Information Security Policies and BITS Assessment

The events of 2007 and 2008 have led to an increased focus on governance, security and privacy within the financial services market. One increasingly common scenario is a third-party service provider having its security program validated by the financial institution it serves.

Historically, these audits were based on the BITS framework and have been somewhat painful for both the service providers and the financial organizations because of a lack of standardization. While BITS provided an overall framework, the specific assessment methods and questionnaires varied widely between organizations and projects.

An initiative called the “Financial Institution Shared Assessments Program” aims to bring some order and consistency to these audits. The program was created by BITS and member financial institutions to replace the cumbersome and expensive service provider assessment process. The shared assessments are managed and promoted by the BITS consortium and the Santa Fe Group.

Many organizations that are subject to these assessments discover weaknesses in their written security policies. For example, one of the major BITS/Shared Assessments control areas is “Asset Classification and Control.” Within the guidance for this section, one of the documents that may be requested as evidence is a written Asset Control Policy.

For these organizations, Information Security Policies Made Easy (ISPME) and the PolicyShield Security Policy Subscription can help fill the gaps with pre-written security policies. Using data classification as an example, ISPME provides over 100 pre-written policy statements covering the classification, labeling, and management of assets. It also includes a sample, pre-written “Data Classification Policy” that can be customized with minimal effort.

ISPME and PolicyShield provide pre-written policy-level controls for each section of the BITS/Shared Assessments framework. Organizations can save hundreds of staff-hours by customizing ISPME policies rather than writing them from scratch. Because ISPME is organized around ISO 17799 (renumbered as ISO/IEC 27002 in 2007), there is a straightforward mapping between the BITS requirements and the security policies within ISPME.