BITS Shared Assessments – Useful or Not

Posted: August 7, 2009 in Policy and Compliance, Risk Assessment, Security Governance, Security Program Development

What do you think? Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?

I recently attended the 2nd Annual BITS Shared Assessments event in Chicago. http://www.sharedassessments.org/

I found the event driven mostly by product vendors, a few assessment firms, and some representation from the banking industry. Around the time of the event I also delivered an engagement using the methodology, and based on the conference and that delivery I have the following comments.

  1. Many assessors are using older versions of the SIG and still have not adopted 4.2.
  2. Product vendors have incorporated many of the features and appear to be pushing the solution the hardest.
  3. The current AUP and SIG are fairly decent, but the overall solution still needs to mature greatly. I found that several of the AUPs were incorrect or missing. I have yet to consolidate all my comments; however, I emailed the main contact listed on the site. Currently comments are submitted one by one. I don’t want to enter them one by one, so I haven’t submitted them, and I’m still waiting for a response after several weeks.
  4. The effort required for scoping and delivery is underestimated. My experience shows that you will have to set strict guidelines on the number of follow-up conversations and a cut-off date for evidence. Otherwise the assessed entity will keep trying to justify that it has the appropriate controls in place.
  5. There are plans for mapping to other compliance regulations. I have many more comments about this solution, but mostly I’m seeing customers use only the SIG Lite or SIG Level 2.

I see this as holding a place in the third-party assessment realm for an organization. I’m wondering: is anyone else using the Shared Assessments? What are your thoughts? Will this solution grow and be used like PCI even though it doesn’t have the formal backing that PCI has?
