A program aimed at making the vendor-assessment process easier is quietly making its way through the financial services community. BITS, the Washington, D.C.-based financial services technology organization, launched the Financial Institution Shared Assessments Program, which creates a standardized approach for banks and service providers to use in their information security audits.
The Shared Assessments Program "provides a common framework and a standard set of questions to help gauge the security controls of [bank technology] service providers," asserts Michele Edson, SVP with The Santa Fe Group (Santa Fe, N.M.), which oversees the program for BITS. "Eighty percent of the work done by financial institutions here is redundant, so we wanted to create a way to streamline the process."
There are two key elements to the program. The first is the Standardized Information Gathering Questionnaire (SIG), which is used in place of banks' existing proprietary questionnaires, Edson says. The second element is the testing portion of the program, known as Agreed Upon Procedures (AUP), which leverages independent assessors rather than bank-provided auditors, Edson notes. "The AUP seriously reduces the length of time [banks] spend on-site conducting routine audits," he says.
The Shared Assessments Program was developed three years ago by the BITS IT Service Providers Working Group. The six original bank members -- Bank of America (Charlotte, N.C.), The Bank of New York (New York), Citi (New York), JPMorgan Chase (New York), Wells Fargo (San Francisco) and US Bank (Minneapolis) -- collaborated with several service providers to create the standards for the program, which was launched in February 2006.
Published in October, the latest release, version 3.0, refines the procedures in the AUP for more-consistent execution, adds a risk management section, and maps more closely to the ISO 27002 information security standard, the Payment Card Industry Data Security Standard (PCI DSS) and the Control Objectives for Information and related Technology (COBIT) framework. The SIG now contains enhanced business continuity questions.
Solving a Common Problem
According to Bob Wilkinson, IT risk coordinator for Latin America for Citi ($1.5 trillion in assets), the initiative addresses a common industry problem. "The program gives us a high level of assurance that we're protecting our data and our customers' data," he explains.
Wilkinson notes that there is a 95 percent overlap between the SIG and Citi's proprietary assessment questionnaire. Despite the familiarity, however, it is important to educate the assessors on interpreting the results from the Shared Assessments Program to make certain the controls are validated, he adds.
When Citi performs a service provider assessment, it first asks the company if it participates in the Shared Assessments Program. "If they do, the next and most important step in the process is to determine the scope of the assessment done by the service provider," Wilkinson relates. "If that scope covers the services provided to Citi, then we accept the SIG and AUP in place of our proprietary process."
Wilkinson adds that there is a degree of customization and follow-up on certain questions specific to the services the bank receives from a provider. Still, he stresses, the amount of work is "greatly diminished with the Shared Assessments Program."
Sidebar: BITS Shared Assessments Program Basics