The most effective solution would be one that accomplishes all seven goals. The solution could be developed in a variety of different environments, say within an existing GRC (governance, risk management, and compliance) tool, or in an Excel document, a Smartsheet, or even simply as a security audit list in Microsoft Word.
It can be accomplished with a method that enables IT departments to collaborate with their peers on their assessment of vendors. The solution should include assessment and assessor peer review, assessment question categorization, rate-and-comment capabilities, and a means to protect vendor security practices while making collaborative assessment information available to the public. This information would give auditors much-needed corroborating evidence to help them understand the risk for each functional control area.
This approach (simplified here for brevity) would also give customers the ability to compare their own results against the established community baseline for each functional control area. That would allow them to draw conclusions related to the efficacy of their own auditors and the relative strength of their assessment process. Additionally, making collaborative assessment information public allows small businesses that don't have sophisticated information security departments to make informed risk decisions when purchasing software.
Everyone from SaaS vendors to potential buyers of every stripe can benefit from increased collaboration and vendor transparency. Implementing a collaborative solution would significantly improve the security assessment process and provide benefits for enterprises, small businesses, and SaaS vendors: IT departments could enable their line-of-business leaders to find and purchase business enablement solutions with confidence, knowing that their data is protected.