Educause Security Discussion mailing list archives

Vendor Assessments & EDUCAUSE Security Sessions


From: "Geib, Jeremy C" <jgeib () IU EDU>
Date: Mon, 4 Apr 2011 07:24:43 +0000

Colleagues,

A significant challenge faced by many institutions is evaluating the security posture of third-party providers such as 
outsourcing agreements, software as a service products, and “cloud computing” services. While these services and 
agreements can often bring significant time and cost savings to an institution, they may also harbor significant risks, 
especially when vendors will have access to regulated or otherwise “protected” data.

For several months, an EDUCAUSE project team has been reviewing and assessing the feasibility of utilizing the Shared 
Assessments program in higher education. [1] This program, created by the financial industry and managed by the Santa 
Fe Group, provides a framework comprised of a standardized information gathering (SIG) questionnaire as well as agreed 
upon procedures (AUP) for evaluating controls against the SIG. Utilizing a standardized questionnaire may provide 
significant benefits including reducing the time required to perform an assessment, reducing the time devoted to 
continually updating proprietary questionnaires, and ensuring the questionnaire used covers all control objectives.

The SIG questionnaire is distributed in lite and full versions and contains questions from many security domains. The 
program has also taken the time to map their questions to the control objectives in many standards and regulations, 
including ISO 27002, PCI DSS, and COBIT. The Shared Assessment tools are free to use in an unmodified format, and 
licensing and membership options are available for institutions that want to incorporate the SIG content into their own 
tools or influence the content of the Shared Assessment program.

If you are attending EDUCAUSE SPC 2011 this week, there are several opportunities to learn more about evaluating 
vendors, and Shared Assessments as well. Tuesday morning David Escalante, Shirley Payne, Kevin Savoy, and Miguel Soldi 
will present “Do they measure up? Assessing the security posture of third-party service providers.” [2] The online 
version of the conference will also stream this session. [3] During Tuesday’s lunch, Michele Edson of the Santa Fe 
Group will host a roundtable discussion about Shared Assessments. [4] And finally, a Tuesday evening birds-of-a-feather 
session hosted by Andrew Korty will discuss the Shared Assessments program. [5]

The project team reviewing the Shared Assessment program is interested in learning how you currently evaluate 
third-party vendors. Have you developed your own evaluation criteria and questionnaire, or are you using a standardized 
questionnaire such as those from Shared Assessments or the Cloud Security Alliance? What business units participate in 
the review process? Has your assessment process been accepted by both your vendors and business units? Has your 
assessment process produced positive results for your institution? If you are not comfortable sending this information 
to the open list, feel free to contact me offline to provide feedback.

Additionally, if you are interested in participating in the Shared Assessments project team please feel free to contact 
me off-list or talk with Andrew Korty during this week’s birds-of-a-feather session at EDUCAUSE SPC 2011.

Thanks,
Jeremy

[1] http://www.sharedassessments.org/
[2] http://www.educause.edu/SEC11/Program/SESS22
[3] http://www.educause.edu/SEC11/PROGRAM/ONLINE
[4] http://www.educause.edu/SEC11/Program/BRK18
[5] http://www.educause.edu/SEC11/Program/BRK13
 
-- 
Jeremy Geib, Lead Security Engineer
University Information Security Office
Indiana University
812.856.1599
