Initiatives
Vendor Security Assurance Program Introduction

The CUISPA Vendor Security Assurance Program (VSAP) is a groundbreaking program developed to help credit unions evaluate and manage the risks associated with their third party service providers. The mission of the VSAP is to establish a shared resource, built through industry collaboration, that improves the due diligence process while reducing the costs and burdens currently borne by both credit unions and service providers.

Vendor Security Assurance Program Details

Over the past few years a need has emerged for evaluating the security practices and risks associated with credit union third party service providers. While global standards such as ISO 17799, NIST, SAS-70, and COBIT exist, these standards are often far beyond the scope of many credit unions and their service providers, and are not always applicable to the services in question. The VSAP program provides a set of open security best practices and procedures based on global standards but tailored to financial institution environments and their real-world risks. The VSAP program has been created and maintained through the input of the industry's stakeholders (credit unions, service providers and NCUA). Service providers are cooperatively assessed against a set of recommended security procedures and best practices to evaluate the risk commensurate with their offerings. All credit union service providers are encouraged to apply these procedures within their environment in an effort to provide assurance to the community that their environments and services do not impose unknown risks on the institution and its members.

CUISPA has partnered with the Shared Assessments Program (www.sharedassessments.org), a member-driven, cross-industry standards body that injects speed, efficiency and cost savings into the service provider control assessment process. As an open standard, Shared Assessments is used in a number of industries, and all stakeholders are welcome to provide input on the maintenance and appropriateness of its questions and procedures. A CUISPA VSAP Committee has been assigned to oversee all modifications to the VSAP program and changes to the procedures. The VSAP Procedures are freely available to the industry through the CUISPA website.

The CUISPA VSAP program is not a "certification" process. The common standards are provided to the community as recommended procedures. The program is voluntary and self-policing. Vendors commit to upholding the recommended standards. Those that agree to implement the procedures will be recognized by inclusion on the publicly available CUISPA VSAP Program List.

Vendors may additionally choose to undergo a third party audit by a qualified assessment firm. As an addendum to their existing security assessment, this can be accomplished for a minimal cost to the vendor. A VSAP audit will generate reference documentation that provides details on how their environment complies with the VSAP standards. The vendor retains this documentation for simple, discretionary distribution to customers and prospects, dramatically improving the efficiency of current due diligence. A VSAP audit provides additional recognition for leading vendors by notation on the VSAP Program List: if an audit has been performed, the date and assessment firm will appear next to the vendor's name on the list. This additional notice will remain for one year from the date of the audit, and annual audits are required to maintain that status on the list. Vendors that are found to be out of compliance with the standards will be given a reasonable term to address deficiencies; vendors that do not comply within this term will be removed from the list.

Shared Assessments SIGv5.0

The Shared Assessments Standardized Information Gathering questionnaire, or "SIG", can be used to obtain required documentation and establish a profile of operations and controls for each control area, yielding verifiable information for each one. When used as a standalone document, the SIG provides the information the outsourcer needs to evaluate the security controls the service provider has in place.

Shared Assessments AUPv5.0

The Shared Assessments Agreed Upon Procedures, or "AUP", provides objective and consistent procedures that are performed on each of the control areas. Procedures address control objectives in security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and compliance. Procedure outcomes enable organizations to view results in the context of industry risk management and regulatory requirements.

When the SIG and AUP are combined, outsourcers have both the service provider's assertions of implemented controls and verifiable evidence that the controls exist. This assists the outsourcing organization in better identifying risks, complying with regulatory requirements, and reducing inconsistencies in the evaluation of information received from service providers.