Updated for 2015: Tools Designed to Manage Third Party Risk

Shared Assessments Program Tools Empower Vendor Management Confidence

January 22, 2015

5 Min Read


Santa Fe, NM — January 20, 2015 — The recent flood of high-profile data breaches and an avalanche of new regulations are in the spotlight for 2015. Doing business in an outsourced economy requires organizations to implement robust, tested strategies and processes, with tools to evaluate vendor risk and manage the security of sensitive data that is accessed or used by third parties. Newly updated for 2015, the Shared Assessments Program Tools—the Standardized Information Gathering (SIG) questionnaire; Agreed Upon Procedures (AUP), a tool for standardized onsite assessments; and Vendor Risk Management Maturity Model (VRMMM)—help companies ensure their vendors’ data management security controls and practices are rigorously tested and are in line with their data security practices and standards. These Tools allow risk professionals to rigorously assess and manage third party controls to evaluate IT, privacy, and data security risks, including software application security, Cloud, mobile, and fourth parties.

The Shared Assessments Program Tools are designed for risk management leaders to effectively manage the critical elements of the vendor risk management lifecycle. Together, the SIG and AUP offer a “trust, but verify” approach to conducting third party assessments. Built by Shared Assessments members representing financial services, insurance, brokerage, healthcare, retail, and telecommunications, the Shared Assessments Program Tools are based on international, federal, and industry standards in order to ensure sensitive outsourced data—such as personally identifiable information (PII) and protected health information (PHI), intellectual property, and financial information—is protected. The standards include ISO-27001/27002, PCI DSS, HIPAA/HITECH, COBIT, NIST, Federal Reserve, Office of the Comptroller of the Currency OCC-2013-29, and FFIEC guidance.


Collaborative Efficiencies in Today’s High Risk Environment

“Our Tools empower risk professionals to move from risk management to risk assurance,” said Robin Slade, executive vice president and chief operating officer, The Santa Fe Group. “Our members are faced with complex oversight of third parties and look to the Shared Assessments collective community for innovative and tested approaches and best practices to create efficiencies and cost savings in vendor management. With these updates, the Shared Assessments Program Tools now offer greater assessment depth; can be leveraged by competent internal staff or independent assessment firms; and can be used internationally. Top-tier financial services organizations are now using our Program Tools to conduct collaborative onsite assessments with collective third party vendors creating an efficient, and robust methodology to significantly lower the costs for both organizations and their vendors.”


2015 Program Tools Meet the Needs of Risk Managers

The following updates are included in the 2015 release:

The Standardized Information Gathering (SIG) Questionnaire:uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment. It provides a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to SIG 2015 include alignment with OCC Guidance 2013-29; updates and consistency with the new ISO-27001/27002, and PCI DSS v.3.0; layering with the NIST Cybersecurity Framework, and updated questions to stay abreast with all current federal and industry regulations, standards, and guidance.

Additionally, for organizations looking to become PCI or ISO compliant, the SIG 2015 provides users with the capability to perform self-assessments to help ensure the necessary requirements to become certified are met.

The Agreed Upon Procedures (AUP), the Standardized Testing: Procedures of the Shared Assessments Program, is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. It provides objective and consistent procedures to evaluate key controls, reducing or eliminating the need for onsite assessments. For 2015, updates to the AUP include extensive sections on Cloud Security implementations and Software Application Security; tighter integration with the SIG, including the addition of Employees Agreements, and Business Insurance.

The Vendor Risk Management Maturity Model (VRMMM): incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the VRMMM include updates to align with the OCC-2013-29 guidance and improved scoring.


Pricing and Availability

The updated Program Tools are available now to all Shared Assessment Members and are included in the annual membership fee. Membership provides opportunities to deepen vendor risk management expertise through members-only meetings, events, teleconferences and regular cross-industry working groups that discuss best practices, new standards and guidelines, and the regulatory climate.

Non-members can purchase the Shared Assessment Tools either as a bundle or separately by visiting https://sharedassessments.org/store/.

“Third party risk management is a priority for industry executives and as a result, the Shared Assessments Program will continue to be at the forefront of third party risk trends, helping companies stay on top of emerging risks and regulatory requirements,” said Tom Garrubba, MIS, CISA, CRISC, CIPT, CTPRP, senior director, the Santa Fe Group and Shared Assessments Program. “The education gained through participation in our Program will help foster internal and board-level conversations on the importance of managing third party risk.”


About the Shared Assessments Program

The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at http://www.sharedassessments.org.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights