April 13, 2020

Last Updated on March 16, 2023

You’re responsible for information security at your SMB, and you need a better, faster and cheaper way to demonstrate your own security (or the security of a key third party).
Is there really a better, faster & cheaper option?
Yes, yes there is…
I had a chance to sit down with Tom Garrubba, VP and CISO at The Shared Assessments Program, about applications for the SCA.
The Shared Assessments Program is a member-driven organization that focuses on bringing assessment firms and licensees and various members from various industries together to address the challenges of third party risk — everything from procurement, business resilience, to information security and compliance, privacy, and all of those other components in between.
Most widely known for the SIG (Standardized Information Gathering questionnaire), they’ve got another tool in their toolbox, originally called the AUP (Agreed Upon Procedures), that was relabeled last year as the SCA (Standardized Control Assessment).

 

SCA application

The Standardized Control Assessment has been developed to assist professionals with performing onsite and virtual assessments. It’s the “verify” portion of a third party risk program, and it mirrors the 18 critical risk domains that are covered already in the SIG.
“These are the test steps, so to speak, and these can be scoped to the individual needs for the organization,” Tom explained.
The SCA report template provides the standardized approach to collecting and reporting your assessment results and includes an implementation guide, a best practices checklist, and summary templates for executives.
“We really try to make it a package that’s quick and easy to use for assessors to be able to perform an onsite [or virtual] assessment,” Tom said.

When to use the SCA

  • If you want to execute certain test steps right off the bat after a SIG
  • If you’re not satisfied with or if you’re suspicious of the answers you’re getting from a SIG
  • If you want to get an internal gut check on how you look for your customers
  • If you want a better tool to work with your security folks

 

Resilience guidance and the SCA

“When we get a word of new regulations, it helps to get us a jump as to what should be included in the latest release of the tools,” Tom said.
Members will advise the team of mappers about what alignments are necessary or desired, and they’ll just bake that into the standards.
SMBs and SMEs know that they’re getting the latest and most desirable in resilience guidance — a term that speaks to business resilience and the overall resilience of the information security program.
The SCA is by nature a set of agreed upon procedures, a very specific audit program. Most people think of SOC 2, but Tom explained that the SCA can actually be more valuable, especially to a smaller enterprise.
“A lot of organizations will go with a SOC 2 report because they’re paying for the big name,” Tom said. “We’re seeing a lot of internal audit and compliance organizations as well as assessment firms use the SCA in lieu of having to do a SOC 2.”
Smaller organizations are doing it because the SOC guidance is, well, not inexpensive.
Quick aside: Part of the rationale behind the rename was to avoid terminology that made people think of certification and caused confusion with the AICPA version of the AUP.
“People thought by using the shared assessments, AUP at the time, they still had to utilize a CPA firm to execute this, but no, anybody can execute the SCA,” Tom said. “Whether it’s a firm such as Pivot Point or whether you want to do it internally, anybody can execute the SCA.”

3 ways to use the SCA

The SCA is an excellent way to assess the appropriateness and maturity of your information security controls from many different perspectives. 
“It’s a great tool, and I’m starting to see actual auditing firms use it more, and more internal audit organizations using it as a basis to execute certain test steps, whether they need to get verification and validation over certain programs or over actual technical components,” Tom said.

1 — Part of your Third Party Risk Management Program

A good program has questionnaires for most vendors and an audit program like SCA for a small subset of “critical” vendors.

2 — A self-assessment tool

The SCA is also a great internal self-assessment tool, especially if you are subject to a lot of vendor risk management.
If you can self-pass the SCA assessment, you’re going to be in good shape to pass an assessment that’s done by one of these third parties. 

3 — A third party audit

You can also use the SCA to have a third party audit you. Then you’d be able to present that SCA as evidence of your security posture, perhaps in addition to or in lieu of a SOC 2 or a ISO 27001 certificate, for example.
“The purpose of the SCA is to have it black and white and for you to present to your management what you have done and the results of your analysis,” Tom said.
Get in touch with Tom to talk about SCA on the Shared Assessments website or by email at [email protected]. (Mention the Virtual CISO Podcast to get bumped to the top of his list.)

This post is based on a portion of an episode of The Virtual CISO Podcast, featuring Tom Garrubba. To hear this episode in its entirety and others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.