2017 Complete Bundle

Price: $8,000.00
Buy the Complete Bundle, which includes the Tools in both the SIG and AUP bundles, as well as the VRMMM, and save $4,000 off the cost of purchasing the Tools separately. Most companies find that utilizing both the SIG and the AUP maximizes the ability to conduct efficient and cost-effective vendor risk assessments.

The 2017 Complete Bundle includes the 2017 SIG, 2017 SIG Lite, the 2017 SIG and SIG Lite Management Tool, SIG Overview, SIG Lite Overview, SIG How To Guide, Sample SIG Scoping Template, 2017 AUP, 2017 AUP Report Template, AUP Overview, 2017 VRMMM and VRMMM Overview.

Bundle Features

2017 SIG

The Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. The robust set of questions within the SIG is reviewed annually, with updates and revisions based on referenced industry regulations, guidelines and standards, including NIST, FFIEC, ISO, HIPAA and PCI. New risk areas are added on a regular basis; End User Device Security, Threat Management and Server Security are examples of some of the more recent additions. The SIG is in Excel format, which should be familiar to most users.

Enhancements to the 2017 SIG include:

  • Addition of a Cybersecurity Guidance overview to provide users with instruction on which questionnaire tabs they would complete to have a view of their cybersecurity preparedness, in keeping with FFIEC’s Cybersecurity Assessment Tool (CAT) and the NIST’s Cybersecurity Framework (CSF).
  • Reduction in tool size and enhanced scoring capabilities based on user feedback and findings from Shared Assessments’ briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.
  • Changes related to industry and regulatory guidance that reflect: HIPAA final rules modifications; NIST’s Cybersecurity Framework (CSF) and companion roadmap; FFIEC IT Handbook reference updates; and PCI DSS version 3.2 standards revisions.

In addition to questions about general information on the service provider, the SIG consists of seventeen (17) risk areas to gather detailed information appropriate to the nature of the services being provided.

These risk areas include:

  • Risk assessment and treatment.
  • Security policy.
  • Organizational security.
  • Asset and information management.
  • Human resources security.
  • Physical and environmental security.
  • Operations management.
  • Access control.
  • Application security.
  • Incident event and communications management.
  • Business resiliency.
  • End user device security.
  • Network security.
  • Privacy.
  • Threat management.
  • Server security.

2017 SIG Lite

The SIG Lite is generally used for third party service providers (the “assessees”) who offer lower risk services, but can also be used as a starting point to conduct an initial assessment of all service providers. Because it is a compilation of all of the high level questions from the detail tabs of the full SIG, the SIG Lite allows a user to get an initial assessment of the service provider’s risk controls. Users have the ability to follow up with the full SIG if additional details about risk controls are required. The Standardized Information Gathering (SIG) questionnaire is developed using top-level questions followed by additional detailed sub-questions that can be used when appropriate. This allows the user of the SIG to obtain detailed information about certain risk control areas. However, there are many occasions where a “high level” assessment of a particular risk control area is sufficient.

2017 SIG and SIG Lite Management Tools

A SIG Management Tool (SMT), included with both the SIG and SIG Lite, has been updated to be compatible with version 2017. The SMT is “backward compatible” and will work with any earlier version of the SIG.

The real power behind the SIG and SIG Lite is unleashed when they are used with the SIG Management Tool. The SMT is a Microsoft Excel, macro-based spreadsheet that leverages the power of the SIG. The tool serves two primary functions:

  • COMPARISON FUNCTION: The SMT will compare a Master SIG, prepared by the issuer/outsourcer, to a SIG provided by the assessee. When executed, the SMT will perform a comparison and provide a report of all responses that did not match. In addition to identifying responses that did not match, the report also includes the value in the Optional Scoring column on the Master, to assist in the prioritization of any responses that require remediation. The report is in Excel format.
  • TRANSFER FUNCTION: The SMT allows either an issuer/outsourcer or an assessee to transfer responses between SIG versions. Older versions may be transferred to newer versions and newer versions may be transferred to older versions. This function allows the issuer/outsourcer to transfer responses from a Master SIG when a new version is released, and allows assessees to transfer responses from a previously completed SIG when a new version is released. In addition, if an issuer/outsourcer receives a SIG that is a different version than that of the Master, the SMT transfer function allows the issuer/outsourcer to transfer the responses from their Master to match the version received from the assessee.
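The two SMT functions described above, as an added illustration that is not Shared Assessments’ code: a SIG is modelled as a dictionary keyed by question ID, the Master carries the Optional Scoring value next to each response, and a hypothetical version crosswalk (old ID to new ID) stands in for the tool’s own version mapping. All question IDs, responses and scores are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mismatch:
    question_id: str
    expected: str        # response on the issuer/outsourcer's Master SIG
    actual: str          # response supplied by the assessee
    optional_score: int  # Master's Optional Scoring value (constructed: higher = more critical)


def compare_sig(master, assessee):
    """COMPARISON FUNCTION: report every response that differs from the Master.

    master:   {question_id: (response, optional_score)}
    assessee: {question_id: response}; an unanswered question is reported as 'Not Answered'.
    Findings are ordered by the Master's Optional Scoring value to help prioritize remediation.
    """
    findings = []
    for qid, (expected, score) in master.items():
        actual = assessee.get(qid, "Not Answered")
        if actual.strip().lower() != expected.strip().lower():  # tolerate case/whitespace differences
            findings.append(Mismatch(qid, expected, actual, score))
    return sorted(findings, key=lambda m: (-m.optional_score, m.question_id))


def transfer_responses(responses, crosswalk):
    """TRANSFER FUNCTION: carry responses to another SIG version via an ID crosswalk.

    crosswalk: {source_id: target_id}. Questions with no counterpart in the target
    version are not silently dropped: their IDs are returned so someone can follow up.
    """
    moved = {crosswalk[qid]: answer for qid, answer in responses.items() if qid in crosswalk}
    unmapped = sorted(qid for qid in responses if qid not in crosswalk)
    return moved, unmapped


# Constructed sample data; IDs, answers and scores are illustrative only.
MASTER_2017 = {"H.1": ("Yes", 5), "H.2": ("Yes", 3), "P.1": ("Yes", 4), "P.2": ("N/A", 1)}
ASSESSEE_2016 = {"H.1": "yes", "H.2": "No", "P.1": "No", "Z.9": "Yes"}
CROSSWALK_2016_TO_2017 = {"H.1": "H.1", "H.2": "H.2", "P.1": "P.1"}  # Z.9 was retired (constructed)

if __name__ == "__main__":
    # Assessee returned an older version: transfer first, then compare against the Master.
    moved, dropped = transfer_responses(ASSESSEE_2016, CROSSWALK_2016_TO_2017)
    for m in compare_sig(MASTER_2017, moved):
        print(f"{m.question_id}: expected {m.expected!r}, got {m.actual!r} (score {m.optional_score})")
    print("no 2017 counterpart, review manually:", dropped)
```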

Using the SIG Management Tool to compare responses

Using the SIG Management Tool to transfer responses

2017 SIG How To Guides

Included with the SIG is a How To Guide, which provides a comprehensive overview of how to get the most out of the SIG and the SIG companion documents, with best practices on how to approach third party risk assessments. The How To Guide provides useful information on all of the different program components and instructions on navigating the SIG, as well as detailed instructions on how to use the SIG Management Tool (SMT). Familiarizing yourself with the How To Guide and following the steps outlined within it will pay substantial dividends when you begin the task of scoping the SIG and preparing your Master SIG(s).

Sample SIG Scoping Template

Because the SIG represents questions for a wide variety of products and services, it is necessary to refine the scope of the SIG based upon the services provided by a specific service provider (or under a specific contract). Prior to using the SIG, it’s important to perform a scoping exercise to determine the services provided by the third party and the risk control areas that pertain to those services. Depending on the outcome of your scoping exercise and your risk appetite, your third party may perform either a subset of the SIG or complete the entire tool.

The Sample SIG Scoping Template provides a methodology to map third party risk factors to specific tabs of the SIG, and the company’s risk tolerance and corporate requirements. An example of the scoping exercise is included. Users may utilize the sample provided by inserting into the document their company’s own risk tolerances.

2017 AUP

The Shared Assessments Agreed Upon Procedures (AUP) is a holistic tool for performing standardized onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool facilitates onsite verification of SIG responses. The content aligns to the Shared Assessments Standardized Information Gathering (SIG) questionnaire. The AUP is customizable to an individual organization’s needs and defines 17 critical risk control areas, procedures and an onsite assessment reporting template, all of which enhance the efficiency of the assessment process.

The AUP uses a substantiation-based, standardized, efficient methodology for onsite assessments that companies can use to evaluate their own controls, as well as those of their third party service providers. Continuous re-evaluation of content and updates ensure that the AUP and other Program Tools cover all of the necessary components of robust third party risk management, so that the AUP remains up-to-date and relevant in terms of best practice and emerging items that are trending towards becoming new best practices.

The AUP evaluates key controls in the following domains of risk management:

  • Risk assessment and treatment.
  • Security policy.
  • Organizational security.
  • Asset and information management.
  • Human resources security.
  • Physical and environmental security.
  • Operations management.
  • Access control.
  • Application security.
  • Incident event and communications management.
  • Business resiliency.
  • Compliance.
  • Network security.
  • Privacy.
  • Threat management.
  • Server security.
  • Cloud security.

Some of the enhancements to the 2017 AUP include:

  • The Tool allows for execution of a Collaborative Onsite Assessment (COA), a unique and pilot-tested capability, with benefits that include consistency, rigor and efficiency.
  • All sections of the AUP have been amended with language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.
  • Industry updates, including: HIPAA final ruling modifications and PCI DSS version 3.2 updates.

2017 AUP Report Template

The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results. The template is a mechanism to track “compensating items” and can be used by organizations that do not have a proprietary enterprise risk platform in place to manage onsite assessments results and reporting. Alongside testing for the specific controls identified in the AUP, the AUP Report Template allows an assessor to include any additional mitigating controls (and accompanying documentation) believed to be relevant to providing a sound control environment.

2017 Vendor Risk Management Maturity Model (VRMMM)

The Vendor Risk Management Maturity Model (VRMMM) is a holistic tool for evaluating maturity of third party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The focus of the VRMMM is to provide third party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices. Because of the VRMMM’s ability to identify specific areas for improvement, this Program Tool allows companies to make well-informed decisions that drive efficient resource allocation and use, and help manage vendor-related risks effectively. Using governance as the foundational element, the model identifies the framework elements critical to a successful program. High-level categories are broken down into components in a manner that makes the model adaptable across a wide spectrum of industry groups.

Enhancements to the 2017 VRMMM include:

  • Modifications to Maturity Level definitions and improved guidance that simplify and clarify Maturity ranking.
  • Addition of an Accountability Tab to assist organizations in assigning responsibility for completion of sections of the VRMMM, allowing users to identify the resources responsible by risk area category.

Become a Shared Assessments Program Member

Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.

They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

Member benefits include:
  • Free access to the Shared Assessments Program Tools.
  • Working on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
  • Participate in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
  • Participants in Shared Assessments committees, projects and special interest groups earn CPE credits while demonstrating risk management and compliance leadership.
  • Join the monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
  • Access to third party risk management training and education, white papers, project documents, and case studies.
  • Discounts on registration for Shared Assessments events and educational workshops.

Reminder: If you have already purchased the Shared Assessments Tools, become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you join within 6 months of your Program Tool purchase.
