Subservice Organization Management—IT Controls for Peace of Mind

Author: Alina Archibald, CISA, CITP, CPA and Josh Ditto, CC, CISSP
Date Published: 16 August 2023

When an enterprise selects a subservice organization, it needs to understand how that organization’s operations can or will affect the enterprise, and how the organization processes, stores and maintains any sensitive information shared with it. A subservice organization is a vendor whose controls and operational health affect the client organization’s operations. All subservice organizations are vendors; however, not all vendors are subservice organizations. An understanding of this relationship is typically gained through an assessment, specifically a third-party risk analysis.

This article addresses the minimum controls an enterprise and its subservice organizations should consider implementing; these can then be customized to suit specific operational needs.

SOC 2 Reports

An enterprise that has determined which vendors qualify as subservice organizations, i.e., those so vital to its operations that their security, or lack thereof, could negatively affect its operations, reputation or revenue, might seek peace of mind by requesting a system and organization controls (SOC) 2 report.

The American Institute of Certified Public Accountants (AICPA) defines an SOC 2 report as “a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.”1

Many organizations simply receive the SOC 2 report and file it away, never reading it or diving deeper. They may assume that if a subservice organization has an SOC 2 report, all is well. But this is not always the case: an SOC 2 report is an auditor’s attestation on the controls the subservice organization chose to describe and scope, not a certification that every control the enterprise cares about is in place.

Proper subservice organization management is important for an enterprise’s operations to be successful. What happens if an enterprise shares confidential data with a subservice organization whose information systems are compromised? Further, what if certain enterprise operations depend on a subservice organization to be functional at all times, and any lack of availability or reliability may be costly to the client enterprise? Enterprises should fully review subservice organization SOC 2 reports rather than simply file them away.

SOC 2 reports come in all shapes and sizes; rarely are any two the same. Enterprises should understand the controls they want subservice organizations to implement or, better yet, establish a benchmark for evaluation and comparison. When a report is available, the enterprise should analyze it against that benchmark and ask questions about any desired controls that are not presented or accounted for in the report; if the report does not reflect all of those controls, the enterprise should send an information request to the subservice organization asking for assurances and evidence of compliance. When reading the report, pay particular attention to its scope (which Trust Services Criteria and which systems are covered), whether it is a Type 1 (control design at a point in time) or a Type 2 (operating effectiveness over a period), any exceptions the auditor noted, the complementary user entity controls the report expects the client to operate, and any of the subservice organization’s own vendors that are carved out of the report.

Of note, SOC 2 reports can be costly. If a subservice organization does not have the budget to obtain an SOC 2, that is not reason enough for an enterprise to end its relationship with the subservice organization. Instead, the enterprise and the subservice organization should establish a list of minimally accepted controls that both organizations can uphold. An enterprise is only as strong as its weakest subservice organization. The level of subservice organization controls—or the lack thereof—can affect the overall strength of the client enterprise’s operations.

Benchmark of Minimum Controls

Risk assessment and mitigation are paramount controls for any organization. The US National Institute of Standards and Technology (NIST) defines risk assessment as:

[T]he process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.2

There are several types of risk, such as operational, reputational, financial and information security risk. Every enterprise should either develop and maintain a risk assessment framework that works for its purposes or work from an existing framework such as the NIST Risk Management Framework,3 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27001 Information Security Management Systems4 or the Center for Internet Security (CIS) Risk Assessment Method.5 The assessment should be repeated at regular intervals and whenever an event changes the enterprise’s risk.

Regardless of the selected or developed risk assessment framework, there is a list of controls that should be considered essential to the success of any enterprise and subservice organization relationship. The subservice organization is an extension of the enterprise and, thus, so are its controls. Without control alignment between the enterprise and its subservice organization, the controls implemented at the enterprise level are only as effective as the weakest corresponding control implemented at the subservice organization. The relevance of the recommended controls is derived from the risk assessment, risk appetite and risk mitigation process.

Physical Security
Physical security typically references building security mechanisms such as locks, alarm systems, cameras and key cards. A control may be as simple as having an office safe for confidential information such as paperwork, storage media and mobile devices. Even something as seemingly trivial as a locking desk drawer counts as a physical security control. Other basic requirements might include keeping a visitor log in the reception area and having a policy to escort all visitors through secure areas of a building.

Logical Security
Logical security controls typically include firewalls, network segmentation, virtual private network (VPN) connections, multifactor authentication (MFA), data loss prevention (DLP) and software/hardware encryption. Logical security is a critical part of any system security plan.

Access Control
Access control is more complex than other controls, as most information systems are affected by access controls in one way or another. There are two categories of access controls: access to tangible property and access to intangible property. For example, if there is a safe in an executive’s office, who should have access to it? The executive? An assistant? All of the executive’s colleagues? If there is a server room, should all employees be granted access?

With respect to enterprise data, does everybody need access to all of the enterprise and client data to perform their duties? For example, do maintenance personnel need access to client data? Does a manager of one department need access to the data managed in other departments? That is where the principle of least privilege (PoLP), the need-to-know principle and role-based access control (RBAC) come into play. Although it is often left out of the process or so generalized as to be meaningless, data labeling is also a big part of the access control determination process.

Additional access control procedures to consider are new employee access, termination of access, and how change in access is approved by management. Access should be monitored at all times and reviewed periodically. It is a common weakness of modern organizations to lack an access control policy or, even when present, fail to implement and maintain it.

When assessing subservice organizations, enterprises should ask what their access control policies consist of in both general and specific terms. In many cases, enterprises are sharing sensitive data with subservice organizations, and it is immensely important to have assurances about their data-handling procedures. A data retention policy derived from the importance and confidentiality of data shared with subservice organizations should be part of a client enterprise’s review and request checklist.
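The access control questions above (least privilege, role-based access, data labels, and joiner/mover/leaver handling) are easier to evaluate when you can see what a minimal implementation looks like. The following is an added example written for this page, not code from the article or its authors. It combines a role-based permission check with a clearance-versus-label check, fails closed for disabled accounts, and runs a periodic access review against an HR roster. The roles, labelling scheme, accounts and roster are constructed sample data, and the review period of 90 days is an assumption.

```python
"""RBAC with data labels and a joiner/mover/leaver access review.

Added illustration, not code from the article or its authors. It combines
three controls the text names: role-based permissions (RBAC), a clearance
check against the data label of the object (need to know / least privilege),
and a periodic review that flags accounts whose access no longer matches the
HR roster. Roles, labels, accounts and the roster are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed labelling scheme, ordered from least to most sensitive.
LABELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role -> (object type, action) pairs the role may perform (constructed).
ROLE_PERMISSIONS = {
    "billing_clerk":   {("invoice", "read"), ("invoice", "write")},
    "billing_manager": {("invoice", "read"), ("invoice", "write"), ("invoice", "approve")},
    "facilities":      {("badge_log", "read")},
    "dba":             {("client_db", "read"), ("client_db", "admin")},
}

# Highest data label each role is cleared to handle (constructed).
ROLE_CLEARANCE = {
    "billing_clerk": "confidential",
    "billing_manager": "confidential",
    "facilities": "internal",
    "dba": "restricted",
}


@dataclass
class Account:
    user: str
    roles: set[str] = field(default_factory=set)
    enabled: bool = True               # state in the identity system
    last_reviewed: date | None = None  # date a manager last re-approved the access


@dataclass
class Obj:
    kind: str
    label: str


def can_access(acct: Account, obj: Obj, action: str) -> bool:
    """Grant only if some role permits the action AND is cleared for the label.

    A disabled account is denied everything, whatever roles it still carries,
    so a missed de-provisioning step fails closed.
    """
    if not acct.enabled:
        return False
    for role in acct.roles:
        permitted = (obj.kind, action) in ROLE_PERMISSIONS.get(role, set())
        cleared = LABELS[ROLE_CLEARANCE.get(role, "public")] >= LABELS[obj.label]
        if permitted and cleared:
            return True
    return False


def access_review(accounts: list[Account], hr_roster: dict, today: date,
                  review_period_days: int = 90) -> list[tuple[str, str]]:
    """Compare identity-system state with HR truth; return (user, finding) pairs.

    hr_roster maps user -> {"employed": bool, "job_role": str}.
    """
    findings = []
    for acct in accounts:
        hr = hr_roster.get(acct.user)
        if hr is None or not hr["employed"]:
            if acct.enabled or acct.roles:
                findings.append((acct.user, "leaver: account still enabled or holds roles"))
            continue
        extra = acct.roles - {hr["job_role"]}
        if extra:
            findings.append((acct.user, f"mover: roles beyond current job: {sorted(extra)}"))
        if acct.last_reviewed is None or (today - acct.last_reviewed).days > review_period_days:
            findings.append((acct.user, "access not re-approved within the review period"))
    return findings


# Constructed sample state: one clean account, one mover, one leaver.
SAMPLE_ACCOUNTS = [
    Account("ana", {"billing_clerk"}, last_reviewed=date(2023, 7, 1)),
    Account("bo", {"billing_clerk", "dba"}, last_reviewed=date(2023, 1, 15)),
    Account("cy", {"facilities"}, enabled=True, last_reviewed=date(2023, 7, 1)),
]
SAMPLE_ROSTER = {
    "ana": {"employed": True, "job_role": "billing_clerk"},
    "bo": {"employed": True, "job_role": "billing_clerk"},
    "cy": {"employed": False, "job_role": "facilities"},   # left the company
}


def run_sample_review(today: date = date(2023, 8, 16)) -> list[tuple[str, str]]:
    return access_review(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, today)


if __name__ == "__main__":
    for user, finding in run_sample_review():
        print(f"{user}: {finding}")
```

Running the sample review reports bo twice (a role left over from a previous job and a stale approval) and cy once (a leaver whose account was never disabled), while ana is clean. The point of the `can_access` check is that a role permission alone is not enough: the facilities role can read badge logs, but not a badge log labelled confidential, because its clearance stops at internal. When asking a subservice organization about its access control, these are the three things to ask for evidence of: a role model, a labelling scheme the role model actually references, and a review that reconciles accounts against HR.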

Bring Your Own Device
A bring-your-own-device (BYOD) policy is another commonly missing control. Are subservice organization employees allowed to bring their personal devices to work? Can they connect unauthorized devices to the subservice organization’s network? It is hard to think of everything, but having a policy in place makes it easier. Policies can grow and change with time as an enterprise grows. This is an important consideration when an enterprise requests controls from a subservice organization as well.

Change Management
A change management policy is essential to an enterprise’s operations. It is important to implement both operational and information security change management policies for all changes (big and small) to systems and operations. Having a proper process in place not only reduces the likelihood of downtime but also protects the accuracy and integrity of software and operational procedures.

Questions enterprises should consider asking subservice organizations might include, “Do decision makers review any operational changes prior to implementation?” or “Who is responsible for reviewing and approving operational changes that might affect information security or access?”

Penetration Testing
Penetration testing (pen testing) is quite expensive, and not every enterprise manages to include this service in the budget. However, if at all possible, it is advisable to conduct annual or semiannual pen testing to add insight and build trust in relationships with subservice organizations. In short, it never hurts to ask, “Has your organization participated in any pen testing exercises in the last 12 months? If not, is this testing planned within the next 12 months?” Where a test has been done, also ask for its scope and for the remediation status of the findings; a test whose findings were never fixed offers little assurance.

Network Assessments and Vulnerability Scanning
Network assessments and vulnerability scanning are more affordable than pen testing and typically bring a great deal of insight into a subservice organization’s infrastructure, policies and procedures. In the absence of an SOC 2 report and pen testing, a network assessment paired with a vulnerability scan can bridge the gap and shed light on the implemented controls of a subservice organization, or the lack thereof. Enterprises can ask prospective subservice organizations to share their latest network assessment and vulnerability scan results, together with how quickly findings are remediated, for added peace of mind.

Workforce-Related Controls
The biggest vulnerability for enterprises is often their workforce.6 Many security issues within an enterprise are PICNIC (problem in chair, not in computer) problems. That said, there are many policies, procedures and controls that can raise awareness and secure the workforce; these are considered best practices for workforce management.

Hiring Policy
A hiring policy is essential, and any subservice organization should perform background checks, collect references and perform due diligence on prospective employees when recruiting personnel. New hires, by policy, should be limited to individuals who embrace the enterprise’s fundamental ethical values.

In short, it is not necessary for a client enterprise to obtain a full list of resumes and background checks from all of its subservice organizations, but a single-paragraph explanation of the subservice organization’s hiring practices is helpful and should be an easy request to fulfill.

Acceptable Use Policy
An acceptable use policy (AUP) should be read and accepted by all employees before they are granted access to enterprise devices and data. This policy establishes the requirements for acceptable use of enterprise devices and information.

Subservice organizations should ensure that their employees review the AUP upon hiring and acknowledge it on a yearly basis thereafter. In addition, employees should review codes of conduct, employee handbooks and privacy policies prior to their first day of work and on an annual basis. Client enterprises should ask subservice organizations for a list of policies their employees are required to acknowledge and how often employees are required to review them.

Information Sharing Policy
An information sharing policy describes what, why, when and with whom information may be shared. It sets forth necessary approval levels and establishes approval processes for different data types. It is important to know whether a subservice organization shares any portion of a client’s data with other entities and, if so, how it manages information-sharing procedures.

Cyberawareness Training
Cyberawareness training, sometimes called click training, is another important aspect of operations. As everyone who reads the news knows, phishing,7 smishing8 and social engineering attacks9 are on the rise. Hackers and fraudsters find new ways to compromise organizations on a daily basis. It is important to educate employees about common outside threats and to train them in the proper methods to recognize and report malicious activity.

A simple question to ask subservice organizations might be, “Do your employees participate in occasional cyberawareness training?” Also, “Is data privacy training included in employees’ awareness training?” Awareness training can often be paired with instruction in ethics and competencies and other beneficial training exercises.

Audit Policy
Nonrepudiation is important, and that is where an audit policy comes to the rescue. What actions are logged? What is the log retention period? Where are logs stored? Are they stored separately from the log-generating systems, so that an attacker who compromises a system cannot quietly edit its history? Are clocks synchronized so that events from different systems can be correlated? These are all great questions to ask subservice organizations. Their answers are often indicative of their security controls (or lack thereof).
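The question “are logs stored separately from the log-generating systems?” matters because a log the generating system can rewrite proves nothing. The following added example, written for this page and not taken from the article or its authors, shows one concrete way a separate log store can make a trail tamper-evident: each record carries an HMAC over its content and the previous record’s HMAC, so editing, deleting or reordering an earlier record breaks every MAC after it, and an out-of-band copy of the latest MAC (the anchor) catches truncation of the tail. The key, the event records and the field names are constructed sample data; in practice the key would live only in the log store.

```python
"""Tamper-evident audit trail: HMAC-chained records with an off-system anchor.

Added illustration, not code from the article or its authors. Each record's
MAC covers the previous record's MAC, so editing, deleting or reordering any
earlier record breaks every MAC after it. The verifier is meant to run on the
separate log store that holds the key; the events and key are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "0" * 64  # MAC "before" the first record


def _canonical(event: dict) -> bytes:
    # Stable serialisation so the same event always MACs the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, key: bytes, event: dict) -> dict:
    """Append event to chain, binding it to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()
    # Copy the event so later edits to the caller's dict cannot alter the record.
    record = {"seq": len(chain), "event": dict(event), "mac": mac}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes, anchor: str | None = None):
    """Return (ok, index) where index is the first bad record, or None.

    anchor is the last MAC the separate log store recorded out of band; it
    catches the one edit chaining alone cannot see: truncating the tail.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, i  # record removed or reordered
        expected = hmac.new(key, prev.encode() + _canonical(rec["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(chain)  # internally consistent but shorter than anchored
    return True, None


# Constructed sample: a key (would come from the log store's KMS) and events.
KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_EVENTS = [
    {"ts": "2023-08-16T09:12:03Z", "actor": "jsmith", "action": "login",
     "src": "10.0.4.21", "result": "success"},
    {"ts": "2023-08-16T09:14:47Z", "actor": "jsmith", "action": "export",
     "object": "client_records.csv", "result": "success"},
    {"ts": "2023-08-16T09:15:10Z", "actor": "jsmith", "action": "delete",
     "object": "client_records.csv", "result": "success"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, KEY, ev)
    return chain


def tamper_demo() -> dict:
    """Show which edits the verifier catches; returns the verdicts by name."""
    clean = build_sample_chain()
    anchor = clean[-1]["mac"]

    edited = build_sample_chain()
    edited[1]["event"]["actor"] = "svc_backup"  # blame shifted to a service account

    deleted = build_sample_chain()
    del deleted[2]                               # hide the delete at the tail

    return {
        "clean": verify_chain(clean, KEY, anchor),
        "edited": verify_chain(edited, KEY, anchor),
        "truncated_no_anchor": verify_chain(deleted, KEY),
        "truncated_with_anchor": verify_chain(deleted, KEY, anchor),
    }


if __name__ == "__main__":
    for name, verdict in tamper_demo().items():
        print(f"{name}: ok={verdict[0]} first_bad={verdict[1]}")
```

Two caveats worth keeping in mind when a subservice organization describes a scheme like this. First, the truncated chain verifies cleanly without the anchor, which is exactly why the latest MAC (or a record count) must be held somewhere the generating system cannot write. Second, an HMAC is symmetric: whoever holds the key can forge a consistent chain, so this gives tamper evidence relative to the log store, not nonrepudiation against the log store itself. For the latter, records would need to be signed with a private key the generator does not control, or timestamped by a third party.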

Business Continuity and Disaster Recovery Plans
NIST defines a business continuity plan (BCP) as “the documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”10 A disaster recovery plan (DRP) is defined as a “written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.”11 Disaster recovery is a critical part of any business continuity plan, often expanding on and augmenting it. A simple question for an enterprise to ask a subservice organization might be, “How do you plan to continue your operations in the event of a disaster?”

Based on the enterprise operation’s dependency on the subservice organization’s availability, the subservice organization’s BCP and DRP are important to the enterprise as well. Therefore, the enterprise’s own BCP and DRP should consider the BCP and DRP of its vital subservice organizations when implementing policies and controls.

Backup Policy
Business continuity conversations typically revolve around a subservice organization’s data backups, often generalized as its backup policy. Enterprises often hear the words, “Yes, we have backups,” but it is rare that the words, “and they are tested every X number of days,” follow that statement. In fact, a surprisingly large number of organizations simply trust their backup processes without any verification.

Therefore, enterprises should ask their subservice organizations how often they test the viability of their backups. It is even more helpful if the subservice organization shares its recovery time objective (RTO), recovery point objective (RPO) and verification processes, and states whether at least one backup copy is kept offline or immutable so that it survives a compromise of the production environment. If a subservice organization is truly critical to an enterprise’s business operations, it is important for its RTO and RPO to align with the enterprise’s goals.
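“Yes, we have backups” becomes checkable once the subservice organization hands over evidence: a backup manifest with stored digests and its restore-test log. The following added example, written for this page rather than taken from the article or its authors, turns that evidence into findings against the client enterprise’s own RPO and RTO: whether each backup still verifies, whether the newest good backup is within the RPO, whether a restore has actually been exercised recently, whether the measured restore fit the RTO, and whether any verified copy is immutable. The manifest format, the field names, the 90-day restore-test interval and the sample data are all constructed assumptions.

```python
"""Check a vendor's backup evidence against the client's RPO and RTO.

Added illustration, not code from the article or its authors. Inputs mimic
the evidence a subservice organization could hand over: a backup manifest
with stored digests, and its restore-test log. Field names, the 90-day
restore-test interval and all sample data are constructed assumptions.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_backup_posture(backups: list[dict], restore_tests: list[dict], now: datetime,
                         rpo: timedelta, rto: timedelta,
                         max_test_age: timedelta = timedelta(days=90)) -> list[str]:
    """Return a list of findings; an empty list means the evidence meets the targets.

    backups: {"id", "taken_at", "digest", "payload", "immutable"}; payload
    stands in for the bytes read back from the backup medium.
    restore_tests: {"at", "backup_id", "duration", "success"}.
    """
    findings: list[str] = []

    # 1. Integrity: a backup whose bytes no longer match the stored digest is no backup.
    verified = []
    for b in backups:
        if sha256_hex(b["payload"]) == b["digest"]:
            verified.append(b)
        else:
            findings.append(f"backup {b['id']} fails integrity check (digest mismatch)")

    # 2. RPO: measure from the newest *verified* backup, not the newest one on paper.
    if not verified:
        findings.append("no backup passes integrity verification")
    else:
        newest = max(verified, key=lambda b: b["taken_at"])
        age = now - newest["taken_at"]
        if age > rpo:
            findings.append(f"RPO {rpo} breached: newest verified backup is {age} old")
        if not any(b.get("immutable") for b in verified):
            findings.append("no verified backup copy is immutable/offline")

    # 3. RTO: only a successful, recent restore test gives a real recovery time.
    successful = [t for t in restore_tests if t["success"]]
    if not successful:
        findings.append("no successful restore test on record")
    else:
        last = max(successful, key=lambda t: t["at"])
        if now - last["at"] > max_test_age:
            findings.append(f"last successful restore test is {now - last['at']} old")
        if last["duration"] > rto:
            findings.append(f"RTO {rto} breached: measured restore took {last['duration']}")
    return findings


# Constructed sample evidence: one corrupted backup, one good but mutable one,
# and a single restore test that took six hours.
_PAYLOAD_OK = b"clients.db snapshot 2023-08-15"
_PAYLOAD_BAD = b"clients.db snapshot 2023-08-14 (corrupted on medium)"
NOW = datetime(2023, 8, 16, 8, 0, tzinfo=timezone.utc)
SAMPLE_BACKUPS = [
    {"id": "b-0814", "taken_at": NOW - timedelta(hours=32),
     "digest": sha256_hex(b"clients.db snapshot 2023-08-14"),
     "payload": _PAYLOAD_BAD, "immutable": True},
    {"id": "b-0815", "taken_at": NOW - timedelta(hours=8),
     "digest": sha256_hex(_PAYLOAD_OK),
     "payload": _PAYLOAD_OK, "immutable": False},
]
SAMPLE_RESTORE_TESTS = [
    {"at": NOW - timedelta(days=40), "backup_id": "b-0707",
     "duration": timedelta(hours=6), "success": True},
]


def run_sample_check(rpo_hours: float = 4, rto_hours: float = 2) -> list[str]:
    """Evaluate the sample evidence against a client RPO/RTO given in hours."""
    return check_backup_posture(SAMPLE_BACKUPS, SAMPLE_RESTORE_TESTS, NOW,
                                timedelta(hours=rpo_hours), timedelta(hours=rto_hours))


if __name__ == "__main__":
    for finding in run_sample_check():
        print(finding)
```

Against a client RPO of 4 hours and RTO of 2 hours, the sample evidence produces four findings: the older backup is corrupt, the newest verified backup is 8 hours old, the only verified copy is mutable, and the last restore took 6 hours. Relax the targets to 24 and 8 hours and only the integrity and immutability findings remain, which is the alignment conversation the text describes: the same vendor evidence can be adequate for one client and inadequate for another.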

Incident Response
When an incident occurs, it is important to determine what procedures are needed to detect, analyze, mitigate and report the incident, along with which personnel are necessary to carry out those procedures. It is also important to establish escalation points for incidents that might take time to resolve. When these policies are not in place prior to an incident, the resultant downtime is significantly increased. Enterprises should ask a prospective subservice organization, “Do you have an incident response policy? If so, what is it? If not, when will you implement one?” The answer should also cover how quickly, and through whom, the subservice organization will notify the client enterprise of an incident affecting its data; that notification timeline belongs in the contract.

System Availability Criteria
Backup policy, disaster recovery and incident response are the perfect introduction to the often-neglected system availability criteria, which include controls such as load balancing, redundant power, clustering, high availability, backup Internet connectivity and other types of redundancies that are important for any organization to consider.

Every organization has a different appetite for potential downtime, and it is important for enterprises to verify that any subservice organization it engages has a system availability policy that aligns with its own.

Data Loss Prevention
It is essential to understand how subservice organizations protect sensitive data from exfiltration, how they ensure the safety and privacy of data, and what systems they may or may not have to monitor to maintain data loss prevention controls. Enterprises should ask their prospective subservice organizations, “What are you doing to prevent unauthorized sharing or exfiltration of sensitive information?” Their answers should illuminate their DLP policies.

Conclusion

These recommended controls should serve as a foundation for due diligence in dealing with subservice organizations, but they are not the be-all and end-all. Every enterprise is different. Depending on the type of data an enterprise handles, it may need to take a deeper dive into specific frameworks to gain the most useful insight into its subservice organizations. In any case, it is essential for enterprises to gain a greater level of comfort when sharing data and business processes with third-party organizations.

Endnotes

1 American Institute of Certified Public Accountants (AICPA), “SOC for Service Organizations: Information for Service Organizations,” https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement
2 US National Institute of Standards and Technology, “Risk Assessment,” https://csrc.nist.gov/glossary/term/risk_assessment
3 US National Institute of Standards and Technology (NIST), “NIST Risk Management Framework,” USA, 2016, https://csrc.nist.gov/projects/risk-management/about-rmf
4 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001 Information security management systems, Switzerland, 2022, https://www.iso.org/standard/27001
5 Center for Internet Security (CIS), CIS Risk Assessment Method (RAM), https://www.cisecurity.org/insights/white-papers/cis-ram-risk-assessment-method
6 Sjouwerman, S.; “Stanford Research: 88 Percent of Data Breaches Are Caused by Human Error,” KnowBe4, 4 March 2023, https://blog.knowbe4.com/88-percent-of-data-breaches-are-caused-by-human-error
7 Folk, E.; Federal Bureau of Investigation, Springfield, Illinois Office, USA, “Internet Crime Complaint Center Releases 2022 Statistics,” 22 March 2023, https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics
8 Internal Revenue Service (IRS), “IRS Reports Significant Increase in Texting Scams; Warns Taxpayers to Remain Vigilant,” USA, 28 September 2022, https://www.irs.gov/newsroom/irs-reports-significant-increase-in-texting-scams-warns-taxpayers-to-remain-vigilant
9 Sjouwerman, S.; “Social Engineering Is a Core Element of Nearly Every Cyber Attack,” KnowBe4, 18 January 2023, https://blog.knowbe4.com/social-engineering-is-a-core-element-of-nearly-every-cyber-attack
10 US National Institute of Standards and Technology, “Business Continuity Plan (BCP),” https://csrc.nist.gov/glossary/term/business_continuity_plan
11 US National Institute of Standards and Technology, “Disaster Recovery Plan (DRP),” https://csrc.nist.gov/glossary/term/disaster_recovery_plan

ALINA ARCHIBALD | CISA, CITP, CPA

Is currently the accountability program manager for the US State of Illinois Department of Commerce and Economic Opportunity. She leads a team of unclaimed property examiners as well as third-party audit organizations. She has had a robust career in auditing for multiple state agencies and also recently founded her own enterprise, Expert Insights, Inc. Expert Insights focuses on website development with future plans to expand into offering system and organization controls (SOC) reports, International Organization for Standardization (ISO) 27000 review, and other auditing and compliance services.

JOSH DITTO | CC, CISSP

Is the chief technology officer for CDS Office Technologies, a managed services provider with nine locations in the US Midwest. He started his career in IT in 2008 and has founded several technology enterprises, which were then acquired by CDS. He oversees the managed services program at CDS from a sales and engineering perspective and assists with third-party vendor management for his enterprise and its clients.