A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?
- A
Request the provider to sign a contractual service-level agreement (SLA) that guarantees encryption compliance.
Why wrong: An SLA is a contractual promise, not evidence that a control exists or operates effectively; it gives the company a remedy if the promise is broken, not assurance that it is being kept. Encryption requirements also belong in a security addendum or data-processing agreement rather than in an availability-focused SLA. Contract terms can support due diligence, but they should not be its sole basis when an independent audit report is available for review.
- B
Accept the SOC 2 Type II report as sufficient and proceed without further review.
Why wrong: Accepting the report on its existence alone does not show that the company's specific requirements (TLS 1.2 or higher in transit, AES-256 at rest) are covered. A SOC 2 Type II report tests the controls the provider chose to describe, against the Trust Services Criteria the provider chose to include, over a stated period and for a stated set of systems; the company must confirm that those controls, that scope, and the auditor's results actually match its own requirements.
- C
Review the detailed control descriptions and auditor test results within the SOC 2 Type II report that address encryption of data in transit and at rest.
Why correct: A SOC 2 Type II report contains the provider's system description, the controls it has implemented against the Trust Services Criteria, and the results of the auditor's tests of those controls over the review period (unlike a Type I, which evaluates control design at a single point in time). Reading the sections that address encryption in transit and at rest lets the company confirm that the relevant controls are designed and operating effectively and shows any exceptions the auditor noted, which is what due diligence for third-party risk management requires. Two practical checks belong with that review: if the control descriptions say "encryption" generically without naming protocol versions or algorithms, request the provider's encryption standard or a supplementary attestation as evidence for the TLS 1.2+ and AES-256 requirements; and read the complementary user entity controls, because some encryption responsibilities (client-side TLS configuration, customer-managed keys) may be assigned to the customer. Also note the period end date; a bridge letter covers the gap between it and the contract date.
- D
Conduct an independent penetration test on the provider’s infrastructure before signing the contract.
Why wrong: A penetration test requires the provider's written authorization (testing a third party's infrastructure without it is unlawful in most jurisdictions and prohibited by most providers' terms), adds cost and time, and still cannot observe whether stored data is encrypted with AES-256; at most it can confirm which TLS versions the externally reachable endpoints negotiate. The SOC 2 Type II report already provides independently audited evidence that the controls operate; a test can complement that review but is not the primary means of verifying encryption compliance during due diligence.
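The one requirement in the question that can be checked from outside is the in-transit one: a plain TLS handshake shows which protocol versions a public endpoint will negotiate. The script below is an added example, not part of the original question or of any vendor's tooling; it pins a client to each TLS version in turn and reports whether the server accepts it, then compares the result with the "TLS 1.2 or higher" floor. The hostname crm.example.com is a placeholder. It complements the SOC 2 review rather than replacing it: nothing observable over the network tells you whether data at rest is AES-256 encrypted, which is exactly why the report's control descriptions and test results are needed. A handshake is not a penetration test, but check the provider's terms of service before probing.

```python
"""Probe which TLS protocol versions a vendor endpoint accepts.

Added example for this page (not vendor or auditor tooling). Confirms the
"TLS 1.2 or higher" requirement against a live endpoint; it cannot observe
encryption at rest. The target host below is a placeholder assumption.
"""
import socket
import ssl
import sys

# Oldest first. SSLv3 and older are not offered by modern OpenSSL builds,
# so the probe covers TLS 1.0 through TLS 1.3.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
REQUIRED_MIN = "TLS 1.2"  # the compliance team's floor from the question


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted", "refused" (the server would not negotiate that
    version), "error" (could not reach the host), or "unsupported" (the
    local OpenSSL build cannot even offer the version). Certificate
    verification is disabled only because this probes protocol negotiation,
    not trust; never reuse this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported"
    # Recent OpenSSL security levels forbid offering TLS 1.0/1.1 at all;
    # lower the level so the client is allowed to offer them for the test.
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            return "unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.version()  # handshake completed at the pinned version
                return "accepted"
    except ssl.SSLError:
        return "refused"
    except OSError:
        return "error"


def probe_host(host: str, port: int = 443) -> dict[str, str]:
    """Probe every version in VERSIONS against host:port."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def evaluate(results: dict[str, str], required_min: str = REQUIRED_MIN) -> tuple[bool, list[str]]:
    """Compare probe results with the policy.

    Passes only if every version below the floor was not accepted and at
    least one version at or above the floor was accepted. Returns
    (passed, findings) so the findings can go straight into the vendor file.
    """
    names = [n for n, _ in VERSIONS]
    floor = names.index(required_min)
    findings = []
    for name in names[:floor]:
        if results.get(name) == "accepted":
            findings.append(f"{name} accepted (below required floor {required_min})")
    if not any(results.get(n) == "accepted" for n in names[floor:]):
        findings.append(f"no version at or above {required_min} accepted")
    return (not findings, findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "crm.example.com"  # placeholder host
    res = probe_host(target)
    ok, notes = evaluate(res)
    for name, state in res.items():
        print(f"{name:8s} {state}")
    print("PASS" if ok else "FAIL: " + "; ".join(notes))
```

Run it as `python probe_tls.py crm.example.com` and file the output alongside the SOC 2 review; a PASS here covers only the transport requirement, so the at-rest requirement still rests on the report's control evidence.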