Member Projects
Shared Assessments’ primary mission is to build reliable, comprehensive and easy-to-use tools to rationalize the vendor assessment process. As a consortium of national and international organizations, Shared Assessments members understand the importance of comprehensive standards for managing risk.
Shared Assessments also offers opportunities for members to address global risk management challenges through its working groups and committees. In some cases, nonmember participation is allowed. Read more about these groups in this section, or contact Joyce Crawshaw to learn more about how your organization can get involved.
ANSI PHI Project
Organizations are struggling with two key concerns today: how to protect patient health information and how to better understand the financial harm caused when protected health information (PHI) data is breached, lost or stolen. Led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA), this project was created to promote greater clarity on these issues so that the healthcare industry can:
- Make better investment decisions to protect PHI
- Improve its responsiveness when patient information is compromised
The report was authored by more than 100 experts from data security companies, identity theft protection providers and research organizations, legal experts on privacy and security, standards developers, and others, who worked to develop a formula that healthcare organizations can use to determine the economic impact of any disclosure or breach of protected patient data.
This free report includes PHIve—a 5-step method to assess specific security risks and build a business case for the appropriate level of investment needed to safeguard PHI.
A free download is available at http://webstore.ansi.org/phi
Rick Kam, president and co-founder of ID Experts, chaired the PHI Project. The initiative was made possible through the generous support of these organizations:





Cloud & Mobile Data Security Working Group
The Shared Assessments Program began addressing cloud computing in 2009, when members added six new procedures to its on-site assessment tool (the AUP) and inserted cloud-relevant questions into several sections of the Shared Assessments questionnaire (the SIG). In 2010, the Shared Assessments Cloud Computing Working Group published Evaluating Cloud Risk for the Enterprise: A Shared Assessments Guide. In 2012, questions related to these controls were added to Version 7.0 of the SIG.
The Group will continue to expand on last year’s Cloud controls by further examining Cloud Service models such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). In addition, there will be a new focus on mobile end-user access models. This will include evaluating the growing trend of workers accessing business data from personal devices, and will cover Mobile Device Management (MDM) and Bring Your Own Device (BYOD). Participation in this Working Group is an excellent opportunity to help create enterprise security standards in an ever-changing distributed security landscape, as well as an opportunity to network with your peers and share practical experiences.
The Cloud & Data Security Working Group is led by Niall Browne, CISO with LiveOps. Contact us for more information about participating in this group.
Communications Committee
The role of the Communications Committee is to promote industry awareness of the Shared Assessments Program. Its efforts will include a focus on:
- Identification and development of industry alliances
- Effective use of social media to promote Program awareness
- Identification and development of speaking opportunities for members to address Program issues
- Increasing the awareness of the Program with regulatory agencies
The Communications Committee reports to the Shared Assessments Steering Committee and is led by Linnea Solem, Chief Privacy Officer and Director of Business Risk and Privacy Management with Deluxe Corp. Contact us for more information about participating in this group.
Development Committee
Mission
The mission of the Development Committee (“DC”) of the Shared Assessments Program is to ensure that the Shared Assessments Program standards are relevant and thorough, responding to a range of new and emerging US and international guidelines for privacy, information security and business continuity. DC members meet regularly throughout the year, working together to carefully review and update the Shared Assessments Tools (the SIG and the AUP) and to work on special projects.
Who Serves on the DC?
DC members are risk management leaders from a range of industries. They are information security officers, privacy officers, and other subject matter experts who are motivated to help build and sustain Shared Assessments’ rigorous standards. DC participants include experts from the Big 4 accounting firms (Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers), which serve as Technical Advisers to the Shared Assessments Program.
DC members play an important leadership role in the Shared Assessments Program. DC membership offers:
- Participation in a global community of risk management and information technology professionals
- Professional development opportunities
- Collaboration with industry peers on challenging issues in information security, privacy and business continuity
Current DC Initiatives
SIG Working Group
- Expand mapping of SIG questions to a broader range of industry regulations and guidelines
- Evaluate the need for enhanced questions related to subcontractors
- Consider the development of a mid-level SIG or “beefed up” SIG Lite
- General question review and evaluation
AUP Working Group
- Add SIG Cloud Computing content to AUP
- Consider the development of a “Baseline” AUP
- Develop business value proposition and strategy for AUP
- Consider the ongoing development needs of the AUP and AUP Report Template
Special Projects – The DC is pursuing a number of special projects. These include:
- Development of a Vendor Maturity Model
- Development of a White Paper on best practices for Corporate Social Responsibility as it relates to vendor selection and vendor risk management
The Development Committee is led by Brad Keller, Shared Assessments Program Director. Contact us to learn more or to ask to participate in one of the Development Committee’s Working Groups or Special Projects.
Education Committee
The focus of this Committee is to expand both the scope and type of education and training on the Program Tools and on their use in an effective vendor risk management program. Work areas include:
- Development and delivery of workshops and events
- Online training and educational materials
- Program Tool guides and instructional materials
The Education Committee reports to the Shared Assessments Steering Committee and is led by Tom Garrubba, Technical Assessments Group Manager with CVS Caremark. Contact us for more information about participating in this group.

