Risk management: Common assessments criteria

Conducting security assessments of critical service providers is an essential part of an enterprise risk management program. Highlighting exposures external to your organization will assist in appropriate vendor selection and acceptable risk practices, and will reduce the likelihood that your data will suffer a breach through means outside your direct control.

I have seen assessments that do little more than check off a box for a thoughtful, but poorly executed security program. I have also seen assessments that are so detailed that in order to satisfy one area of the assessment I would be required to provide documentation that is clearly restricted for distribution and, hence, would result in failure of a different section of the assessment. Somehow, the folks conducting the reviews cannot seem to find the irony in this.

It is clear that the level of depth required for an assessment will be based on the criticality of the supplier and the sensitivity of the data in question. A review of an outsourced back office data supplier who only has access to publicly available records would take considerably less time and resources than a review of a payroll processor. Since the value of varying the depth is apparent, I suggest we offer a consistent approach on breadth and leverage a common assessment template to facilitate these reviews.

The problem with the current process, with its seemingly random assessment formats, is the resource requirement and the increased time to respond. Having to field different questionnaires in different formats results in significant time wasted in rewriting answers. This in turn delays the response time and limits the number of concurrent reviews the average organization can maintain. By using a standard assessment format we can leverage a common structure, which will allow for faster turnaround and reduce wasted staff effort.

When I discuss this with other security practitioners, there is normally an agreement on the need for simplifying the process and understanding the value this will offer. When I ask the same group if they would participate in creating such a standard, they almost unanimously say "no," but they would be happy if it eventually appears. In fact, there are some vendor-neutral associations that have made strides in creating common assessment criteria. Perhaps the adoption levels will increase over time and the value will be further emphasized by everyone wanting to copy their neighbor. In the meantime, I will go back to filling out hundreds of dissimilar spreadsheets asking questions about firewalls and business continuity planning.


For more information
Absent a Shared Assessments Standardized Information Gathering questionnaire, the outsourcer must answer detailed questions from each financial institution for which it performs key functions.

Consortium guidance
BITS is a nonprofit, CEO-driven financial service industry group made up of 100 of the largest financial institutions in the U.S. It provides intellectual capital and fosters collaboration to address emerging issues.

Instilling trust
BITS is a division of The Financial Services Roundtable, a public policy group that promotes the interests of member companies in legislative, regulatory and judicial forums to sustain consumer confidence and trust.

Help for finance sector
BITS will hold a summit March 3-5 at the Hyatt Regency Sarasota, Fla., to discuss the demands for enhanced operational efficiency, higher security and increased customer service.

