This is a great question. If you are looking to perform your assessments on your vendors in house, I would suggest the following resources to get a baseline knowledge. There is training out there at every price point and every experience level. Here are some that I would recommend depending on what you are looking to learn. Generally speaking, you want to be a SME in the areas you are assessing, not necessarily a SME of assessments.
- Cybrary - This is an online training tool that has training courses spanning a large amount of topics. They have some free trainings as well as paid. The cost of membership is pretty low in comparison to many others, so it's a solid choice to get on-demand trainings in multiple areas that pertain to Information Security, including general IT and BC/DR.
- For more advanced Business Continuity training - DRI International is the go to for DR and BC training. Their training is geared towards BC/DR Professionals but in reality, in order to truly assess a Vendor's BC/DR plan you need a pretty solid understanding of what it should entail and what orgs should be doing so its recommended for a BC/DR professional or someone with solid experience be the one to perform those types of assessments.
- For SOC assessments - Venminder has a comprehensive How to Read and Review a Vendor SOC Report: A Report Walkthrough webinar here and a CUECs webinar here that I strongly recommend to all my clients or prospects. I present this webinar annually and it's also offered on demand. It really does lay out the most important things to look for in a soc report and why they are important. We also have the same for Cybersecurity which is coming up live on October 24. You can register here.
- For controls, I also recommend the FFIEC Cybersecurity Assessment Tool (FFIEC CAT). This has not been maintained in the last few years and will be sunset by the FFIEC in 2025, but it is a great tool to help you determine WHAT to assess based on your vendors maturity/risk. It's a solid starting point. The FFIEC is a great resource even if you are not in the financial industry. You can also utilize the NIST website, Referencing the NIST Cybersecurity framework, common controls etc is a good place to start if you are familiar with that level of technical reading. Venminder also has a good article on implementing NIST TPVM standards which can be found here.
You can also peruse Venminder's education library. There are so many great webinars and publications to walk you through this process, they are all free and most are available on demand. I hope this helps and would love to hear from other members if there are more resources you recommend.
Original Message:
Sent: 09-16-2024 04:13 PM
From: Matthew Audette
Subject: Training for SOC, IT, BC Assessments
Hello,
My financial institution is looking to complete SOC, IT and BC assessments in house and I wanted to see if anyone knew of any good trainings to perform these?
I'd appreciate any information
Kind regards,
Matt
Matthew Audette | BSA Officer
Pioneer Valley Credit Union