May 8, 2020

Last Updated on January 18, 2024


For organizations of all sizes, one of the top information security challenges from COVID-19 is dealing with escalating third-party risk. If vendors handle your critical data, how are remote working, key staff out sick and the other recent changes those vendors are facing affecting your information security posture? If you’re a service provider, what do your customers need to know about how you’re handling these issues, and how can you give them peace of mind at a time when your resources are stretched to the limit?
To address these widespread issues, an increasingly popular option for SMEs is the Standardized Control Assessment (SCA) from the Shared Assessments Program. Designed to support a wide range of scopes, the best-practice SCA can be affordable, relatively quick to execute and detailed enough to meet high standards of scrutiny.



To bring you a full explanation of the SCA, its use cases and its benefits for SMEs, a recent episode of The Virtual CISO Podcast features Tom Garrubba, VP and CISO for the Shared Assessments Program, talking with host John Verry, CISO and Managing Partner at Pivot Point Security, a long-time Shared Assessments Program member.
One of the biggest advantages of the SCA for SMEs is how comprehensively it tracks emerging risks and regulations, so that assessments can stay up-to-date with considerably less effort on your part.
John notes: “One of the things I thought was really good about the SCA is that it’s advanced quite a bit over the past couple of years. You’ve added some really good content to address what I would refer to as emerging risk: privacy, a little bit more on cloud, a little bit more on the software development lifecycle methodology.”
Tom replies: “When we get word of new regulations or consultation papers… or some other regulatory body puts things out for comment, it helps to get us a jump as to what should be included in the latest release of the [SCA] tools.
“It’s our members that drive it. … We’ve had our largest banking members say to us, ‘We need to be aligned or tied into the monetary authority of Singapore.’ So we bake that into the program… And we do that constantly. … We have a SIG committee that gathers this information from members and other folks who say, ‘Hey, here’s something we’d like to see.’”

As a result, the SCA and other Shared Assessments tools are gaining a growing following in the UK and the European community, especially in financial services.

“If you put this in upfront, that’s what helps people,” Tom relates. “Because usually when you get into a regulated environment, they’re coming off right at you and saying, ‘… Is this mapped to this particular regulation? Great. This is what I need, because that’s what the regulators are going to want to see. That’s what my auditors are going to want to see.’”
This careful tracking of the evolving risk and regulatory landscapes is good news for SMEs, which benefit directly from the up-to-date guidance.
“The beautiful thing about if you’re using a tool like yours as a basis of your vendor risk management program, that all comes along for free,” observes John. “It’s not like you need to keep up on what I should be asking somebody. What are the emerging risks? What are the emerging regulations that I need to be cognizant of? You guys are taking that for them…”
For SMEs and other organizations that need to comprehensively assess information security risk in an efficient and standardized manner without significant dedicated resources, the SCA can offer a lot of value with lower cost and time hurdles compared with alternatives.
To find out everything you ever wanted to know about the SCA, listen to the full episode (and some other equally great podcasts) here. If you don’t use Apple Podcasts, you can access all our episodes from The Virtual CISO Podcast here.