BITS Shared Assessment Services

If you outsource services to service providers, and personally identifiable information (PII) has been entrusted to you to store, process or transmit, you must provide sufficient oversight of those providers to determine whether they have the proper controls in place for security, privacy and business continuity.

If you are a service provider delivering services that involve storing, processing or transmitting personally identifiable information, you are no doubt being asked to complete a variety of questionnaires so that clients can evaluate the controls you have in place for security, privacy and business continuity. In some instances you are also being asked to undergo a SAS 70 audit.

The service provider control evaluation process has been inefficient and costly. Outsourcing organizations develop and distribute proprietary questionnaires to their service providers. Service providers then spend valuable resources responding to multiple, inconsistent client requests, which causes delays and often results in costly on-site audits.

The BITS Financial Services Roundtable, together with the Big 4 accounting firms and key service providers, developed the Shared Assessments Program, formerly known as the Financial Institution Shared Assessment Program (FISAP). BITS Shared Assessments offers a standardized approach to evaluating vendor controls for security, privacy and business continuity. By using the Shared Assessments tools, outsourcers, service providers and assessment firms save time, resources and money by reducing redundancy and increasing efficiency in the vendor control assessment process.

There are five sets of questions; one or more may be required depending on the level of risk and your requirements.

  • Standardized Information Gathering (SIG) Questionnaire: Outsourcers use the SIG as a default questionnaire to streamline vendor assessments. For vendors, the SIG provides a repeatable response to the proprietary questionnaires they receive from clients.
  • Level 1 Questionnaires: Use the SIG Level I questions for new service providers and other appropriate relationships (typically low to moderate risk) as indicated by your risk model.
  • Level 2 Questionnaires: Use the SIG Level II questions for appropriate service provider relationships according to your risk model (typically medium to high risk).
  • Business Continuity Questions Only: Use the SIG Business Continuity questions to assess the adequacy of a vendor's recovery capabilities.
  • Privacy Questionnaire: Use the SIG Privacy questionnaire for service providers where you need to understand the provider's adherence to certain privacy frameworks and controls. Note: the privacy questionnaire does not cover information security; if that information is needed, it should be obtained from the full SIG.
  • Agreed Upon Procedures (AUP): Assessment firms use the AUP to perform objective and consistent service provider evaluations. Service providers use AUP reports to provide consistent information to a range of clients and to reduce or eliminate the need for on-site audits. Service providers may also use the AUP to perform self-assessments of their procedural controls for security, privacy and business continuity.

How Can Sword & Shield Assist Outsourcing Organizations and Service Providers?

Sword & Shield uses the Agreed Upon Procedures (AUP) to perform objective and consistent service provider evaluations.

If you are a service provider who has not satisfactorily completed the Standardized Information Gathering Questionnaire (SIG), we can help you understand the gaps and make recommendations for remediation to meet the requirements. For example, if you provide services to financial institutions, we can help you understand regulatory requirements such as FFIEC, HIPAA or FTC Red Flags and how they apply to service providers.

If you are an outsourcer and wish to use the SIG as a default questionnaire to streamline vendor assessments, we can help in two ways.

  1. If you have not yet used a risk-based approach to assign risk levels to your service providers, Sword & Shield can assist you through our Risk & Compliance Shield™, either as a standalone service or as part of an overall risk-based approach to becoming compliant and secure.
  2. Sword & Shield can provide Compliance Central, powered by SecureWorks, a portal for tracking all of your service providers' progress toward compliance with the SIG. We can also work directly with your service providers to satisfactorily complete the requirements identified in the required questionnaires using the latest AUP.

Find Out More

Sword & Shield has been outsmarting cyber-criminals and improving security for enterprises around the world since 1997. Fill out our Consultation Request form or contact us by phone so we can begin securing your future.

U.S. Toll-free: 800-810-1885

International: 865-244-3500
