Does that mean you need to redo everything? No. I wrote this book with the idea that technology, compliance, and threats will evolve over time. The advice is designed to be timeless, not timely.
There are some changes in how the auditors will conduct the audit and write their opinion, but really only one thing affects the audited organization: increased scrutiny of the performance of subservice organizations. This is another way of talking about third party security. I have an entire chapter covering that subject in the book.
So what about third party security? Well, looking at the data from the past three months of the California Attorney General's breach records, I get the following:
Out of the 51 incidents examined, 6 were directly attributable to a third party's security. Is 12% significant? Sure, maybe not a top risk but it's something to worry about.
So, what is going on with third party security? Protiviti did a Vendor Risk Management Benchmark Study in 2015 and concluded that "Third party risk management is immature."
Furthermore, they went on to comment that out of all the third party risk management programs going on, the most mature ones are within the financial services organizations. Good to know, which leads us to ask: how well are financial services organizations managing third party risk?
Well, the New York State Department of Financial Services issued an "Update on Cyber Security in the Banking Sector: Third Party Service Providers." In this report, they noted that fewer than half of the examined financial services companies do on-site assessments, and that within the programs themselves there is a lot of variation.
Having been on the pointy end of these assessments for nearly a decade, I concur with these findings. I've seen banks assess vendor security by a large variety of methods including:
- Questionnaires with simple yes/no questions
- Open-ended questionnaires requiring narrative answers
- Questionnaires in word docs, spreadsheets, PDFs of varying lengths (1 to 30 pages)
- Shared assessment forms
- Online questionnaire/GRC tools hosted as SaaS
- On-site interviews (with auditors of varying expertise or lack thereof)
- Software scans of varying types
- Internet vulnerability scanning
- Third-party auditors (hiring a consulting or audit firm to do assessment)
- Subscription-based risk reputation scoring
Whatever third party security assessment method you use, doing something is better than doing nothing. And if you're going to pursue meeting the SSAE 18 certification, you should invest in a good method.