Management: define the risk appetite for the organization and the overall rating scale to align with the desired management view
- Subject Matter Experts: certified public accountants (CPAs) or financial risk analysts that lead the execution/conduct the assessments
- Accounting: review the CPA/risk analysts’ work to ensure it is accurate, thorough and aligns with the info provided
- Operations: works to define contractual obligations related to financial performance or documents
- Vendor Management: works with the vendor to collect documentation and diligence items and follows up as needed
- Risk Management / Compliance: reviews the risks identified and assesses the impact on the overall TPRM program & organization

Importance of Centralizing and Documenting YourFinancial Health Proce
