I came across a Computer World article this morning about "new standards" for doing security vendor assessment. I got all excited for a few minutes until I got to the part about how it's a BITS initiative, but I decided to keep an open mind and do some research on it anyway. After all, I've said all along that I think the goal of having a common vendor score-card would be good for the industry (not to mention that it's a good way to make money for those of us in the scoring business). Needless to say, I was disappointed by what I found.
Overall, I found the FISAP documents on the BITS site to be lacking in specificity (the FAQ, the program overview, etc.) The real "coup de grace" came, though, when I found out that the FISAP program is really (more or less) the BITS outsourcing workgroup with a new name; they've taken the long, vague, and toothless outsourcing documents we've all grown to love and "presto chango" made them into the core of the FISAP program. Seriously, this is from the program overview:
The Financial Institution Shared Assessments Program was conceived by the BITS IT Service Providers Working Group and leverages two groundbreaking outsourcing guides: the BITS IT Service Provider Expectations Matrix, a risk management tool for financial institutions, and the BITS Framework for Managing Risk for IT Service Provider Relationships.
Bummer. I know a lot of people worked hard on these documents, so I really hate downplaying their achievements - but sometimes you just have to say what needs to be said. These documents are painful (I can say this without worry of hurting anybody's feelings, since these documents are all written by committee anyway). They're skillfully worded not to prescribe anything, they state the obvious in the "eat your vegetables" kind of way, and they're incredibly long - they're like the "muzak" of security guidance.
Is that too harsh? Look, time is valuable. A 125-page document that doesn't tell me anything wastes my time. This kind of long, valueless document (nicely worded though it may be) is worse than useless to me. Useless would be if it required a small investment in time to read and provided a correspondingly small value - in that case, the energy spent reading it would roughly equal the value I got from it ("net zero"). "Worse than useless" is when a large investment in time is required (like the time it takes to read 125 pages) and provides minimal value - that's a "net negative" - meaning I would have been better off if I had not read it. If you still think it's too harsh, take a look for yourself - I don't find it valuable, but that's just me...
So how seriously do I think the industry will take FISAP? Maybe about as seriously as they take the BITS certification initiative. As per the BITS site, there are three products certified by BITS in their decade-long history (that's an average of one every 3 years 4 months). Ouch.
Posted by Ed at February 9, 2006 09:18 AM