FISAP and Security Awareness Training


FISAP ("Financial Institution Shared Assessments Program") is a standard process being promoted by BITS, a non-profit industry group representing 100 of the largest financial institutions in the United States.

The process has been designed for use by financial services organizations during the evaluation of IT service providers. The standard currently includes two documents - the Agreed Upon Procedures (AUP) and the Supplemental Information Gathering (SIG) - that can be downloaded from the BITS website.

The key provision of the FISAP Agreed Upon Procedures that relates to security awareness and training is in §3.1:

All employees of the service provider’s organization, and where relevant, third-party users, should be made aware of information-security threats and concerns, and should be equipped to support the organizational security policy in the course of their normal work. Users should be trained in information-security procedures and the correct use of information-processing facilities to minimize possible security threats.

The procedures also specify that the service provider should be able to prove that this requirement has been satisfied by producing an attendance document (electronic or paper) for a number of students that confirms “their attendance at the company’s security awareness training.” It also notes that the security awareness training attendance reports could be maintained in the employee’s personnel file or in a compliance tracking tool (database).
