Group Crafts Standards for Evaluating Outsourcers
Computerworld - Six large U.S. banks, an industry group and four major accounting firms joined forces in early 2004 to create standards for assessing the security practices of outsourcing vendors that work with financial services firms.
The goal was to create consistent standards for use in evaluating the controls that outsourcing vendors use to protect sensitive data, said Faith Boettger, a senior consultant at BITS, the technology arm of the Washington-based Financial Services Roundtable.
The standards are now available to the financial services community, following a trial of the program undertaken by five service providers, including IBM, Acxiom Corp. and First Data Corp.
The standards program, called the Financial Institution Shared Assessments Program, was developed by BITS, Bank of America Corp., The Bank of New York Co., Citigroup Inc., JPMorgan Chase & Co., U.S. Bancorp and Wells Fargo & Co. Accounting firms Deloitte & Touche LLP, KPMG International, PricewaterhouseCoopers and Ernst & Young International serve as technical advisers for the program.
The guidelines can be used to evaluate an outsourcer's controls for access, asset classification, personnel security, physical and environmental security, communications, business continuity and regulatory compliance, Boettger said.
The group expects that the standards will result in improved security and risk-management practices, she said. The program will also give auditing firms standard criteria for measuring the security practices of different service providers, she added.
"BITS member companies have for a long time been focused on looking at the management of risk within outsourcing relationships," Boettger said. The new programs should help such companies better meet their regulatory and risk management requirements, she explained.
Joe Duffy, lead managing partner for the performance improvement practice at PricewaterhouseCoopers, said the initiative is an example of the private sector coming together to address information security issues at a time of heightened regulatory oversight.
"What is groundbreaking here is the fact that industry, the accounting profession and the supplier community are coming together and agreeing" on common assessment standards, Duffy said.
Read more about Security in Computerworld's Security Topic Center.
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!