Everyone is familiar with the utility of the famous Swiss army knife: a penknife housing several blades and other tools such as files, scissors, and screwdrivers. The Shared Assessments’ Standardized Controls Assessment (previously known as the Shared Assessments’ Agreed Upon Procedures, or “AUP”) is acquiring a similar reputation in assurance circles, as it has been reported to be used not just in countless third party risk assessments to help verify that a particular control exists, but for attesting to an outsourcer’s “in-house” controls as well.
Pivot Point Security’s CISO and Managing Partner John Verry asked me recently on the Virtual CISO Podcast about ways to use the SCA beyond third party risk assessments. In the same manner that Coca-Cola is used by do-it-yourself handymen as an agent to clean chrome and other metals, many organizations are beginning to see the value of using the SCA in the self-assessment process to review their own internal controls and processes.
The reason for this is simple: your organization is very likely a vendor to someone else, and therefore the SCA is incredibly useful in helping to identify and test the effectiveness of key internal controls. The value proposition lies in the fact that as many organizations labor to adopt frameworks or to ensure adherence to certain regulations or guidance, they are finding the SCA’s controls are already mapped or aligned to the most readily referenced frameworks, regulations and guidance: frameworks including ISO, NIST, and COBIT; regulations and laws from around the globe such as FFIEC, EBA, HIPAA, GDPR, and the CCPA; and industry standards such as PCI-DSS.
Additionally, the SCA provides not only these test steps but additional features such as reporting templates, which adds to the value of the tool. Lastly, an organization can have its respective internal teams, such as auditors, IT security, and Human Resources, execute the provided test steps. If the organization would prefer an outside entity to perform this on its behalf, then an external assessment or security firm experienced in adhering to SCA standards must perform the engagement.
The results of following the SCA are unequivocal: it reports control gaps and allows management to make risk-based decisions on mitigating those gaps. By design, no “opinion” is offered.