top of page

Brian Lane

Senior Director | RSM

Brian is a part of the leadership group working to reengineer RSM’s TPRM service offering. He also leads Internal Audit’s assessment of vendor oversight practices for a large northeastern payments organization. Previously, Brian built the cybersecurity portion of BNY Mellon’s overall, revamped Third Party Governance (TPG) program, developing their risk scoring/third party characterization approach, due diligence procedures, issue management process, report format, and contract requirements.

The TPRM Community Should Adopt OSCAL

Day 2 | Track 2 | 2 - 2:50 PM

The Open Security Control Assessment Language (OSCAL) could significantly change how we assess third party security controls.


OSCAL takes current human readable control information and uses newer quasi-English programming languages (XML, JSON and YAML) to create standard formats that are both human and machine readable.

Developed by the groups behind the federal government’s FEDRamp program (Control requirements, testing and approval for cloud service providers selling services to federal agencies) automates the process of assessing internal controls.

While aimed at the government space for cloud services, OSCAL is following the pattern of other government created standards that have been embraced by commercial companies such as the CVE software vulnerability database, NIST standards such as 800-53 and the AES encryption standard.

OSCAL could have a profound impact on TPRM and those in this space need to identify means of leveraging its potential.


bottom of page