Monday, October 17, 2016

Third parties and SSAE 18

My new book talks about building a security program that can pass a number of audits, including the SSAE 16. Now comes news of a new standard from the AICPA Auditing Standards Board (ASB) called the SSAE 18 that will replace SSAE 16 later in 2017.
Does that mean you need to redo everything? No. I wrote this book with the idea that technology, compliance, and threats will evolve over time. The advice is designed to be timeless, not timely.

There are some changes in how the auditors will conduct and write their opinion, but really only one thing affects the audited organization: increased scrutiny of the performance of subservice organizations. This is another way of talking about third party security. I have an entire chapter covering that subject in the book.

So what about third party security? Well, looking at the data from the past three months in the California Attorney General's breach records, I get the following:

Out of the 51 incidents examined, 6 were directly attributable to a third party's security. Is 12% significant? Sure. Maybe not a top risk, but it's something to worry about.

So, what is going on with third party security? Protiviti did a Vendor Risk Management Benchmark Study in 2015 and concluded that "Third party risk management is immature."

Furthermore, they went on to comment that of all the third party risk management programs going on, the most mature ones are within financial services organizations. Good to know, which leads us to ask: how well are financial services organizations managing third party risk?
Well, the New York State Department of Financial Services issued an "Update on Cyber Security in the Banking Sector: Third Party Service Providers." In this report, they noted that fewer than half of the examined financial services companies do on-site assessments, and within the programs themselves there is a lot of variation.

Having been on the pointy end of these assessments for nearly a decade, I concur with these findings. I've seen banks assess vendor security by a large variety of methods including:
They all seem to have varying strengths (accuracy, low cost, speed) and weaknesses (lack of accuracy, difficulty). For questionnaires, the actual questions always seem to revolve around the standard 27k2 control sets. Maybe these are sufficient, but they do fall victim to best practicism.

Whatever third party security assessment you use, doing something is better than doing nothing. And if you're going to pursue meeting the SSAE 18 certification, you should invest in a good method.

1 comment:

Adeel said...

Thank you for more detailed information, very well written, on Vendor Risk Management Software, especially about the features or benefits a Vendor Risk Management Software should provide: improve business productivity while mitigating the risk and costs of growing volumes of content.