12:00 PM
Connect Directly

BITS Program Streamlines Vendor Security Audits

The Shared Assessments Program, which standardizes IT security audits of vendors, is slowly catching on in the financial services industry.

A program aimed at making the vendor-assessment process easier is quietly making its way through the financial services community. BITS, the Washington, D.C.-based financial services technology organization, launched the Financial Institution Shared Assessments Program, which creates a standardized approach for banks and service providers to use in their information security audits.

The Shared Assessments Program "provides a common framework and a standard set of questions to help gauge the security controls of [bank technology] service providers," asserts Michele Edson, SVP with The Santa Fe Group (Santa Fe, N.M.), which oversees the program for BITS. "Eighty percent of the work done by financial institutions here is redundant, so we wanted to create a way to streamline the process."

There are two key elements to the program. The first is the Standardized Information Gathering Questionnaire (SIG), which is used in place of banks' existing proprietary questionnaires, Edson says. The second element is the testing portion of the program, known as Agreed Upon Procedures (AUP), which leverages independent assessors rather than bank-provided auditors, Edson notes. "The AUP seriously reduces the length of time [banks] spend on-site conducting routine audits," he says.

The Shared Assessments Program was developed three years ago by the BITS IT Service Providers Working Group. The six original bank members -- Bank of America (Charlotte, N.C.), The Bank of New York (New York), Citi (New York), JPMorgan Chase (New York), Wells Fargo (San Francisco) and US Bank (Minneapolis) -- collaborated with several service providers to create the standards for the program, which was launched in February 2006.

Published in October, the latest release, version 3.0, refines the procedures in the AUP for more-consistent execution, adds a risk management section, and more closely maps with the ISO 27002 information security standard, Payment Card Industry (PCI) security standard and Control Objectives for Information and related Technology (COBIT) protocol. The SIG now contains enhanced business continuity questions.

Solving a Common Problem

According to Bob Wilkinson, IT risk coordinator for Latin America for Citi ($1.5 trillion in assets), the initiative addresses a common industry problem. "The program gives us a high level of assurance that we're protecting our data and our customers' data," he explains.

Wilkinson notes that there is a 95 percent overlap between the SIG and Citi's proprietary assessment questionnaire. Despite the familiarity, however, it is important to educate the assessors on interpreting the results from the Shared Assessments Program to make certain the controls are validated, he adds.

When Citi performs a service provider assessment, it first asks the company if it participates in the Shared Assessments Program. "If they do, the next and most important step in the process is to determine the scope of the assessment done by the service provider," Wilkinson relates. "If that scope covers the services provided to Citi, then we accept the SIG and AUP in place of our proprietary process."

Wilkinson adds that there is a degree of customization and follow-up on certain questions specific to the services the bank receives from a provider. Still, he stresses, the amount of work is "greatly diminished with the Shared Assessments Program."

Sidebar: BITS Shared Assets Program Basics

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.