cc9.1-5-001

CC9.1 · D5 · f1

Difficulty: D5
Gaps: 5
Red Herrings: 0
Avg Score: 24%

Task

You are a SOC 2 auditor evaluating Onyx Data's vendor risk management controls for the Q4 2025 observation period (October 1 — December 31, 2025). Review the vendor management policy, vendor inventory, vendor security incident documentation, and SOC 2 review notes. Assess whether CC9.1 requirements for vendor risk mitigation are met. Identify any gaps, considering the adequacy of vendor oversight, incident response, and whether the vendor management program effectively mitigates third-party risk.

Evidence

Findings

ID     Type  Severity  Finding
F-001  gap   high      Cloudmatic Systems qualified SOC 2 opinion without required risk assessment
       Cloudmatic Systems (OD-V-004), a Critical-tier vendor providing customer identity and access management (CIAM), received a qualified SOC 2 opinion on CC6.1 — user access reviews were not performed at ...
F-002  gap   medium    PrestoServe incident — 3-week uncertainty period without customer notification
       PrestoServe Analytics (OD-V-016), a Critical vendor processing customer PII and behavioral data, experienced a security incident on November 8, 2025. For 20 days (November 8-28), PrestoServe could not...
F-003  gap   medium    PrestoServe incident root cause reveals vendor credential management weakness
       The PrestoServe security incident root cause was a long-lived API key (not rotated since March 2025 — 8 months) accidentally committed to a developer's public GitHub repository. This reveals fundament...
F-004  gap   low       PrestoServe quarterly business review overdue at end of Q4
       The vendor inventory shows PrestoServe Analytics (OD-V-016, Critical tier) had its Q4 business review due December 28, 2025, but it was rescheduled to January 7, 2026 due to 'holiday freeze.' The vend...
F-005  gap   medium    Vendor incident response adequacy — PrestoServe containment versus systemic control weakness
       PrestoServe detected the breach within 48 minutes and contained it within 2 hours and 23 minutes, which the incident report characterizes as demonstrating 'effective monitoring' and 'effective inciden...

Results

Model       Provider   Score  Recall  Prec.  F1   Gaps  Reported
Sonnet 4.6  Anthropic  36%    40%     33%    36%  2/5   6
Opus 4.7    Anthropic  40%    60%     30%    40%  3/5   10
GPT-5.5     OpenAI     15%    20%     12%    15%  1/5   8
GPT-4.1     OpenAI     20%    20%     20%    20%  1/5   5
Haiku 4.5   Anthropic  14%    40%     9%     14%  2/5   23
GPT-4o      OpenAI     20%    20%     20%    20%  1/5   5