You have legal obligations to secure customer and enterprise data, and those obligations extend to the suppliers that handle it. What assurances do you have that they are secure?
Businesses entrust their data to an ever-expanding number of suppliers, including technology and Software as a Service (SaaS) providers. The days when most companies strongly favored self-hosted solutions are gone, with the average company SaaS portfolio at 342 applications in 2023, according to Productiv. SaaS providers often handle the most critical and sensitive data: CRM records, HR files, accounting/ledgers, source code, product plans, go-to-market strategies and more.
Companies strive to control their own security, but cannot directly control the security practices of their suppliers, creating significant risk as their data is hosted by a third party while cyberattacks and data breaches proliferate. Each company and CISO has an obligation to take steps to ensure their SaaS providers are trustworthy and implement SCRM (Supply Chain Risk Management) practices. But how can they efficiently and effectively assess whether they can trust a supplier? This is where standards and third-party audits become important.
Trust but Verify
Companies performing third-party security assessments frequently use standard or customized versions of questionnaires like the SIG or SIG Lite, or review a cloud vendor’s CAIQ. They may ask the vendor to respond in an online portal like Archer, ProcessUnity, ServiceNow, Whistic, etc. (there are too many competitors to name them all here) or they can use a custom spreadsheet or document. Questionnaires can provide valuable details and you can tailor exactly what you want to ask. However, there’s no verification of the information suppliers provide in their responses.
A third-party audit offers a reasonable approach to verification. It is simply not scalable for a SaaS vendor to complete an individual security audit process, with evidence gathering, for every customer. And it’s not really scalable for most companies to perform their own audit on each SaaS vendor. The SOC 2 enables a trusted third-party auditor to perform a standard review of the target SaaS vendor’s security practices and issue a report with their audit findings.
The SOC 2 security report adds a layer of independent validation to the third-party security assessment process.
What’s in a SOC 2 Audit & Report?
As you may know, SOC 2 reports can cover more than security. The trust services criteria (TSC) available for audit are Security, Privacy, Confidentiality, Availability and Processing Integrity. But any SOC 2 audit must include the Security criteria because it is foundational to providing any of the others. (See this article from the Cloud Security Alliance for additional information on the content of each TSC.)
A SOC 2 audit reviews the security controls in place at the subject company for the scope of the audit. Typically the scope is one SaaS service (e.g. NowSecure Platform) or a set of related services in one platform. For a SOC 2 Type 1 audit, the auditor reviews the design of the controls and whether that design is appropriate and sufficient to meet reasonable security standards. In a SOC 2 Type 2 audit, the auditor goes further to include the operation of the security controls over a defined period, usually one year. A SOC 2 Type 2 is therefore more comprehensive because the auditor reviews evidence of the security procedures actually being followed.
In a SOC 2 report, the auditor issues an opinion, found near the beginning of the report, summarizing what they found. For a SOC 2 Type 2, the opinion will generally state that the controls were suitably designed to provide reasonable assurance that the company would meet its service commitments, and that the controls operated effectively during the control period. It’s good to know the conclusion the auditor reached, but the opinion is not as useful as the detailed sections that follow.
A SOC 2 audit report includes a system description provided by the company under audit, in which it gives useful detailed information about how its system is designed and secured. You will normally find information here about where the system is hosted and the technologies used to build and run it. This description also should address some important aspects of organizational structure and control. This is all written by the company; just like a survey response, this part is their self-attestation to you.
After the system description you will find a section with the auditor's review of the company's security controls, presented as a matrix (table) of control activities, auditor tests, and findings. These details help anyone looking to evaluate the specific controls and how they were tested. For each control, the auditor's results state either that it operated effectively without exceptions or that exceptions were found. Ultimately an auditor will not issue a report with a positive (aka "unqualified") opinion if significant exceptions are found during the audit.
All of this information is available in the SOC 2 report to help a customer understand the specific security representations made by the SaaS vendor, and what the independent auditor found when they checked evidence of the security program.
Security Providers & SOC 2 Assurance
Security service providers host and process data for customers, like other SaaS providers, and are reviewed by their customers as part of their SCRM procedures. NowSecure provides a security compliance portal with our SOC 2 Type 2 Report, Platform Security Overview and other assurance materials for download. Our goal is to enable prospects and customers to complete their security reviews efficiently and onboard NowSecure as a trusted supplier.
We completed our first SOC 2 Type 2 audit in 2020. This year’s audit process has resulted in our fifth annual SOC 2 Type 2 report without any deficiencies. We’re proud of our track record of providing this assurance to our customers.
Security providers are not all equal in the level of assurance, transparency and independent verification they provide. NowSecure is the only enterprise-grade mobile application security testing (MAST) provider with a SOC 2 audited cloud platform. For enterprise security customers, we believe this is an important distinction when considering who you can trust with your business. (We also have the best OWASP MASVS standards-based testing, but that’s a separate topic.)
Independent Audits Instill Trust
The modern technology supply chain is a complicated web of trust, where every new supplier adds connections, dependencies and risk. It would be a gross overstatement to say SOC 2 reports alone solve the problem of SCRM and supplier security vetting. But at the same time, every day companies have to onboard new suppliers, SaaS vendors have to onboard new customers, and everyone needs ways to build trust on reasonably sound footings. The SOC 2 audit report is one way NowSecure strives to build that trust.