Shared Assessments aims to ease third-party security evaluations

Evaluating service provider controls can take a lot of time and effort, but the Shared Assessments program aims to give financial institutions and other organizations a way to streamline the process. recently met with Michele Edson, senior vice president and the program's leader at the Santa Fe Group, and Charlie Miller, a senior consultant at the Santa Fe Group and a former executive at Merrill Lynch, to discuss the Shared Assessments Program.

What is the Shared Assessments Program?
The Shared Assessments Program really grew out of work the BITS organization started. A working group in the '04 to '05 timeframe was centered around IT service providers and the redundant process we're all doing with the same vendors. Six charter members -- Bank of America, The Bank of New York Mellon, Citi, JP Morgan Chase, Wells Fargo and U.S. Bancorp -- partnered with members of the Big 4 accounting firms to design what is now the Shared Assessments Program. They focused on two key elements of vendor management. Every institution has a proprietary questionnaire or set of questions they have to ask vendors that have access to their sensitive data, on an annual basis, about the information security controls around their data. The first concept was to provide a Standardized Information Gathering questionnaire, what we refer to as the SIG. That launched in February 2006; we're up to version 4. The second element of vendor management they focused on was this concept of the revolving door at these vendors they all use, meaning based on their regulatory requirements, they have to go on-site and test the controls that are in place. So where the SIG is a self-assessment or information questionnaire the vendor fills out, this is the on-site audit conducted by the financial institution that has the relationship with the vendor to look at their physical security and a number of control areas… What would happen is JP Morgan Chase would come in the front door to conduct their audit while Wells Fargo was going out the back... They realized they needed to put some standardized framework around the testing piece of it, so what they created, and which piloted around 2005, is what we call Agreed Upon Procedures (AUP). It's a standardized set of procedures that an independent assessment firm can come in and execute on that vendor.

The benefit with the SIG is that it replaces all these proprietary questionnaires. If I'm a vendor with 200 clients, chances are I get 200 different questionnaires pretty much all asking the same questions on an annual basis. Now I can use the SIG and have it on the shelf ready to go when I get those requests from clients. When it comes time for the on-site audit, then I've had an assessment firm come on-site, execute testing based on the Agreed Upon Procedures, and prepare a report that I can then leverage across multiple clients, same as the SIG, to eliminate or greatly reduce the scope of an on-site audit. This year in this economy, where we're doing even more with even less, it's really important. The cost savings are really resonating with the industry.

Charlie Miller: One of the big issues everyone faced, especially on the service provider side, was the inconsistency in the level of questions and controls clients looked at. This sets the standard and a baseline so everyone is looking at pretty much the same types of controls… You remove inconsistency and raise the overall bar of information security.

Who is involved in the program?
The program is openly available. That means anyone can go to our website and download the SIG and AUP and leverage them with their vendor management program. We have a formal working group; membership in that is what sustains and evolves the program. We have 60 participating firms; 20 of those are financial institutions, 18 are service providers, 14 are assessment firms, and eight are software licensees -- GRC solution providers who have licensed the tools to incorporate them into their software. There are many more institutions that are leveraging the tools. Because the program is openly available, it's difficult to police the level of adoption. We conduct surveys… We know there are more than 130 firms that have completed the SIG and/or AUP or are in the process of doing it. We have another 50 that said they'd have it available during 2009.

In addition to the actual execution of the SIG and AUP, we have just under 300 organizations that are willing to leverage the SIG and AUP reports, meaning if they receive a completed SIG they will accept it in lieu of their own, or they'll consider the output from the AUP before they come on-site and do the testing. Seventy-two organizations are using the SIG as their default questionnaire. We had a good response to version 4, which was released in October, around the adaptability of the SIG. We've designed three levels of questions; it's not one size fits all… Every October we launch a new version of the tools unless there is a new threat or regulation that comes out; we have the ability to quickly adapt or enhance the tools as needed.

How does the program differ from a SAS 70?
A SAS 70 is really an auditor-to-auditor report. Most companies would typically perform a SAS 70 Type II. That information is shared with other audit firms to give you a sense of the controls that are present in the environment… The difference here is it's an agreed-upon procedure. The recommendation of the Big 4 is we could basically perform agreed-upon procedures where both the client and the assessment firm agree on the procedures that will be looked at, and anyone else who wants to understand what procedures were looked at agrees to the procedures… There is no opinion given on those procedures; it's just a matter of stating that they exist and are operational… One doesn't replace the other. You might continue to do a SAS 70 review and find that the sensitivity of the service and risk associated with the service from a third party are such that you'd want to do Agreed Upon Procedures as well.

How have regulators responded to the program?
One of the things the regulators like about the program is that it's not a pass/fail or a checkbox. It requires the outsourcer to review the output from the artifacts, both the SIG and the AUP, and they have to make the determination, based on their regulatory requirements and their risk criteria, whether it meets their needs or not… Of course you won't get the regulators to endorse it, but we maintain a relationship with them. We have them speak at our various events. Now that we're more mature in the program since the launch in '06, we're seeing more experiences in the field where banks are being examined and the artifacts are present. We've heard favorable reports from the regulators with regard to how the financial institutions are using these programs in their overall risk management program.

Miller: One of the other things we're looking to do this year is to expand the program to international regulators, not just U.S. regulators. We established a relationship with NASSCOM last year… We have a number of other companies in India in the outsourcing arena who are participating, and a number of international banks that have joined are beginning this year to get more familiar with the program and understand how they can leverage it not just in the U.S. but outside the U.S. as well.

Can you expand on how the program can help companies in the current economy?
On the service provider side, there's an enormous benefit to a company that has multiple clients needing to understand what their control environment looks like. It does take time to complete this, but once completed -- the standard questionnaire set and the AUP -- that information is easily shared with whoever is coming in… Similarly, on the financial institution side, the integration of the standard procedures into the institution's vendor management program does take some time -- change on the institution side is quite challenging -- but once you have done that, you have an opportunity to leverage a similar set of questions and a similar set of answers. You may not be able to let resources go, but you may be able to reassign them to more strategic things and not have them participate in the assessment side. There's a re-alignment of resources on the institution's side to more strategic types of issues, and on the third-party side, there's considerable opportunity to save time and effort.

Edson: One organization saved nearly $300,000 from one year to the next by leveraging a repeatable process like this.

Miller: We tried to structure the SIG so it's based on the risk associated with the services being provided to the client. In many instances, you have to be careful with the number of assessments you're actually performing. Regulators would like you to do every one of these things every year; the reality is, given resource constraints and the energy these take, you really have to prioritize who it is you're going to look at, and how and what it is you're going to look for, so it helps to focus specifically on what activities you really want to dive deep on. The way it's structured, you could dive deep into a background check process or your network connectivity or access management requirements... and it supports that risk-based approach that regulators like to see.