Continuous Audit: March - Vulnerabilities and Vendors

How to complete your vulnerabilities and vendors controls

OVERVIEW

Vulnerabilities: includes your vulnerability management program/policy, penetration testing, vulnerability scans, tracking and resolution of vulnerabilities identified. If the penetration test related to the current audit period has not been completed yet, we'll circle back to it in September. In any case, it's a good time to check there's an effective process for logging and resolving vulnerabilities identified from the tests and scans.

Vendors: this includes your governance and reviews for third-party vendor services. It's an area we can cover completely once in the audit period. That means if we do it well the first time around, it will be complete and give us time back when it rolls around for the second time in the audit period (September). It includes your vendor register, vendors' terms of service, risk assessments, and review of the third-party attestation reports for high-risk vendors.

 

CONTROLS AND EVIDENCE

Vulnerabilities: We'll look at your vulnerability management program/policy (DCF-24). We'll also review your latest annual penetration test report (DCF-19) and the latest vulnerability scan, which should be from within the last quarter (DCF-18). From those, we expect to see that material vulnerabilities, e.g. Medium or above, are logged and tracked through to resolution. If this register of vulnerabilities is not in Drata, please upload it as manual evidence to the (DCF-23) control.

Vendors: We'll look at your vendor management policy (DCF-168), and the vendor register to see you've logged your list of material third-party vendors (DCF-56). At a minimum this should include the providers of your cloud infrastructure (i.e. front-end, back-end and database providers), source code repository, identity management and authentication software, and any sub-processors that hold sensitive customer data on your behalf. We expect to see that the risk assessments in Drata for each vendor have been conducted (DCF-56), and for those with a High or Critical rating, that you have obtained, reviewed and documented the review of their third-party attestation reports such as SOC 2 (DCF-57).

 

Other resources