Last Updated on May 4, 2020
In our recent blog and podcast coverage of top information security challenges from COVID-19, third party risk management (TPRM) made the short list. The pandemic is disrupting many aspects of outsourcing relationships, including escalating risks to sensitive data handled by third parties.
If you outsource critical services, how do you find out how your organization’s risk exposure has changed due to recent vendor impacts? If you’re a service provider, how do you give clients peace of mind and address their InfoSec questions?
“The Standardized Control Assessment really has been developed to assist risk professionals in performing onsite and critical assessments. This is the ‘verify’ portion of a third party risk program.”
The answer could be the same for both: the Standardized Control Assessment (SCA) Procedure Tools from the Shared Assessments Program. If you need to verify an entity’s information security posture (including your own), the SCA can offer a better, faster and cheaper approach that costs less, takes less time and offers more supportive detail than alternatives… we said better, faster and cheaper, right?
To give you a comprehensive view of the SCA and its use cases and business value, a recent episode of The Virtual CISO Podcast features Tom Garrubba, VP and CISO for the Shared Assessments Program, speaking with host John Verry, CISO and Managing Partner at Pivot Point Security, a longstanding Shared Assessments Program member.
So what is the SCA (formerly called Agreed Upon Procedures or AUP) and how can it be better, faster and cheaper for SMBs?
Tom Garrubba explains: “The Standardized Control Assessment really has been developed to assist risk professionals in performing onsite and critical assessments. This is the ‘verify’ portion of a third party risk program.”
The SCA mirrors the 18 critical risk domains covered in the Shared Assessments Program’s Standardized Information Gathering (SIG) Questionnaire. These “test steps,” as Tom calls them, can be scoped to an organization’s specific needs—making it faster and easier to perform an onsite assessment, get self-report data or even proactively assess your own environment.
Tom explains, “There’s actually an SCA package… and it includes the SCA report template. It provides the standardized approach to collecting and reporting your assessment results. The features include the implementation guide. It helps to provide standards, such as an assessment form. There are reporting templates and a best-practices checklist for planning and execution of an actual SCA engagements. There are summary templates for executives who only need to see the executive summary from those reports.”
With such a complete and flexible package, it’s easy to see why businesses are increasingly using the SCA as a form of attestation in its own right—especially when time and cost are critical factors.
“If you think about it, an SCA report is an awful lot like a SOC 2 report in the sense of the intensity of the actual audit program itself,” Tom clarifies. “We’re seeing a lot of internal audit and compliance organizations use this, as well as assessment firms going in and executing this for their clients in lieu of a SOC 2.”
In short, you can use the SCA to self-report to other entities about your security posture, or to evaluate your security posture for internal purposes. Further, you can use it as the foundation of a robust, trusted third-party attestation of your security posture at “a significant reduction of cost” versus SOC 2.
Is the SCA right for your organization?
Check out the full episode for more information, and stay tuned for more blog posts on this topic.