SIG 7.0 Bundle

Price: $3,500.00

The SIG 7.0 Bundle includes the full SIG, SIG Lite, the SIG Management Tool, and the How To Guide.

The Standard Information Gathering (“SIG”) Questionnaire contains a robust yet easy-to-use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment. The SIG questions are based on referenced industry standards (including, but not limited to, FFIEC, ISO, COBIT and PCI), and in addition to assessing a third party’s environment, can be used by a company to self-assess its own control environment. The SIG is in an Excel format, which should be familiar to most users.

In addition to questions which gather more general information about the vendor, the SIG consists of fifteen (15) detailed sections which gather detailed information as appropriate to the nature of the services being provided. These sections include:

  • Risk Management
  • Security Policy
  • Organizational Security
  • Asset Management
  • HR Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Incident Event and Communications Management
  • Business Continuity and Disaster Recovery
  • Compliance
  • Privacy
  • Cloud Computing
  • Documentation
  • Additional Questions

Version 7.0 of the SIG has been improved to include a tab for assessing Cloud Computing risk and an enhanced Privacy Tab. The inclusion of the Cloud tab makes the SIG the first assessment tool to provide a comprehensive assessment of all current IT service provider risks. An important element of the Cloud tab is the fact that questions are cross referenced to the Shared Assessments Cloud Computing White Paper to enhance the user’s ability to understand how the questions were derived, and how they fit into the evaluation of overall cloud risk. Enhancements were also made to the Privacy Tab in V 7.0 to provide a closer focus on the vendor’s privacy responsibilities relative to their contractual obligations. Privacy questions have also been expanded to include HIPAA/HITECH and cross-border issues.

SIG Lite

The SIG Lite consists of a subset of questions duplicated from all of the detail tabs found in the full SIG. This questionnaire is generally used for vendors who offer lower-risk services, but can also be used as a starting point to conduct an initial assessment of all vendors. These questions, when answered, provide a high-level view of the controls at the Responder’s site(s).

The SIG Lite also exists as a tab in the full SIG. So, if you think that you may need to use both the Lite and the full SIG due to the breadth of your vendor types, then you should obtain the full SIG. When used as part of the full SIG (as an initial means of gathering information) responses provided on the Lite tab are then transferred to the corresponding question on the detail tab. This avoids the necessity of copying answers from the Lite tab to the detail tabs if it is determined that greater detail (a full SIG response) is required.

SIG Management Tool (“SMT”)

The real power behind the SIG is unleashed when it is used with the SIG Management Tool (“SMT”). The SMT is a Microsoft Excel, macro-based spreadsheet that leverages the power of the SIG. The tool serves several functions. It allows a user to prioritize risk and control areas for more detailed, risk-ranked assessments. Prioritization also aids in the remediation process, as unacceptable responses will already be prioritized, allowing the most pressing risks to be addressed first. The SMT lets the user develop a Master SIG, which includes the way they believe the questions in the SIG should be answered for maximum risk mitigation. The user can then compare the results of a vendor/service provider completed SIG to the company’s Master SIG to determine if acceptable risk controls are in place. This comparison allows the user to easily and quickly identify any problem areas. An additional benefit of the SMT is its ability to migrate answers from earlier versions of the SIG to the most current. This allows companies to migrate to newer versions of the SIG without having to devote the time and expense to manual data entry or worry about incorrectly entered data as part of the migration process. The SMT does it all automatically.

How To Guide

The How To Guide provides a comprehensive overview of the Program’s Tools (both SIG and SIG Lite) and provides best practices on how to approach vendor risk assessments. Importantly, the Guide is written from both the Issuer’s and the Respondent’s point of view, ensuring that everyone’s perspective on vendor assessments is addressed. The Guide includes a “Quick Start” to serve as a refresher for those already familiar with the SIG or for those needing less assistance scoping their assessments. The Guide also includes a detailed explanation of all of the benefits of the SIG Management Tool, how to interpret error messages/codes, and how to maximize the SMT within your organization.

Become a member

Reminder: If you have already purchased the Shared Assessment Tools, become a member and reduce the Annual Membership Cost by the total amount of your purchase.

The Shared Assessments Program brings industry-leading executives together to streamline and standardize the service provider evaluation process, helping organizations of all sizes realize important efficiencies and cost savings.

As participants in a global community of leaders in information security, privacy, business continuity and vendor risk management, members gain opportunities for brand visibility, collaboration and professional development.

Member benefits include:
  • Download the Shared Assessments Tools for free.
  • Opportunities to shape and refine the industry de-facto security standard tools.
  • Access to the Shared Assessments Member Forum.
  • Discounts on registration for Shared Assessments Events.
