Compass IT Compliance Blog / Vendor Management

Subservice Organizations in SOC Reports: Carve-Out vs. Inclusive Method

Subservice Organizations in SOC Reports: Carve-Out vs. Inclusive Method

When a service organization relies on another vendor to perform part of its service, that vendor relationship doesn’t disappear from the SOC audit. Think of a payroll processor using a third-party data center, for example, or a SaaS company built on a major cloud infrastructure provid …

Read Story

Does SOC 2 Reduce Security Questionnaires, or Just Change Them?

Does SOC 2 Reduce Security Questionnaires, or Just Change Them?

Every B2B vendor chasing enterprise deals eventually asks the same thing. We are pouring real money and real calendar time into a SOC 2 Type 2 report, so will it actually reduce the security questionnaires we get buried under, or will buyers just keep sending them anyway?

Read Story

Third Party Administrator (TPA) Risks: IT Security & Compliance Guide

Third Party Administrator (TPA) Risks IT Security & Compliance Guide

If your organization handles sensitive data and outsources any operational work, there is a good chance a Third Party Administrator (TPA) is somewhere in your environment. Maybe they process claims for your self-funded health plan. Maybe they handle 401(k) recordkeeping. Maybe they ar …

Read Story

When Vendors Get Hacked: Your Guide to Third-Party Data Breaches

When Vendors Get Hacked Your Guide to Third-Party Data Breaches

In today's interconnected business ecosystem, organizations rely heavily on third-party vendors for everything from payroll and marketing to cloud hosting, customer support, and specialized financial-services processing. While these partnerships unlock efficiency and innovation, they …

Read Story

Why Holiday Peak Readiness Depends on Strong SOC 2 Compliance

Black Friday SOC 2 Reports

Black Friday is no longer a single day of crowded stores and doorbuster sales. It has become a long digital stretch that can determine the financial outcome of an entire year for many retailers. For some online merchants, the holiday shopping season represents up to a third of their a …

Read Story

Managing Vendor Risk Without a Dedicated Team

Managing Third-Party Vendor Risk without a Dedicated Team

High-profile breaches have shown that attackers often take the path of least resistance—and that path is frequently through a third party. The 2013 Target breach is the textbook example: attackers used a compromised HVAC vendor to access Target’s network, leading to a massive payment …

Read Story

Subscribe by email