By Tom Groenfeldt
Whether you are using an outsourcing firm in India or running services remotely or in a cloud, unless you are doing pure science or quantitative analysis, you probably need to meet some regulations on privacy and data protection.
Banking, which was an early user of foreign outsourcing firms and is a heavily regulated industry with strict standards on protecting consumer information, figured out pretty early that it didn’t make sense for every bank using Infosys or Wipro to write its own checklist of compliance rules.
A few years ago, six major US banks, working with the big four accounting firms and the Banking Industry Technology Secretariat (BITS), concluded there is a lot of cost for both banks and vendors if each bank developed its own list, and there definitely was no competitive advantage. They created the Financial Institution Shared Assessment Program and SIG – the Standardized Information Gathering questionnaire. Now, Infosys can fill out a single form to meet the demands of multiple banks, while the banks along with accounting and law firms, can develop a single comprehensive form which users can share.
With version 5.0, the shared assessment program has expanded to cover information security, privacy and business continuity. It has also added an emphasis on the cloud, with 22 new procedures in its assessment tool. The program has also attracted more participants -- something of a no-brainer since the forms are free to download. It now has users in the U.S., Canada, the EU, Australia, India and Brazil.
The new version was designed for companies in financial services, healthcare, telecommunications, retail, manufacturing and other sectors that outsource IT services either domestically or overseas. The Santa Fe Group in New Mexico, founded by a former BITS executive, oversees the project.
According to a statement from the group, “The voluntary standards correspond to a host of new laws and other relevant guidance, including new Payment Card Industry (PCI) standards for financial institutions and requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA). Information security updates correspond with National Institute for Standards in Technology (NIST) SP 800-53 standards (Recommended Security Controls for Federal Information Systems and Organizations) and current Federal Financial Institutions Examination Council (FFIEC) guidelines.”
It continues: “Significant additions were also made to address evolving privacy regulations, including procedures and questions that correspond with the American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) privacy framework, HIPAA, and the Gramm-Leach-Bliley Act.”
About 60 companies participate in the program; the vendor assessments can be downloaded for free once you register.
“The Shared Assessments Program offers a foundation for measuring key aspects of an organization's privacy program,” said Brian Tretick, executive director of advisory services with Ernst & Young. “With Version 5, the Shared Assessments tools offer an industry standard and agreed upon procedures for assessing security, privacy and business continuity programs.” Ernst & Young serves as a technical adviser to the Shared Assessments Program.
Dan Burks, director of vendor risk management at U.S. Bank, said the new version will help control methodology in areas such as privacy.
“Also important to us is the mapping of the tools, which helps us demonstrate compliance with the many financial services industry standards, including ISO 27002, PCI, COBIT and FFIEC,” he said. U.S. Bank, along with five other major financial institutions, is a founding member of the Shared Assessments Program.
Catherine Allen, chairman and CEO of the Santa Fe Group, said the shared assessment program will continue to evolve to keep pace with the demands in privacy, security and business continuity.
“One of the main areas of focus in Version 5.0 is giving companies much-needed tools to evaluate security and data controls in cloud and SaaS environments,” she said.