In the past, I’ve written about the Shared Assessment group’s on-site third-party vendor assessment tool called the Agreed Upon Procedures, or AUP. This has been a very useful and cost-effective tool for performing an in-depth, independently validated security assessment of a supplier or other third-party’s internal controls, before (or while) sharing sensitive information with them.
AUP to SCA – New Name, Even Better Tool
Starting in 2018, the Shared Assessments group has changed the name of this tool to the Standardized Control Assessment, or SCA. In the process, they have made it even better! Since I am a member of the Shared Assessments Committee that oversees the SCA, I might be a little biased. But I really think this well-established tool has become an even better vehicle, especially for two vital purposes:
1. It can be used to assess your vendors or business partners to ensure their controls are sufficient to protect any data you share with them.
2. It can be used to assess your own business, either to perform a gap assessment of your information security, or as a means to prove to your clients and business partners that your controls are sufficient for them to trust you with their data.
SCA Improves on the AUP
Why is the new SCA better than the previous editions of the AUP? A major factor is closer alignment with the other tools produced by the Shared Assessments group: The Standardized Information gathering tool (SIG) and the smaller, “lite” version (SIG Lite). The SCA allows a more streamlined process for asking for a self-assessment of a vendor using the SIG or SIG Lite. It encompasses the “trust” component in the Shared Assessments, “Trust -> Verify -> Benchmark” model. The “verify” component, is where an independent, qualified third party (Pivot Point Security, for example) would validate the policies and controls that exist.
I’m a big fan of the SCA, and of Shared Assessment tools in general. Why? Because I think they can be leveraged to help build a third-party risk management (TPRM) program much more effectively and efficiently than “rolling your own” from scratch.
In particular, the SCA can be an extremely valuable option because:
- In many cases, you can substitute it for a SOC 2 report, to give your clients an independently-assessed, industry-standard review of critical controls. Usually, the SCA can perform this same function at a fraction of the cost of a SOC 2.
- It functions very well as part of a gap assessment or self-assessment of your own controls. The SCA defines 18 specific, widely-accepted critical risk control areas, which map very well to most information security implementations. Because this tool is highly structured and clearly defined, it can allow you to see your year-over-year improvements in your information security program, as well as help identify areas that might need attention.
- The SCA is highly flexible. Unlike some other types of assessments, almost any control area can be scoped into or out of an assessment. So you can tailor it very precisely to your specific environment’s needs. In audit-speak, it is an “attestation;” that is, the auditor looks at your controls and determines whether they exist or whether they don’t. This provides flexibility in that a qualified professional auditor can be engaged to attest to specific controls as you deem appropriate.
- It is applicable to a broad range of frameworks and requirements. The controls specified in the SCA are expressly mapped to controls and requirements for the following:
- ISO 27001: 2013
- NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53)
- NIST Cybersecurity Framework
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI DSS (Payment Card Industry Data Security Standard)It also maps well (although this is not expressly noted in the document) to:
- OCC 2013-29 (Office of the Comptroller of the Currency Bulletin 2013-29 (Risk Management Guidance on Third Party Relationships)
- Cloud Security Alliance – Cloud Controls Matrix
The Best Ways to Use the Standardized Control Assessment
I have used these tools for years, and one of the most useful approaches I have seen is to leverage an SCA for several of these purposes at once:
- Want to show your clients that they can trust your controls? Check!
- Want to cut down on the number of client audits you have to prepare for every year? Check!
- Want to get an independent, objective assessment of your organization’s strengths and weaknesses? Check!
- Want an independent, objective way of seeing how your information security program is maturing, year over year? Check!
- Want to be able to demonstrate that you have controls that address specific contractual and regulatory requirements? Check!
Moreover, all of this can often be accomplished in an extremely cost-effective manner. Interested in knowing more? Please contact us at Pivot Point Security for a no-pressure call where we can answer any of your questions regarding third-party risk, and the SCA in particular.