How to Find Consistency Working with Third-Party Security Assessment Firms

Casey Wassom, Senior Manager, IT Compliance Services

A common challenge with professional third-party security assessments is the inconsistency and variation found within the process. The type of assessment an organization might experience can vary greatly between different third-party firms performing these assessments.

Even an organization working with a single third-party firm to perform a recurring annual assessment might have a vastly different experience from one year to the next, solely based on the assessor assigned to the project.

There are three main factors to consider in how your assessment firm helps your organization receive a consistent, quality experience through your assessment:

  • Interpretations of security assessment standards
  • Knowledge and skill of the assessor
  • Use of tools

These factors are common to all types of professional service firms where the product delivered is the expertise of the professionals assigned to the engagement. Inconsistency in the practice ultimately results in a varying range of rigor, accuracy, and overall quality within the service provided.

Consider how each of the following factors affects your own external assessments and how improvement in these areas might bring greater quality and efficiency to your control environment.

Interpretations of Security Assessment Standards

All audit and security standards are issued by a governing body, such as the:

  • National Institute of Standards and Technology (NIST)
  • International Organization for Standardization (ISO)
  • American Institute of Certified Public Accountants (AICPA)
  • Federal Risk and Authorization Management Program Joint Authorization Board (FedRAMP JAB)
  • Payment Card Industry Security Standards Council (PCI SSC)

These governing bodies are responsible for defining the requirements and guidelines that are to be adhered to within a particular standard.

One security assessment firm might interpret any given requirement or control within a standard completely different from another firm. This division of understanding and interpretation can be found even among different assessors within the same firm. Varying interpretations of the standard can lead to confusion, quality issues, and an overall poor experience when working with an assessor.

How Can Assessment Misinterpretations Be Avoided?

Using all available guidance provided by the governing body can help provide clarity when a discrepancy on requirement interpretation arises.

Additionally, an assessment team who frequently collaborates on challenging scenarios can often draw from a larger pool of knowledge and arrive at a more accurate conclusion in line with the intentions of the governing body. Results of these discussions should be documented to promote a consistent approach for all clients when similar scenarios or questions arise.

Additional Resources

Resources that come from these governing standard bodies are typically not limited to just the general audit standard used to perform the assessment.

To use PCI as an example, there are ample resources the PCI Standards Security Council (SSC) provides to aid assessors in performing their work and increase the level of understanding of the defined requirements within the general standard.

These include:

  • Monthly FAQs
  • Guidance documents on relevant topics from within the standard
  • Quarterly assessor webinars
  • Annual conferences

It’s critical for all assessors to be actively monitoring for and familiar with these updates and publications to align their own understanding with the intentions set by the standards bodies.

Organizations being assessed can also do the same to ensure they understand all guidance provided. An organization can challenge their assessor any time a disagreement is present regarding the approach taken on how to address a particular requirement. An organization should also ask for supporting guidance from their assessor on how the approach was determined and is supported by all available guidance provided by the standards body.

Knowledge and Skill of the Assessor

Ultimately, the experience and quality of your assessment will be determined by the firm and individuals you select to work with. The knowledge and skill of an assessor in any field of work is greatly impacted by the environment in which they learn and operate, and the tools they have available to them. As such, consider how an assessment firm supports and promotes quality from its professionals.

Assessors provide a quality product as they guide their clients through a well-established project roadmap constructed by the firm they represent. This roadmap should be built with a standardized methodology, templates, open internal and external collaboration, and sufficient internal training and support so each project is delivered with a consistent, quality experience.

Standardized Methodology

Project execution should start by defining all milestones and tasks to be completed for the duration of the project. These milestones and tasks make up part of a firm’s assessment methodology and should be transparent to all parties involved on the project. Assessors must strictly follow this standardized methodology to deliver a consistent experience for every project they support.

Templates

It’s common for assessors to request evidence to determine the presence of controls in a language abstracted from the applicable requirement. Using a baseline of templated requests and supporting workpapers reinforces completeness and accuracy of all client requests made and reviewed on each engagement.

Internal and External Collaboration

Depending on the size of a project, an engagement might be supported by one or multiple assessors. Collaboration within the project team and the greater team as whole is paramount to the delivery of a project. This is especially true when challenging questions or situations arise.

The same is true for communication between the assessor and the organization. All projects should include quick, free-flowing communication via frequent status meetings, instant messaging tools and individual task notes shared between the assessors and the organization.

Internal Training and Support

All assessments should be performed, or at minimum, actively supported by a qualified individual experienced in the scope of the work being performed. This not only helps improve the quality of the assessment delivered, but also assists additional team members in being properly trained.

Use of Tools

A project can only be as successful as the tools used to support it. Inefficient tools create many challenges. Most notably, they can:

  • Require more time and effort to perform a task
  • Lead to inaccuracies of activities performed or data captured
  • Lack insight into the key details of the project

There are several tools assessors can utilize in collaboration with all stakeholders on the project to provide increased efficiencies. These tools will differ depending on the type and scope of the project being performed. Some examples include the following.

Workflow Platform

A workflow platform is helpful in outlining tasks to be performed and whose responsibility it is to perform them at various stages throughout the project.

This platform can be used by both the assessing firm and the assessed organization to help standardize requests, exchange evidence, communicate on individual tasks, and monitor real-time status of a project.

Instant Messaging Platforms

The ability to have open communication between all parties involved throughout an engagement can help provide easy, free flowing collaboration anytime a question or issue arises.

These communication channels can also be kept open during assessment off-cycles to promote discussions of questions or changes that might occur and affect future assessments.

Wiki

An effectively documented Wiki standardizes engagement processes and testing practices for a team. It helps establish and support consistent approaches to common or uncommon tasks performed among team members. It provides a place to offload institutional knowledge and standardize it across a process or team.

We’re Here to Help

Finding an assessment firm that’s right for you can help maintain accuracy in results and streamline your assessment process. If you have specific questions about PCI compliance and our assessment capabilities, reach out to your Moss Adams professional.

Additional Resources

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

Why Existing Compliance Programs Won’t Always Protect You from IT Risk
Prepare for Third-Party Risk Management Challenges
The Many Benefits of Including IT Control Testing in Audits

Contact Us with Questions

Enter security code:
 Security code