The Shared Assessments Program Tools

For the Effective Management of the Vendor Risk Management Lifecycle

The Shared Assessments Program Tools provide rigorous standards for building and enhancing risk management capabilities.

Managing Third Party Risk

The service provider control evaluation process has long been inefficient and costly. Each outsourcing organization produces and distributes its own proprietary questionnaire to each of its service providers. Service providers strain their resources to respond to diverse client information requests. Inconsistencies from one questionnaire to the next cause delays for all parties. Time- and resource-intensive onsite visits further burden both the outsourcer and the service provider.

Using industry-established best practices, Shared Assessments follows a “trust, but verify” approach to conducting third party assessments, which allows you to fine-tune your third party risk management program to your company’s strategy for managing risk.

Which Tool Is Right For You?

Standardized Information Gathering Questionnaire (SIG)

The trust component of the Program is the Standardized Information Gathering (SIG) questionnaire. By using the SIG, an outsourcer can obtain all of the information necessary to conduct an initial assessment of a service provider’s IT, privacy and data security controls. The user filters the questions within the SIG so that they apply to the specific type of service outsourced to the third party. A How To Guide provided with each SIG assists in developing a service-type-specific SIG.

If the primary focus of your program (or your role in the organization) is obtaining information from your service providers through the use of questionnaires, then the SIG (the trust component of Shared Assessments) is right for you. You may want to start with the SIG Lite to conduct an initial evaluation of your vendors and use the full SIG for more complex services. Or, you can use the full SIG and simply filter the questions presented to the vendor based on the services they provide. While each component may be used independently, the use of both tools in tandem provides maximum protection from third party risks.

Agreed Upon Procedures (AUP)

The verify portion of the Program is facilitated by the Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments. The AUP provides several vital functions. First, it allows an outsourcer to validate the answers provided by a third party using the SIG questionnaire. Second, it sets forth the risk control areas to be assessed as part of an onsite assessment, as well as the procedures to be followed while conducting the assessment and the sampling procedures to be used. The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results, further enhancing the efficiency of the onsite assessment process. While each component may be used independently, the use of both tools in tandem provides maximum protection from third party risks.

If the driving force of your third party risk program is the evaluation of service providers through onsite assessments, then the AUP is the tool for you. The AUP was created for use by a company’s IT/audit departments and by accounting and assessment firms that conduct independent onsite audits of service provider controls. The AUP includes a comprehensive list of the controls a service provider should have in place to properly protect your data and systems. In addition, the AUP specifies the procedures to be used to conduct controls testing and recommends sampling parameters to obtain consistent and cost-effective results. If this sounds like your approach to managing third party risk, then check out all of the details on the AUP on the AUP Learn More page. If you are uncertain which approach is right for you, or you believe that executing both components of the trust, but verify model is the way to go, we offer special pricing for a Complete Bundle for companies that want to use all of the Shared Assessments Program Tools.

Vendor Risk Management Maturity Model (VRMMM)

Perhaps your focus at this time is on the development or refinement of your third party risk management program. If that’s the case, the Vendor Risk Management Maturity Model (VRMMM) was designed with your needs in mind. The VRMMM incorporates vendor risk management best practices into a usable model to assess the current and desired future state of a vendor risk management program, and it helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. With a scoring dashboard for reporting, the VRMMM will help you assess the current status of your program and plan for the future. This Tool is included when you purchase the SIG Bundle, AUP Bundle or our Complete Bundle.

Bundle Features

INCLUDED FEATURES | SIG 2016 BUNDLE | SIG LITE 2016 BUNDLE | AUP 2016 BUNDLE | VENDOR RISK MANAGEMENT MATURITY MODEL 2016 | COMPLETE 2016 BUNDLE
SIG 2016 X X
SIG 2016 LITE X X X
SIG 2016 MANAGEMENT TOOL X X
SIG LITE 2016 MANAGEMENT TOOL X X X
SIG OVERVIEW X X X
SIG ISSUER’S GUIDE X X
SIG RESPONDENT’S GUIDE X X
SIG ISSUER’S QUICK START GUIDE X X
SIG RESPONDENT’S QUICK START GUIDE X X
SIG SCOPING COMPANION SAMPLE (NEW) X X
AUP 2016 X X
AUP 2016 REPORT TEMPLATE X X
AUP 2016 OVERVIEW X X
VENDOR RISK MANAGEMENT MATURITY MODEL 2016 X X
Vendor Risk Management Maturity Model Overview 2016 X X

Select Your Assessment Tools

Complete 2016 Bundle

Buy the Complete Bundle, which includes the Tools in both the SIG and AUP bundles, as well as the VRMMM, and save $7,500 off the cost of purchasing the Tools separately.

SIG 2016 Bundle

The Standardized Information Gathering (“SIG”) questionnaire contains a robust yet easy to use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment.

SIG Lite 2016 Bundle

The SIG Lite consists of a subset of questions duplicated from all of the detail tabs found in the full SIG.

AUP 2016 Bundle

The Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, is used by outsourcers as well as independent assessment firms who conduct onsite audits of an organization’s controls.

Vendor Risk Management Maturity Model (“VRMMM”) 2016

Using governance as the foundational element, the Vendor Risk Management Maturity Model (VRMMM) identifies the framework elements critical to a successful program.

"The Shared Assessments Program's rigorous standards are better than all other standards. We are very satisfied with the acceptance by our clients."
— Timothy O’Brien, Senior Vice President, Operations & Security, Yodlee Inc., Shared Assessments Member

Become a Shared Assessments Program Member

Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.

They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

Member benefits include:
  • Free access to the Shared Assessments Program Tools.
  • Work on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
  • Participate in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
  • Participants in Shared Assessments committees, projects and special interest groups earn CPE credits while demonstrating risk management and compliance leadership.
  • Join the monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
  • Access to third party risk management training and education, white papers, project documents, and case studies.
  • Discounts on registration for Shared Assessments events and educational workshops.

Reminder: If you have already purchased the Shared Assessments Tools, you can become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you join within 6 months of your Program Tool purchase.
