Posted by: David Schneier
Audit, GLBA, Regulatory Compliance, SOX, Vendor Management
About thirty seconds after I posted my last blog, an item on the SearchFinancialSecurity.com homepage caught my eye. It was an interview conducted by Marcia Savage with Michelle Edson and Charlie Miller from the Santa Fe Group about the Shared Assessment Program.
For those of you who aren’t already familiar with the Shared Assessment Program, it’s a framework for assessing third-party service providers that has been gaining in popularity over the past few years. Created by BITS, “a non-profit industry consortium whose members are 100 of the largest financial institutions in the United States”, it’s fast becoming synonymous with vendor management. I’m hard-pressed to recall a recent conversation with someone in the industry where, when the subject of vendor management was brought up, Shared Assessment didn’t somehow get mentioned.
I’ve grown fond of saying that what CobIT became to SOX, the Shared Assessment Program is becoming to vendor management. Now, I’m an experienced hand with vendor management and some might even consider me an expert (though not for me to say about myself), and I’m hard-pressed to think of a better framework or approach to use when actually trying to determine what controls are in place and functioning at someone else’s company. Conceptually it presents itself as a SAS 70 process, but unlike a SAS 70 it has clear, concise and repeatable steps that remove any ambiguity from the process. While it’s certainly true that the results are only as good as the people using it, the Shared Assessment approach at least serves as a relevant and comprehensive baseline.
I’m not going to offer a deep dive into the components of the program; feel free to check it out yourself. What I will tell you is why you should be at least familiar with it and likely be using it for your own purposes.
First, it covers everything you’d want or need to cover within the virtual four walls of any company. Take a look at what’s covered via the FFIEC guidance and related handbooks, take a look at any reasonable IT general controls audit program, read any SAS 70 report done for a technology service provider, and map it back to the related Shared Assessment Program elements; it’s all in there.
Second, the language is clear and concise with almost no room for misinterpretation (I say “almost” only because I’ve learned never to underestimate or overestimate people’s ability to complicate the simple things). Anyone can pick up the templates and start using them immediately with no direction or instruction.
Third, it’s great to use as a self-assessment guideline. If you work for any organization in any business vertical and want to quickly get a snapshot of where your infrastructure is in terms of controls and their related activities, open up the Standard Information Gathering questionnaire (SIG spreadsheet) and use the Lite version. As a matter of fact, pass out copies to stakeholders in other areas of your infrastructure, ask them to fill it out, and see what things look like from multiple perspectives.
Fourth, if you’re in an industry with strict regulatory oversight, particularly within the banking sector, this will help you standardize not only on what information you’ll need from your vendors but also on what you want to be able to share with those external to your own organization. When the examiners or external auditors show up to conduct their work and find that you’re using the Shared Assessment Program to measure and test yourselves, it should engender confidence and reduce the amount of time necessary for them to conduct their own fieldwork. That’s sort of what CobIT did during the early and insane days of SOX. When the auditors showed up and discovered that you had documented your controls so that they aligned with CobIT, they tended to ease up a bit and place a greater dependency on management testing, thus reducing time and (billable) expenses. This is a similar opportunity, and in this economy who can easily ignore the chance to potentially lower costs?
To be clear, Shared Assessments is not a vendor management program; it’s part of one. You still have to conduct all of the other related activities involved (e.g. due diligence, contract compliance, etc.). But for that all-important element where you need to obtain proof that the necessary controls are in place and functioning effectively at your third-party service providers (HEY BANKING COMMUNITY, PAY ATTENTION ‘CAUSE THIS IS IMPORTANT FOR GLBA), this is what you should require the vendor to be using.
Oh, and did I mention it’s free?