February 1, 2018
THE NEW WATCHWORDS - SUBSERVICE ORGANIZATION
By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations in reports generated after May 1, 2017. It is interesting to see the reveal of underlying providers (fourth parties) within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped. At times, there is a fog placed on the identities of fourth parties; phrases like "industry-recognized third party" or "subservice organization" are inserted in place of the names of the companies your vendors have outsourced responsibilities to. We have also seen the emergence of a new section, Subservice Complementary Controls. This is where the report must detail where controls passed through to your organization are actually the controls from the fourth party. Very interesting to know and understand with whom you are interacting.
But some vendors make it difficult to for you to access information that you have a regulatory mandate to know. For instance, what are the fourth parties supporting your vendors? Where is the datacenter hosting generically identified in reports as a "subservice provider" physically located or backed up? Is this datacenter via provision of a cloud-based virtual provider? How do you know where your sensitive client and organizational data resides or is being accessed? Is there potential for this storage or access to transcend the United States and U.S. Laws and Regulations? It would seem that the more you learn, the more questions you'll need to ask.
Did vendor management just get even tougher? How do you manage fourth parties today? Do you map fourth party locations and location types? It might be time to seek automation or assistance with the evaluation of these updated control audit reports.