As an IT auditor, part of my job duties includes vendor risk assessment / conducting security due diligence.
Based on documentation obtained from the vendor (SOC 2 report, SIG survey), I and several members of the team (I am the lead of the team) have concerns about what may be potential security vulnerabilities. Specific concerns:
Uses SSL encryption - The report does not mention whether this refers to the insecure SSL protocol itself, or to the broader suite of technology known as SSL that includes TLS. The SSL is used for remote access by the employees of the vendor and for the customer-facing web portal. This was described by the vendor's management in the SOC 2 report.
Logical access is removed timely upon notification of termination. - The SLA for "timely" is never defined. A specific statement such as "logical access is removed within 24 hours (or 3 days) of termination" would have been ideal. This vendor has access to sensitive company data, so the absence of a concrete SLA is concerning.
Our team is responsible for advising management on whether to continue to engage with this vendor, and our recommendation will be heavily considered. The definition of vulnerability I am using is from NIST:
"Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
If engaging the vendor has not been fruitful, how should such potential vulnerabilities, or weaknesses in security controls, best be reported? On one hand, I do not want to mislead by reporting that the vendor is more secure than the evidence suggests, but on the other hand, I do not want to unnecessarily write off a vendor simply due to an unfortunate choice of words on the part of the vendor.