The Standardized Control Assessment (SCA) is customizable to an individual organization’s needs and defines 18 critical risk control areas, procedures and an onsite assessment reporting template.
The Shared Assessments Standardized Control Assessment (SCA), formerly the Agreed Upon Procedures (AUP), is a holistic tool for performing standardized verified (onsite or virtual) risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool validates SIG responses, and its content aligns to the Standardized Information Gathering (SIG) questionnaire.
The SCA is a holistic tool for onsite assessments of cybersecurity, IT, privacy, data security and business resiliency controls in an information technology environment.
SCA + SIG + VRMMM
The Complete Bundle includes the SIG and SCA bundles, as well as the VRMMM.
Become an Assessment Firm Member
Assessment Firm members use the Shared Assessments onsite assessment tool, the Standardized Control Assessment (SCA), to perform assessments for organizations that need independent validation of their vendors' risk controls.
The SCA evaluates controls in the following risk domains:
- Risk assessment and treatment
- Security policy
- Organizational security
- Asset and information management
- Human resources security
- Physical and environmental security
- Operations management
- Access control
- Application security
- Incident, event and communications management
- Business resiliency
- Network security
- Privacy
- Threat management
- Server security
- Cloud hosting
2018 SCA Bundle Enhancements:
The tool is now called the Standardized Control Assessment (SCA) procedures, to better communicate its function and its alignment with the SIG questionnaire.
Content Reorganization and Updates:
- SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.
- The SCA and the SCA Report Template have been re-organized to align more closely with the SIG. The updated tool can be used for onsite or virtual assessments. All changes to content, including the reorganization of section information, use language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements.
- Section A. Risk Assessment and Treatment procedures have been added, written for brevity and clarity.
- Section I. Application Security subsections were added to more closely align with the SIG.
- Section K. Business Resiliency was updated for the current threat environment and recovery planning best practices.
- Section P. Privacy was updated for current privacy rules, including GDPR and domestic regulatory updates.
- Section U. System Hardening Standards were updated to reflect new industry best practices.
- Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
Question sets have been updated to reflect changes to industry and regulatory standards, including:
- New York State Department of Financial Services (NYSDFS) 23 NYCRR 500. This first-in-the-nation cybersecurity regulation went into effect March 1, 2017. Alignment with this regulation is in keeping with the tool's intent of assisting members in affected industries in identifying their risks and determining their third party program maturity relative to standards and regulations.
- European Union (EU) General Data Protection Regulation (GDPR) 2016/679. These rules go into effect May 25, 2018 and place stringent new requirements on how controllers (i.e., outsourcers) may appoint and monitor processors (i.e. third party providers). Tab P. Privacy, reflects these changes. The Privacy Committee updated both the SIG and the SCA to address multiple privacy jurisdiction rules, including GDPR.
- Open Web Application Security Project (OWASP) Top Ten 2017 (Release Candidate 2). The 2017 OWASP release updates are included in Section I. Application Security. The OWASP list identifies the most critical web application security risks and can be used as input to application security standards. Note that "Insufficient Attack Protection", proposed as a major addition in the first 2017 release candidate, was dropped from RC2 and does not appear in the final 2017 Top Ten, which instead added XML External Entities (XXE), Insecure Deserialization and Insufficient Logging & Monitoring.