The Shared Assessments program on Tuesday launched updated versions of its vendor risk assessment tools, which includes additions that can help companies assess the security of cloud computing services providers.
Shared Assessments is a program of BITS, a division of the Financial Services Roundtable, that aims to give organizations a way to streamline the process of evaluating service provider security and privacy controls. The program updates its free tools, the Standardized Information Gathering questionnaire (SIG) and Agreed-Upon Procedures (AUP), every year.
Version 5.0 of the vendor risk assessment tool set includes an enhanced AUP with additional procedures that address application security relative to cloud computing and Software as a Service (SaaS) environments, said Robert Jones, senior consultant at the Santa Fe Group, a consulting firm based in Santa Fe, N.M. that manages the program. Questions relevant to cloud computing and SaaS also have been added to the SIG.
In addition, version 5.0 includes a new tool called Target Data Tracker, which is designed to be used before an audit or assessment to help a company understand where a service provider keeps data. Jones said the tool can help address cloud computing security issues.
"Essentially, the idea of cloud computing is the ability to share systems and capabilities. One of the issues is where that capability is physically [located]," Jones said. "How does a client get assurance that its data and its customers' data is being treated with the care that it needs to be treated with?"
Theconcern over cloud computing security has grown as enterprises' primary service providers are using more downstream service providers and third parties, he said. "As that chain gets longer, the accountability can become more tenuous."
Jim Reavis, executive director and co-founder of the Cloud Security Alliance, a nonprofit that promotes best practices for security assurance within cloud computing, said Target Data Tracker appears to be a promising step, but he added that data location can be complicated in the cloud.
"Many of the data location issues that are fundamental to risk management and compliance can be learned by asking the right questions, so from that perspective the data tracking tool seems to be a step in the right direction. Oftentimes cloud providers lack the transparency in their business and operations needed to answer data location questions, but at the very least we need to agree that transparency is needed," he said. "In some cases, the cloud architectures are so complex that the cloud provider could not tell you where your data is, even if they wanted to."
Reavis stressed that data tracking isn't merely identifying if the cloud provider has a data center in the appropriate geography to serve an organization's needs, but rather the starting point to understanding the provider's information lifecycle management processes.
"For example, does the provider leverage other data center locations, which may be taboo from a compliance perspective, in order to accomplish archiving, disaster recovery and business continuity objectives?" he asked. "We need to be data detectives who 'follow the trail' left by the information as it is managed by the cloud provider."
In addition to the cloud computing security enhancements, version 5.0 updated the Shared Assessment tools to correspond with the National Institute of Standards and Technology (NIST) SP 800-53 standards, PCI Data Security Standard version 1.2, and the latest FFIEC guidelines. The NIST mapping was important to address increased interest from companies that do business with the federal government, said Michele Edson, senior vice president at the Santa Fe Group. Other additions address a host of privacy regulations, including HIPAA and GLBA.
Actual adoption of the tools is difficult to quantify because they are freely available online, Edson said. The program is aware of 300 organizations that are willing to leverage the tools, including outsourcers that use them with their vendors and vendors that provide completed SIGs and AUPs to their clients, she said.
Version 5.0 features a modular approach that is designed to make the SIG easier to use and overcome resistance to its size, Jones said. For example, there are separate, stand-alone modules that address privacy and business continuity, which a company can use on an individual basis instead of the full SIG. Last year, Shared Assessments launched "SIG Lite," a 54-question tool that is now called Level 1.
Matthew Todd, CSO and vice president of risk and technical operations at Financial Engines Inc., a Palo Alto, Calif.-based independent investment advisor, said Shared Assessments "shows significant promise as a means to provide appropriate and sufficient information to clients about a vendor's policies, procedures and controls."
But while the program provides clear value to both vendors and clients -- for example, by providing a consistent methodology for describing control functions -- it may not fulfill vendors' obligations under all regulatory scenarios, he added."For example, the fact that a vendor has had an independent assessment firm use the AUP to perform an evaluation does not mean that it is necessarily meeting all of its regulatory obligations," he said.
"Additionally, those who rely on the results of an independent evaluation would also be well advised to ensure that the controls under review (the scope of the engagement) include all applicable systems, processes or business units that are relevant to the client, similar to the case of a SAS 70, where the recipient should review the control objectives to ensure that they are appropriate and comprehensive," Todd said.
The Shared Assessments vendor assessment tools are available for download on the program's website.