Educause Security Discussion mailing list archives
Vendor Assessments & EDUCAUSE Security Sessions
From: "Geib, Jeremy C" <jgeib () IU EDU>
Date: Mon, 4 Apr 2011 07:24:43 +0000
Colleagues,

A significant challenge faced by many institutions is evaluating the security posture of third-party providers such as outsourcing agreements, software as a service products, and "cloud computing" services. While these services and agreements can often bring significant time and cost savings to an institution, they may also harbor significant risks, especially when vendors will have access to regulated or otherwise "protected" data.

For several months, an EDUCAUSE project team has been reviewing and assessing the feasibility of utilizing the Shared Assessments program in higher education. [1] This program, created by the financial industry and managed by the Santa Fe Group, provides a framework comprised of a standardized information gathering (SIG) questionnaire as well as agreed upon procedures (AUP) for evaluating controls against the SIG. Utilizing a standardized questionnaire may provide significant benefits, including reducing the time required to perform an assessment, reducing the time devoted to continually updating proprietary questionnaires, and ensuring the questionnaire used covers all control objectives. The SIG questionnaire is distributed in lite and full versions and contains questions from many security domains. The program has also taken the time to map their questions to the control objectives in many standards and regulations, including ISO 27002, PCI DSS, and COBIT. The Shared Assessment tools are free to use in an unmodified format, and licensing and membership options are available for institutions that want to incorporate the SIG content into their own tools or influence the content of the Shared Assessment program.

If you are attending EDUCAUSE SPC 2011 this week, there are several opportunities to learn more about evaluating vendors, and Shared Assessments as well. Tuesday morning David Escalante, Shirley Payne, Kevin Savoy, and Miguel Soldi will present "Do they measure up? Assessing the security posture of third-party service providers." [2] The online version of the conference will also stream this session. [3] During Tuesday's lunch, Michele Edson of the Santa Fe Group will host a roundtable discussion about Shared Assessments. [4] And finally, a Tuesday evening birds-of-a-feather session hosted by Andrew Korty will discuss the Shared Assessments program. [5]

The project team reviewing the Shared Assessment program is interested in learning how you currently evaluate third-party vendors. Have you developed your own evaluation criteria and questionnaire, or are you using a standardized questionnaire such as those from Shared Assessments or the Cloud Security Alliance? What business units participate in the review process? Has your assessment process been accepted by both your vendors and business units? Has your assessment process produced positive results for your institution? If you are not comfortable sending this information to the open list, feel free to contact me offline to provide feedback.

Additionally, if you are interested in participating in the Shared Assessments project team, please feel free to contact me off-list or talk with Andrew Korty during this week's birds-of-a-feather session at EDUCAUSE SPC 2011.

Thanks,
Jeremy

[1] http://www.sharedassessments.org/
[2] http://www.educause.edu/SEC11/Program/SESS22
[3] http://www.educause.edu/SEC11/PROGRAM/ONLINE
[4] http://www.educause.edu/SEC11/Program/BRK18
[5] http://www.educause.edu/SEC11/Program/BRK13

--
Jeremy Geib, Lead Security Engineer
University Information Security Office
Indiana University
812.856.1599