Protecting your organization from cybersecurity threats is essential in today's business environment. One of your key areas of vulnerability comes from third-party service providers.

Many organizations use third-party service providers to perform information technology (IT) functions, including data hosting and network monitoring. By its nature, these third-party relationships have a degree of risk involved because most services require external access to your organization. The third-party provider may need to be able to get onto your organization's network or have access to your servers in order to perform its function. These additional access points may increase the likelihood of external intrusion into your network.

Internal controls help organizations manage the cybersecurity risks involved with third-party arrangements. The following questions may help outline where improvements could be made to your third-party provider control environment.

Do You Have a Good Understanding of What the Third-Party Provider Has Access To?

Critical to managing third-party relationships is understanding the role third-party providers play in your organization. An inventory list that includes what third-party providers do, what types of systems and data they need and have access to in order to perform their services and who manages their access permissions will help with your risk management. Organizing external access points helps ensure preventative controls exist to cover these risks.

Different types of data will require different types of internal controls. For example, if a provider is housing confidential data or personally identifiable information (PII), the provider will require a more stringent level of internal controls. PII would likely trigger notification to the affected parties should the data be compromised, so organizations will want to ensure that adequate protection is in place prior to prevent such an event from occurring as well as ensuring that the third party providers and the company understands the data breach notification laws for their state.

Are There Usage or Time Restrictions for Third-Party Providers?

Your assessment should identify the level of access that third parties and cloud providers have to your organization as well as the time periods whereby access is granted. Typically, no external third party vendors should have 24/7 access to your system, even in the event that your entire IT function is outsourced. Time restrictions such as only between 8 a.m. to 5 p.m. may be a good solution for those situations. If the third party firm is monitoring your network for intrusions, then it would be wise to work with them whereby they only have access to monitoring (not changing) firewall configurations and restricting access to data, other than monitoring the network traffic.

Another feature to consider is segmentation. Internal or external users should only have access to the information and systems that they need in order to perform their duties. Review permissions at least semi-annually or quarterly to ensure that permissions still align with the services the third party provider and their users provide to your organization's data and systems.

All users should also have unique login credentials, even if they're working for the same third-party providers. Unique log-ins help the members of your organization who monitor permissions keep track of who has access, what each user did, and isolate any comprised incidents to a unique ID.

Do Agreements with Third Parties Cover Relevant Security Requirements?

Third-party arrangements, particularly with service providers that will be working with valuable data, should include specific security requirements that the service provider will be required to undertake. It would be wise to review the contracts with your third-party providers to see what security elements they are contractually obligated to provide to your organization. Risk management strategies between your organization and its third-party providers should be aligned so that both parties are kept aware of new security regulations/requirements, how to report any suspicious activity and how those activities are to be resolved.

One of the ways organizations can obtain an understanding of their service providers' control environment is through a Service Organization Control (SOC) Report. Your audit team may request a SOC 1 report, which details the control environment as it relates to the services provided by the third-party service provider and how those services could impact your financial statements. For instance, if your organization outsources its payroll to a third-party provider, then the services provided by the payroll provider could impact your financial statements as it relates to reporting salary expense, benefits etc. if those are reported to you in error by the third party.

A different type of audit report that can be obtained from a third party is the SOC 2 report, which provides an audit around security, availability, confidentiality, processing integrity and/or privacy controls provided by the third party service provider. A SOC 2 report is more relevant from a hosted data center as your organization is relying on the security and availability of the hosted data center that houses your data.

Findings from SOC reports should be reviewed at least annually so your organization understands its service provider's control environment. It should also review the end user control considerations, which are the controls that your firm needs to have in place as well as the controls at the third-party provider to ensure a complete control environment.

Stay Vigilant

Remember to review contracts with your third party providers, review the SOC 1 and/or SOC 2 reports at least annually and restrict access permissions for your third party providers. For more information about developing effective controls around outsourced service providers or to learn more about SOC 1 or SOC 2 reports, please contact us.


Seven Ways to Strengthen Your Cybersecurity

  1. Monitor the Human Element
  2. Secure the Small Things
  3. What We Can Learn from Other Incidents
  4. Know Your State Notification Laws
  5. Questions to Ask About Third-Party Providers
  6. Logical Security
  7. What Management Should Know About the IT Environment
Published on January 17, 2017