OUR THOUGHTS ON:

Should Companies Providing Managed Technology Services Require a SOC (Service Organization Control) Report?

SSAE 16/SOC

By Frank Dezort

If we consider that the majority of services or IT processes that are outsourced to a managed services vendor would include key security responsibilities and controls, then the outsourcing organization would need to factor these key components into their assessment of the potential risk embodied in the outsourced relationship.  The results of the risk assessment in the majority of outsourced situations are going to indicate that the potential risks are at a level that would require the outsourcing organization to evaluate and gain an understanding of the operating effectiveness of the security and controls associated with the third party providing the managed services.  To obtain an understanding of the operating effectiveness of controls performed by third parties, an organization would have to perform an audit of the third party organization or obtain a SOC report.  The information presented below will provide a further understanding of the services provided by managed service vendors, the data being utilized, the risk to the user organization and the expected level of security that is required to minimize the identified risk that will further demonstrate why obtaining a SOC report for an existing managed service provided or requiring that a potential managed service provider being considered is so critical.

Services

The technology services provided by managed service companies vary greatly.  Some of the most common services are security and intrusion detection monitoring of devices exposed to the Internet (firewalls, web servers, and network devices), monitoring of critical databases, network infrastructure connectivity to other locations and carrier issues, network traffic performance and health, patch management, monitoring for anti-virus, service/process monitoring, server event log and uptime, critical application to hardware layer monitoring, email spam and virus scanning and help desk support.  Due to the willingness and cost effectiveness of outsourcing technical information processes, the list of manage services continues to grow.  The more complex the service and the more technical services outsourced to a third party, the more dependency an organization has on the third party and their security and controls.

Risk and Data

In the majority of situations, the managed service provided by the third party is going to require two very high risk components.  The first is going to be remote access will need to be provided to the third party.  This pokes a hole in your organization’s security and increases the potential risk that damage could be caused to your technology environment via the third party.  This can be the result of a rough employee at the third party or in the highly publicized Target case, it could be the situation that the third party employee is unknowingly compromised which leads directly to the compromise of your environment.  In either situation the risk of potential compromise is significantly increased by the outsourced vendor.  The second component is typically privileged access will need to be granted to the third party for them to perform their contracted services.  Elevated privilege along with remote connectivity to your network adds significant risk to your organization.  Evaluating the security and controls implemented by the third party and their effectiveness would be critical component of the management of the risk to the organization.

Services that involve monitoring of applications and databases will expose an organizations most confidential and sensitive information to the third party providing the service.  The data can span from name and address to social security numbers, bank account numbers, passwords, financial data or payroll information or credit card numbers.  Some of this data is highly sensitive and could be used to commit identity theft resulting in material impact to individuals which could be considered a required reportable event under most state information breach laws and result in substantial cost to the user organization.

Should an organization providing managed technology services have a SOC report?  Clearly there is considerable risk associated with many of the services provided by these third party organizations that would warrant a SOC report.  While A SOC report is not a requirement of the industry the report would demonstrate to the user organizations that the level of security providing protection of data and merchandise is a major objective and is taken serious by the senior management of the organization.  A SOC report would also provide a distinct competitive and marketing advantage to the managed services company providing an authoritative and respected method to communicate and demonstrate to the market place that protection of client information is as valuable as the quality of the service that they provide.

© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

comments