Posted by: David Schneier
BITS, COBIT, compliance, GLBA, ISACA, ITGI, NCUA, regulatory, Regulatory Compliance, Shared Assessment, SIG, Vendor Management, vendor risk, vendor risk assessment
On Monday the BITS Shared Assessment was free, on Tuesday it cost $5,000 per year (at a minimum).
My first thought was that it was just like what drug dealers do – they give you free product until you’re hopelessly addicted and then start making you pay to feed that addiction. My second thought was that I couldn’t imagine anyone actually wanting to pay for the content. While it’s better than nothing as a framework it’s not that much better. I’m sure there are certain pockets in the GRC industry who think that the Shared Assessment is to vendor management what COBIT is to IT governance but I certainly don’t.
Since first encountering the Shared Assessment a few years back I’ve always thought of it as bloated, difficult to effectively apply and all at once redundant and oddly vague. The very first time I reviewed the content I immediately thought that whoever was behind creating it must be people who get paid by the hour, because any attempt at relying on it was going to be major league time consuming. And of course once I started investigating the companies behind developing the questionnaire(s) I realized I was spot on. I once commented to a colleague that the questionnaire looked as if the purpose of the collective assignment was to think of every possible question you might ever want to ask a vendor, throw it into a spreadsheet and then try to organize it after the fact. If I’ve ever truly liked it in any meaningful way it’s as a reference source when considering questions to include in customized questionnaires and assessments.
The folks running the show have made strides to truly make the questionnaire into a framework with an accompanying methodology, but in my experience most companies simply want to leverage the content of the questionnaires and use it how they see fit. Some have made the effort to dig through the massive pile of questions and whittle it down to something more manageable, while others pretty much ship it out to their vendors as is, in both the lite and full versions. As someone whose practice often has to complete due diligence questionnaires I have to tell you that if we needed to fill out even the lite version it might be a deal breaker due to time constraints.
As I alluded to earlier, I think many practitioners who use the Shared Assessment think of it as being something more like COBIT. I know COBIT, and you sir are no COBIT. It’s really intended to be used by large vendors who provide services to multiple clients as something akin to a SAS 70/SSAE 16 report. They pay someone to complete it for them and sign off on it, and when their customers look for annual proof that they’re properly controlled they can send along a copy of the completed questionnaire with management’s approval stamped on the cover. In theory it’s a good idea, but I’d still prefer a proper audit instead.
And it’s heavily geared towards technology vendors and, to a lesser extent, those who host services. When you try to use the Shared Assessment for non-technology vendors it becomes that much more difficult to apply and sort of forces your hand into coming up with something else. Trying to whittle 900+ questions down to something smaller only to discover you need to write a bunch of new questions on top of that has to be somewhere between depressing and outrageous, I would think.
What I really don’t understand is why this was even needed to begin with. My vendor management experience goes back several years and I’ve always been satisfied working with content from existing sources. I think that when you combine content from COBIT and FFIEC you can adequately cover what needs to be covered to assess vendors. I would go so far as to say that most examiners would agree with me, based mostly on the fact that there are more than 100 institutions using some version of a vendor management program my practice has designed and they always do well on that front, always.
For those of you who are going to stay the course, cough up the money and continue along with the Shared Assessment I wish you good luck. I hope you’re able to glean something meaningful from the process and I pray you never wind up working for a vendor that needs to complete one of the resulting questionnaires.