The Financial Institution Shared Assessments Program - PowerPoint PPT Presentation

Provided by: michel68
Slides: 27

Transcript and Presenter's Notes


1
The Financial Institution Shared Assessments Program
2
Program Background
  • Created by BITS Members
  • IT Service Providers Expectations Matrix
  • Six members collaborated
  • Formation of the Program
  • Proof of concept
  • Pilots
  • Operational recommendations

3
Why We Need Shared Assessments
  • Risk: Financial institutions must ensure that
    third-party providers are meeting the control
    environment specifications outlined in their
    outsourcing agreements
  • Expense: Individual financial institutions use
    substantial resources to make these evaluations
  • Inefficiency: Service providers must respond to
    inconsistent and costly questionnaires and
    information/audit requests

4
Program Benefits
  • Raises the bar on security
  • Reduces costs
  • Increases efficiency
  • A forum for industry collaboration
  • A common sense approach
  • Evolves to remain relevant

5
Controls
  • Risk Management
  • Information Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and
    Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

6
Standardized Information Gathering Questionnaire
  • Replaces institution questionnaires
  • Complete picture of provider operations and
    controls
  • Once completed by service providers, can be
    distributed to all clients

7
Agreed Upon Procedures
  • Objectively test a control and report results
  • Test and validate service provider information
    security controls
  • Institutions view results in the context of their
    risk management requirements

8
The AUP Assessment Process
  • Assessment Firm Receives Request to Perform AUP
  • Assessment Firm Scoping Discussions
  • Scope and Terms Agreed
  • Preparation Activities
  • On-Site Fieldwork
  • Additional Parties Request and Receive Report
  • AUP Report Drafting and QA
  • AUP Report Issued

9
Evolution
  • AUP Version 3 Enhancements
      • Refined procedures to assure consistent execution
      • Added Risk Management section
      • Mapped to ISO 27002:2005 and PCI DSS v1.1
      • Added procedures to address wireless security
      • Reporting requirements added/updated to ensure
        consistency
  • SIG version 3.1 Enhancements
      • Added "high-level" questions to streamline
        completion
      • SIG Lite module
      • Added Risk Management section
      • Mapped to ISO 27002:2005 and PCI DSS v1.1
      • Verified alignment with AUP

10
Keys to Success
  • Effective and ongoing governance
  • Continuous industry input
  • Consistency across financial services industry
  • Broad adoption

11
Adoption Status (as of April 9, 2008)
  • 39 AUPs scheduled, completed, or in progress
  • 75 SIGs scheduled, completed, or in progress
  • 150 firms willing to leverage the completed SIG
    and/or AUP artifacts
  • 38 firms using the SIG or SIG Lite as their
    default questionnaire

12
Governance
  • Executive Advisory and Steering Committees
    oversee Program
  • Technical Advisers ensure Agreed Upon Procedures
    are executable and meet professional accounting
    standards and quality requirements
  • Technical Development Committee reviews feedback
    and updates documents

13
Working Group
  • Open to all stakeholders
  • Participation in ongoing program development
  • Candid discussion with member financial
    institutions, service providers and consulting
    firms
  • Be part of a solution that raises the bar on
    security

14
Industry Feedback
  • Documents are freely available
  • Input encouraged from all who download the
    documents
  • Feedback prioritized by Steering Committee
  • Mid-term changes to allow for significant new
    risks or changes in regulatory requirements

15
Membership Today Financial Institutions
  • Bank of America Corp.
  • The Bank of New York Mellon
  • Citi
  • Goldman Sachs
  • JPMorgan Chase
  • Merrill Lynch
  • Morgan Stanley
  • M&T Bank
  • Target Corporation
  • The Depository Trust & Clearing
    Corporation
  • US Bancorp
  • Wachovia Corp.
  • Wells Fargo & Company
  • Wilmington Trust Co.

16
Membership Today Service Providers
  • Acxiom
  • Convergys
  • Early Warning Services
  • Equifax
  • Experian
  • First Data
  • IBM
  • Infosys Technologies Ltd.
  • Iron Mountain
  • LiveOps
  • Radian Group Inc.
  • SEI
  • SunGard
  • TSYS
  • USi, an AT&T Company
  • VeriSign
  • Wipro
  • Yodlee
  • Zoot Enterprises

17
Membership Today Assessment Firms
  • Accuvant
  • AsTech Consulting
  • BSI Management Systems America, Inc.
  • CDI IT Solutions
  • Churchill Harriman
  • Deloitte & Touche
  • Ernst & Young
  • FishNet Security
  • KPMG
  • NET2S
  • PricewaterhouseCoopers
  • Trustwave Holdings, Inc.
  • VeriSign
  • Verizon Business
  • Technical Advisers

18
Licensees
  • Archer Technologies
  • Avior Computing
  • Collaborative Software Initiative, Inc.
  • Control Path
  • Evantix LLC
  • Relational Security Corporation
  • Verizon Business

19
FAQs
  • Q: Is the Shared Assessments Program a
    certification?
  • A: No. The Shared Assessments Program is a set
    of industry standards. Organizations use the
    Program to gather information on service
    provider controls and test those controls.

20
FAQs
  • Q: Will financial institutions really rely on
    the reports and questionnaire?
  • A: Yes. Financial institutions expect the Shared
    Assessments Program to reduce or even eliminate
    their need for on-site assessments.

21
FAQs
  • Q: Who sees the Shared Assessment Reports?
  • A: The service provider always controls which
    institutions receive the report.

22
FAQs
  • Q: Who may perform a Shared Assessment?
  • A: AUP Assessments may be performed by
      • A qualified consulting firm
      • A CPA with the appropriate skills

23
FAQs
  • Q: Who benefits from the Shared Assessments
    Program?
  • A: All stakeholders benefit from the Shared
    Assessments Program, by design.

24
FAQs
  • Q: Is the Shared Assessments Program the same as
    a SAS 70?
  • A: No. Important distinctions exist between the
    Shared Assessments Program and the SAS 70.

25
FAQs
  • Q: Does the Shared Assessments Program eliminate
    the need for financial institution testing?
  • A: No. The Shared Assessments Program is not a
    100% solution. The percentage will fluctuate by
    the institution's risk and the amount of dedicated
    vs. shared services.

26
For More Information
  • Download Program documents: www.bitsinfo.org/fisap
  • Contact:
      • Michele Edson
      • michele_at_santa-fe-group.com
      • 505-480-5942