As the list of alternative vendor cybersecurity assessment methods grows, institutions need to determine which method or combination of methods gives the best insight into the adequacy of a vendor's cybersecurity controls. Please join Gary Deutsch, CPA, CIA, CBA, CMA, MBA for this webinar, which helps vendor risk managers and auditors understand the benefits and pitfalls of the growing list of cybersecurity risk assessment methods.
As cybersecurity risks grow, so does exposure to customer data breaches through outsourced vendor relationships. To manage that outsourced risk, institutions have relied on CPA-prepared SOC 2 reports for insight into the cybersecurity controls a vendor has in place, and SOC 2 reports have become the most requested document from third-party vendors. SOC 2 examinations are performed under the AICPA's attestation standards against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy); the AICPA's separate SOC for Cybersecurity examination addresses an entity's cybersecurity risk management program as a whole. CPA information systems auditors are independent, objective professionals who attest to the suitability of the design of information security controls as of a point in time (in a SOC 2 Type I) and to both the design and the operating effectiveness of those controls over a review period, typically six to twelve months (in a SOC 2 Type II). Vendors must provide the CPA with evidence that the controls exist and operate as described; the auditor's opinion is only as good as the controls actually in scope, so readers should check the system description, the scope and period covered, any exceptions noted, and the complementary user entity controls the vendor expects its customers to perform.
That said, a growing number of alternatives to SOC 2 reports address vendor cybersecurity risk. Some say the alternatives can be more comprehensive than a SOC 2 report; others argue that they rely too heavily on canned checklists and vendor self-reporting rather than independent testing. Either way, as cybersecurity risks grow, the demand for vendor risk assessments has expanded to meet market conditions. Now that institutions are considering these alternatives, it is time to review the use cases for the more popular assessment methods. For instance, the Shared Assessments program's Standardized Information Gathering (SIG) questionnaire is increasingly used in place of a SOC 2 report. Is the SIG questionnaire, which is completed by the vendor itself, a sound SOC 2 alternative, or is it better used as a supplement that scopes and interprets the SOC 2 report? How about engaging a CPA to perform an agreed-upon procedures (AUP) engagement, in which the institution specifies the procedures and receives findings rather than an opinion, instead of obtaining a SOC 2 report? Should institutions accept an ISO/IEC 27001 certification audit, which confirms that an information security management system meets the standard's requirements but does not report on the operation of individual controls the way a SOC 2 Type II does, instead of a SOC 2 report?
This webinar will cover the following: