Standardized Control Assessment (SCA) Services
Simplify proving you are secure to your customers, vendors and partners.
The demand to prove you can manage information securely is growing rapidly. Like many of our clients, you may be facing the loss of key customers or opportunities if you can’t demonstrate you are secure.
With a completed Standardized Control Assessment (SCA) from Pivot Point Security you have a simple and effective way to demonstrate you are secure. Our clients enjoy the confidence they can prove they are secure, which ultimately means they can close more business.
Why choose the SCA?
The SCA can be an extremely valuable option because:
- A standardized offering of the Shared Assessments Program, the SCA is proven and widely accepted.
- In many cases, you can substitute it for a SOC 2 report, to give your clients an independently-assessed, industry-standard review of critical controls. Usually, the SCA can perform this same function at a fraction of the cost of a SOC 2.
- It functions very well as part of a gap assessment or self-assessment of your own controls. The SCA defines 18 specific, widely-accepted critical risk control areas, which map very well to most information security implementations. Because this tool is highly structured and clearly defined, it can allow you to see your year-over-year improvements in your information security program, as well as help identify areas that might need attention.
- The SCA is highly flexible. Unlike some other types of assessments, almost any control area can be scoped into or out of the assessment, so you can tailor it precisely to your specific needs. In audit-speak, the SCA is an “attestation”: the auditor examines your controls and determines whether or not they exist. This provides flexibility in that a qualified professional auditor can be engaged to attest to specific controls as you deem appropriate.
- It is applicable to a broad range of frameworks and requirements. The controls specified in the SCA are expressly mapped to controls and requirements for the following:
  - ISO 27001:2013
  - NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53)
  - NIST Cybersecurity Framework
  - HIPAA (Health Insurance Portability and Accountability Act)
  - PCI DSS (Payment Card Industry Data Security Standard)
- It also maps well (although this is not expressly noted in the SCA documentation) to:
  - OCC 2013-29 (Office of the Comptroller of the Currency Bulletin 2013-29, Risk Management Guidance on Third Party Relationships)
  - Cloud Security Alliance – Cloud Controls Matrix
Why Choose PPS to conduct your SCA?
- We have completed dozens of SCAs with a proven track record of success. Our NPS is world-class… ask us for references, PLEASE!
- Our team is 100% full-time employees; this gives you a level of service and security a one-and-done contractor cannot provide.
- Our information security expertise extends far beyond vendor risk management. Our team is made up of experts from a wide range of information security fields, who we can leverage to ensure your SCA is completed to the highest possible standard.
How our SCA Services Work
- Meet with our team to establish the scope of your SCA. No need to waste time reviewing irrelevant control areas.
- An SCA expert will perform an independent, third-party assessment of your environment. Our experts hold certifications such as the CTPRP and CTPRA.
- Receive your SCA report and share it with your clients (and upper management) to show off how awesome you are… I mean, how awesome your security posture is (nailed it).
Standardized Control Assessments (SCA) FAQs
What is a Shared Assessments SCA?
As its name suggests, the SCA is a standardized assessment designed to understand the maturity of an organization’s security controls. It has several uses and is widely accepted as a way to assess an organization’s security posture. In short, it’s an assessment that helps an organization understand whether it’s safe to do business with another organization.
How does the Shared Assessments SCA relate to the SIG?
The “trust” component of the Shared Assessments Program is the Standardized Information Gathering (SIG) Questionnaire. By using the SIG, an organization can gain all the information necessary to conduct an initial assessment of another organization’s control posture relative to the products and services it receives from them.
The “verify” component of the Shared Assessments Program is carried out using the Shared Assessments Standardized Control Assessment (SCA). An SCA allows an organization to validate the answers provided on the SIG questionnaire. The SCA can also be used as a standalone set of procedures for performing an onsite control assessment.
How can the SCA be used?
The most common uses for the SCA are:
- To assess your vendors or business partners to ensure their controls are sufficient to protect any data you share with them.
- To assess your own business—either to perform a gap assessment of your information security, or as a means to prove to your clients and business partners that your controls are sufficient for them to trust you with their data.