Is This Vendor Management's Silver Bullet?BITS Shared Assessment Program Gains Momentum with Institutions, Banking Groups and Vendors
The Financial Institution Shared Assessments Program, launched in 2006, has more than 4,000 individuals representing 2,500 institutions downloading its questionnaire and procedure documents. It was developed for financial institutions to offer a one-stop evaluation of the security controls of their IT service providers.
The shared assessment program was championed by BITS, Bank of America, Bank of New York, Citigroup, JPMorgan Chase, U.S. Bancorp and Wells Fargo. Accounting firms Deloitte & Touche, KPMG, PricewaterhouseCoopers and Ernst & Young are program technical advisors.
The guidelines can be used to evaluate an outsourcer's controls for access, asset classification, personnel security, physical and environmental security, communications, business continuity and regulatory compliance. The program's goal is to create consistent standards for use in evaluating the controls that outsourcing vendors use to protect sensitive data, says Michele Edson, Senior Vice President of the Santa Fe Group, a strategic partner and preferred provider to BITS. Since May 2005, BITS and their members have contracted with The Santa Fe Group to manage the shared assessments program.
The timing for this program couldn't be better, as both the FDIC and NCUA have announced that vendor management will be a major concern in regulatory exams this year. The issue also emerged loud and clear in the recent State of Information Security survey, in which respondents cited vendor management as one of their top challenges.
The Payoff for Institutions, Vendors
The program's two free documents, the Agreed Upon Procedures (AUP) and the Standardized Information Gathering questionnaire (SIG), are available for download from the BITS website ( http://www.bitsinfo.org/FISAP/index.php).
Edson sees the program being embraced more easily by smaller institutions that might not have a robust vendor management program in place, "It's very easy to take advantage of it," Edson says. She attributes this as one reason why there is so much more interest and activity from the smaller institutions.
The shared assessment program saves institutions from having to perform the initial assessment, and if needed they can then go back and ask the more pointed questions of the vendor, she explains.
For vendors, it is also a time-saver, Edson says, offering the analogy of a mother with many children all who ask the same questions. Vendors often face a multiple number of assessment requests from institutions each year -- a time-consuming, repetitive and costly process on their part.
In a recent BITS working group, members looked at a case study of a financial institution and a service provider. The service provider shared a trend it had seen developing from 2004 to 2008: The marked increase in audit requests. In 2004, the service provider had 25 audit requests; last year it had 350. "None of these audit requests was related to a growth in client base or anything else but the increased pressure of the regulatory landscape," Edson notes. "They found the right solution was taking advantage of the shared assessment program, going through the process and audit once, and then they were able to share it with all of their clients."
This vendor, with a majority of its clients in financial services, also distributed its assessment audit report with its clients in healthcare, pharmaceutical and several other smaller verticals, Edson says.
Institutions Embracing the Approach
Jim Routh, CISO at The Depository Trust & Clearing Corporation (DTCC) in New York, NY, says DTCC completed the BITS Shared Assessment Program as a critical service provider to the financial service industry and has also implemented the program for all of his own third-party service providers.
"DTCC believes the BITS Shared Assessment Program offers a reasonable set of security control assessment artifacts provided by service vendors to complete a security assessment sufficient to meet DTCC's business requirements," Routh says.
In a survey conducted last October, BITS asked all 4,000 individuals representing 2,500 institutions how they were using the downloaded tools. More than 50 percent of the respondents polled said they were using it and were prepared to leverage it in their vendor assessment programs.
The shared assessment program currently is being piloted by 18 financial institutions and 20 service providers (two of them are Indian outsourcers, Infosys and Wipro).
"BITS' shared assessment program is gaining ground, and we're supportive of it," says Doug Johnson, Vice President of Risk Management and Policy at the American Bankers Association. Johnson is also on the BITS steering committee. Based on what's happened thus far, Johnson says "This program has legs. We will be particularly supportive of it as it becomes something that smaller institutions and smaller vendors can get their arms around and utilize."
BITS wanted to gain "critical mass and get this program out to as many banks as possible," says Johnson. So BITS asked the ABA to help spread the word. "I got a pretty good reception from the bankers on the concept -- the idea that the larger banks were asking for a specific level of detail, and having a uniform, standardized questionnaire that everyone uses makes sense when vetting a vendor," he adds.
One surprise in the survey results is the number of responses from outside of the US, Edson notes. "Responses came from Australia, Germany, Sweden, Hong Kong, Czechoslovakia, and Brazil." Edson said there are three Brazilian financial institutions that are using the FISAP Standardized Information Gathering questionnaire (SIG) as part of their vendor assessments.
Last May, Edson met several of the largest BPO service providers in India to introduce them to the program. The outsourcers included HCO, Wipro, Tata, Cognizant and Infosys, who provide services to large US-based financial services industry leaders such as Citi, JP MorganChase, and Goldman Sachs. "We're also talking with the banking association in Singapore. They're looking for a standardized solution to help rein in the escalating costs and regulations facing their member institutions," Edson says. "I told them 'Why recreate the wheel?' With our latest version, the program is fine-tuned even further."
While BITS has yet to formally market the program through traditional means, the word-of-mouth advertising is catching fire, Edson says. "Even before the survey went out, we had another 40 additional vendors respond that they have completed the Standard Information Gathering questionnaire (SIG)." Vendors are spreading the word about it and its collective approach among their customers, she adds.
Program's Benefits, Challenges
The major benefit to using this program is the consistency and ease of delivery. It is critically important to send the exact same message to all vendors when performing assessments. "Management of the assessment data is another strong point of the shared assessment program," says Lorne Joseph, Senior Risk Management and Governance consultant for Corporate Advisory Group International. "Essentially, it scores high on creating a stable environment for the sharing of shared assessment data."
The downside has more to do with the need for consistency when performing internal versus external assessments. "Unless a financial institution adopts the approach both internally and externally, then reconciling the differing sets of questions becomes an arduous task," Joseph says. "Reconciliation also becomes important when presenting a consolidated risk posture to your senior management."
Among the other challenges to widespread adoption of the Shared Assessments Program:
- The sheer volume of questions that the process asks of its participants;
- Aligning the questions to the regulatory drivers that support them and the internal security policies that support those regulatory drivers. "If it were an independent process, it would be awesome, but because it has to be implemented by differing institutions, it creates a challenge when reporting on risk and readiness," Joseph says.
- Adoption by the vendors who are being assessed. "Without the vendors support for the process, it becomes a significant challenge," Joseph says. "Luckily, there are diplomatic and legal ways to assist with this hurdle."
Some vendors don't need to be convinced. Niall Browne, Director of Information Security at Yodlee, an online banking applications service provider, is a shared assessment proponent. "In the recent past financial service providers would respond to inconsistent and costly security risk questionnaires and onsite audit requests, while financial institutions, would exhaust significant resources in an effort to evaluate this often obscure information," Browne says. "Both parties quickly realized that this process was highly inefficient for all involved."
Future of Shared Assessments
BITS has a good process in place with the shared assessment steering committee.(a subset of the larger BITS working group) and "it has a lot of energy from both the institutions' side and the vendors' side," Johnson says. Financial institutions are not looking at this as a competitive issue, "because security is not competitive, it's collaborative."
"I believe that the future of the financial institution shared assessment program is good as long as more effort is expended on using the assessment process both internally and externally," says Joseph. "Adaptive question sets are the next generation of assessment questionnaires, as long as series of questions can be expanded or contracted based on relevance, then the program's process will benefit greatly."