With the rapid growth of cloud services, more organizations will find cost savings in outsourcing various business functions to third-party cloud providers. If your customers have entrusted you to protect personally identifiable information (PII), you must provide sufficient oversight of your service providers to ensure that they are using the proper controls for security, privacy and business continuity.
If you are a service provider to organizations that store, process, or transmit personally identifiable information, you are no doubt being asked to complete a variety of questionnaires to evaluate the controls you have in place for security, privacy, and business continuity.
The process for evaluating service provider controls has been inefficient and costly. Outsourcing organizations develop and distribute proprietary questionnaires to service providers. Service providers spend valuable resources responding to multiple client requests that are inconsistent with one another, causing delays that often result in costly on-site audits.
In some instances, you are being asked to have a SAS 70 audit or an audit under its successor, "Statements on Standards for Attestation Engagements No. 16" (SSAE 16), which replaced SAS 70 for reporting on controls at a service organization. These standards were developed by the American Institute of Certified Public Accountants (AICPA) and, as such, can only be performed by public accounting firms; the same holds for AICPA Trust Services engagements such as WebTrust and SysTrust.
Shared Assessment Services
The BITS Financial Services Roundtable, along with the Big 4 accounting firms and key service providers, developed the Shared Assessments Program, formerly known as the Financial Institution Shared Assessment Program (FISAP), which evolved into the BITS Shared Assessments Program. Recently "BITS" was dropped from the name and it is now referred to simply as Shared Assessments. The Shared Assessments program offers a standardized approach to evaluating vendor controls for security, privacy, and business continuity. By using the Shared Assessments tools, outsourcers, service providers, and assessment firms save time, resources, and money by reducing redundancies and increasing efficiencies in the vendor control assessment process.
How Can Sword & Shield Assist Outsourcing Organizations and Service Providers?
Sword & Shield can assist organizations by:
- conducting a gap analysis of the existing service provider/business associate management program against the requirements prescribed by the applicable regulations,
- creating a road map to implement an effective vendor management program that uses the Shared Assessments Agreed Upon Procedures (AUP) to perform objective and consistent service provider evaluations, and
- providing the services of a solutions architect to assist in implementing the program.
If you are a service provider who has not satisfactorily completed the Standardized Information Gathering (SIG) questionnaire, we can provide assistance in understanding the gaps and make recommendations for remediation to meet the requirements. For example, if you provide services to financial institutions, we can help you understand requirements such as FFIEC guidance, HIPAA, or the FTC Red Flags Rule and how they apply to service providers.
Find Out More
Sword & Shield has been outsmarting cyber-criminals and improving security for enterprises around the world since 1997. Fill out our Consultation Request form or call us so we can begin securing your future.
U.S. Toll-free: 800-810-1885