Posted by: David Schneier
FDIC, FFIEC, GLBA, Regulatory Compliance, shared assessment, Vendor Management
I received an email from a colleague last week regarding my recent post about the BITS Shared Assessments Program. In that entry I offered my high opinion of the framework but went out of my way to point out that, by itself, the assessment is not a vendor management program. The subject line of the email was “Why not?”.
Semantics aside, there’s an important distinction between assessing and managing. Assessing how a vendor conducts business within its own infrastructure is not the same as monitoring the contractual obligations and service-level agreements that govern your relationship with that vendor. That the vendor has an information security program is a good thing; that the vendor’s information security program supports what the regulations require of you is a better thing.
The Shared Assessments Program does a great job of providing a consistent set of measurements by which every vendor can be assessed. But it does not determine whether what the vendor does is sufficient for your own needs or purposes. It’s still incumbent upon your institution to form that opinion and act accordingly. And even then, that’s still just one piece of the vendor management puzzle.
FFIEC guidance breaks vendor management out into several separate and distinct parts, with the assessment piece being only one element of the ongoing monitoring phase. Assuming you’ve conducted the necessary and expected steps to enter into a contract with a vendor, you still need to review the vendor’s performance against specific contractual obligations and measure it against the various elements of the service level agreement. This needs to occur annually, with a determination formed as to whether the contract is being adhered to and, if not, what remedial steps are required to continue forward with the vendor. The Shared Assessments Program doesn’t do that for you.
One of my reasons for beating this drum is the popular misconceptions circulating in the marketplace as to what’s needed to address vendor management. There are people I’ve worked with who offer themselves as industry experts and push the Shared Assessments approach on even the smallest financial institutions, trying to convince them that they need to have one completed for all of their high risk vendors in order to appease the examiners. This is simply not true and is really, in my opinion, just a ploy to generate revenue within an industry that’s hyper-sensitive to regulatory scrutiny. Basically, what’s required is that the vendor, where applicable, provides its customers with something akin to a SAS70 report in which it demonstrates that its infrastructure is properly secured and managed. And that’s the point where I’m predicting that the Shared Assessments framework will become the standard: that it will replace SAS70s and generic audit/assessment programs as the truest way to measure a technology service provider. But again, this represents only a portion of the work required to address vendor management. Rest assured, if all you have to show your examiner/regulator/auditor the next time they ask to see your vendor management program is a few recently completed shared assessment reports, you’re asking for trouble.
Which leads to another reason for my beating this drum. Only a small percentage of vendors are ones to which the Shared Assessments Program even applies. When reviewing my clients’ vendor management programs I’m often confronted with the “high risk vendor” logic, in which some arbitrary algorithm is applied to determine which vendors are included in and which are excluded from the program. There’s almost no evidence of this assessment having been conducted, and it never holds up under scrutiny. But with regard to which vendors should be required to provide an external and independent assessment of their infrastructure, I could easily make the case for limiting it to only “high risk vendors.” As a matter of fact, I can even offer a viable rule by which to make that determination. Does the vendor process, store or transmit non-public personal information (NPPI) within its infrastructure? If the answer is “yes,” demand a SAS70 or equivalent. Otherwise you’re free to decide your threshold for pain and make the rules accordingly. But rest assured, if you have recently completed shared assessment reports for your high risk vendors to show your examiner/regulator/auditor as part of your vendor management program the next time they ask, you’re in for a lot less trouble.
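The two rules above (an independent assessment is demanded only of vendors that touch NPPI, and every vendor still gets an annual review of contractual obligations and SLA performance regardless) are easy to state but are exactly what an examiner will ask you to evidence. The following is an added illustration, not code from the original post or from the Shared Assessments Program: it encodes both rules so that a vendor with a fresh assessment report but no contract review is still flagged, which is the distinction the post is drawing. The vendor names, dates, SLA figures and the 12-month window are constructed sample values, and the assessment labels are assumed free-text, not a defined taxonomy.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Review cadence the post describes: once a year. Assumed as a fixed window here.
ANNUAL_REVIEW_WINDOW = timedelta(days=365)


@dataclass
class SLAMetric:
    """One measurable element of the service level agreement."""
    name: str
    target: float
    measured: float
    higher_is_better: bool = True  # e.g. availability % vs. hours to respond

    def met(self) -> bool:
        if self.higher_is_better:
            return self.measured >= self.target
        return self.measured <= self.target


@dataclass
class Vendor:
    name: str
    handles_nppi: bool                         # processes, stores or transmits NPPI?
    independent_assessment: Optional[str]      # e.g. "SAS70 Type II", "Shared Assessments AUP"
    assessment_date: Optional[date]
    last_contract_review: Optional[date]       # date obligations/SLAs were last reviewed
    sla: List[SLAMetric] = field(default_factory=list)


def requires_independent_assessment(vendor: Vendor) -> bool:
    """The post's rule: NPPI in the vendor's infrastructure => demand SAS70 or equivalent."""
    return vendor.handles_nppi


def stale(as_of: date, when: Optional[date]) -> bool:
    return when is None or as_of - when > ANNUAL_REVIEW_WINDOW


def review_vendor(vendor: Vendor, as_of: date) -> List[str]:
    """Return the findings an annual vendor management review would raise.

    An empty list means the vendor is in good standing as of `as_of`.
    The assessment check and the contract/SLA check are deliberately
    independent: a current assessment never satisfies the review obligation.
    """
    findings: List[str] = []

    if requires_independent_assessment(vendor):
        if not vendor.independent_assessment:
            findings.append("high risk vendor (NPPI) with no SAS70 or equivalent on file")
        elif stale(as_of, vendor.assessment_date):
            findings.append(f"{vendor.independent_assessment} is older than 12 months")

    # Applies to every vendor, high risk or not, and regardless of assessments held.
    if stale(as_of, vendor.last_contract_review):
        findings.append("no review of contractual obligations/SLA within the last 12 months")

    for metric in vendor.sla:
        if not metric.met():
            findings.append(
                f"SLA '{metric.name}' missed: measured {metric.measured}, target {metric.target}"
            )
    return findings


# Constructed sample data (not real institutions or vendors).
AS_OF = date(2010, 6, 30)

CORE_PROCESSOR = Vendor(
    name="Example Core Processor",
    handles_nppi=True,
    independent_assessment="Shared Assessments AUP",
    assessment_date=date(2010, 3, 1),          # fresh report on file...
    last_contract_review=date(2008, 12, 1),    # ...but contract not reviewed in 18 months
    sla=[
        SLAMetric("availability %", target=99.9, measured=99.95),
        SLAMetric("incident response hours", target=4, measured=6, higher_is_better=False),
    ],
)

PAYROLL_SERVICE = Vendor(
    name="Example Payroll Service",
    handles_nppi=True,
    independent_assessment=None,               # NPPI with nothing independent to show
    assessment_date=None,
    last_contract_review=date(2010, 2, 10),
)

OFFICE_SUPPLY = Vendor(
    name="Example Office Supply",
    handles_nppi=False,                        # no NPPI: no assessment demanded
    independent_assessment=None,
    assessment_date=None,
    last_contract_review=date(2010, 1, 15),
)

if __name__ == "__main__":
    for v in (CORE_PROCESSOR, PAYROLL_SERVICE, OFFICE_SUPPLY):
        print(v.name, review_vendor(v, AS_OF) or ["in good standing"])
```

The core processor case is the one the post is warning about: its Shared Assessments report is current, yet the review still produces findings, because the report says nothing about whether the contract and SLA have been monitored. Whatever the actual tiering rule an institution adopts, keeping it as an explicit, repeatable predicate like `requires_independent_assessment` is what lets it hold up when an examiner asks how the high risk list was built.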