The Shared Assessments Program, the member-driven leader in third party risk assurance, announced that the organization’s Continuous Monitoring Taxonomy subgroup has released “Creating a Unified Continuous Monitoring Cybersecurity Taxonomy: Gaining Ground by Saying What’s What.”
An unprecedented community of Continuous Monitoring (CM) service providers and third party risk experts has been brought together by the Shared Assessments Program for this endeavor. It is understood to be the first such effort to establish standardized commonalities and terms to benefit the global risk management and cybersecurity communities.
The “Gaining Ground” briefing paper is phase one of the two-phase cooperative project led by the Shared Assessments’ Continuous Monitoring working group.
This group has galvanized practitioners from 57 member organizations in the Continuous Monitoring Working Group, as well as non-member CM solution providers in the Taxonomy Subgroup, to establish a common set of terms and standards for identifying, alerting and reporting potential risks.
The unified taxonomy is critical for setting expectations in this field, and lays the groundwork for developing organizational risk frameworks that use continuous monitoring practices in a more flexible and effective manner.
The taxonomy categorizes the types of alert information that organizations can choose to monitor, helping them better understand risk factor terminology.
In this way, the initiative allows CM providers to use a single set of terminology, so that the information collected, analyzed and presented back to their customers is consistent, clear and uniformly structured. This will help all organizations meet due diligence and reporting requirements more effectively and efficiently.
“The challenge we face is that there are many CM firms who are using differing definitions for continuous monitoring alerts, and these alerts can also be very different in the way they are described,” said Charlie Miller, Senior Advisor, Shared Assessments.
“We hope to create consistency across those CM firms to use a similar taxonomy in defining the types of alerts they’re monitoring for cybersecurity vulnerabilities, thereby helping users understand what they’re buying and the risks that are being monitored through those services.
“This effort will assist customers with integrating a CM solution into their own cybersecurity infrastructure and alignment with their risk appetite framework.”
“Continuous monitoring is one of the fastest growing segments of Third Party Risk Management, and a crucial element of both risk management and cybersecurity. Unfortunately, even the best practitioners have struggled against a ‘tower of Babel’ when attempting to ensure consistent practices, policies and reporting structures,” said Bob Maley, Chief Security Officer, NormShield Cybersecurity.
“Between the use of disparate terms to define a factor being monitored, and differing standards for what constitutes monitoring in many cases, the need for a clear and consistent lingua franca has been longstanding. The rapidly evolving threat environment and new regulatory scrutiny make that need newly urgent.”
The unified Continuous Monitoring Taxonomy will improve the effectiveness of continuous monitoring and achieve the following results:
- Everyone benefits from streamlined continuous monitoring processes, through better communication and reduced time and costs for risk assessment efforts.
- Outsourcers can better use their existing risk management resources.
- Monitoring solution providers can more consistently report potential threats to their customers.
- Third Parties can better align with Outsourcers’ control requirements.
- Outsourcers can better understand and act upon the information they receive from monitoring providers.