Educause Security Discussion mailing list archives

Re: Systems Acquisition and Development standard


From: David Escalante <david.escalante () BC EDU>
Date: Fri, 29 Jan 2010 16:37:55 -0500

We have a document several pages long filled with security questions
that we co-developed with our Internal Audit department a number of
years ago.  It's not something we've shared widely, though.

We are looking at moving to the Shared Assessments tool.  See
http://www.sharedassessments.org/ . I believe it's still free, and is,
to quote the web page,

   "Shared Assessments is a member-driven, industry-standard body that
   injects speed, efficiency and cost savings into the service provider
   control assessment process. Shared Assessments Program members
   <http://sharedassessments.org/members/> work together to eliminate
   redundancies and create efficiencies, giving all parties a
   standardized, consistent, faster, more rigorous, more efficient and
   less costly means of conducting security, privacy and business
   continuity assessments."


Why re-invent the wheel when the financial industry already has a tool?
If we all use the same questionnaire, it also makes it easier on vendors
and suppliers, who don't have to deal with a different set of security
questions from every customer.  While the questions are intended for
service providers, they tend to be OK for internal security as well.
--
David Escalante
Boston College
