Shared Assessments is a program of BITS, a division of the Financial Services Roundtable, an industry advocacy group. It provides tools to streamline the evaluation of third-party security controls for internal and external audit requirements, with the broader goal of establishing best practices for assessing and reporting the risk posed by vendors and service providers.
The agreement with India's National Association of Software and Services Companies (NASSCOM) and the Data Security Council of India (DSCI) will extend Shared Assessments' reach to NASSCOM's 1,200 members, said Michele Edson, senior vice president at the Santa Fe Group consulting firm and leader of the program.
The Memorandum of Understanding between the Indian organizations, BITS and the Santa Fe Group was unveiled at an event at the 2009 RSA Conference. About 50 people attended the event, including regulators, financial-services firms and service providers.
Edson said the cooperation between the organizations is expected to help foster U.S. companies' trust in the security controls of Indian service providers. Given the geographic distance, it is difficult for U.S. businesses to assess the security of their Indian outsourcers on their own.
"This raises the bar and puts more rigor into the processes," she said. "It allows for more transparency for those organizations."
NASSCOM's members include software developers and business process outsourcing (BPO) service providers. DSCI is an independent, self-regulatory organization established by NASSCOM and focuses on promoting data security in outsourcing.
"India is one of the favorite destinations for outsourcing and we want to make sure these outsourcers are secure," said Dr. Kamlesh Bajaj, CEO of DSCI. Bajaj added that many of India's largest outsourcers also want a standard framework in place because they are saddled with repeatedly answering questionnaires from their clients.
Edson said she traveled to Mumbai two years ago to present Shared Assessments to several BPO service providers. "They really got it," she said. "They understood there's a more efficient and cost-effective way" to document their security controls.
What's more, India recently put in place new laws around security to address the growing need for data protection and privacy. The Information Technology (Amendment) Act, 2008, which amends the Information Technology Act, 2000, was passed by the Indian Parliament and received presidential assent in February 2009. The law strengthens data protection and introduces liability for service providers that fail to observe reasonable information security practices and procedures, explained Bajaj. DSCI will support compliance by providing certification and ratings based on security and privacy best practices.
Program leaders are reaching out to other organizations outside of the U.S. with the goal of further broadening the program's international scope, Edson said.
The tools offered by the Shared Assessments program, the Agreed Upon Procedures (AUP), a set of on-site testing procedures, and the Standardized Information Gathering (SIG) questionnaire, a self-assessment completed by the service provider, cover 12 areas of information security management. Both are available on the Shared Assessments program website.
Edson said there have been more than 8,000 downloads of the tools, and more than 70 organizations now use the SIG as their default questionnaire for service providers. Members include Bank of America Corp., The Goldman Sachs Group Inc. and JPMorgan Chase & Co., among others. Edson also said the tools are being used outside the financial services sector, for example in healthcare and telecom.
Version 5 of the tools will be published in October and will map to PCI DSS 1.2. Other planned enhancements include a new section on privacy, which may be pre-released as a component of version 4.1.
Editorial Director Kelley Damore contributed to this story.