Trying to predict the privacy weather report for third party risk?
The dialog on online privacy is heating up in Washington D.C. this week as hearings and industry discussion on the merits of federal privacy legislation were prompted in the wake of the passage of the California Consumer Privacy Act (CCPA). Record snowfall levels have been reported across the country, even in typically sunny California, creating a February for the record books. This month I had the chance to facilitate a teleconference on CCPA to the Shared Assessments Program Regulatory Awareness and Best Practices working groups. Trying to predict the timeline of the implications of CCPA to third party risk is rather like predicting today’s weather report in an era of unpredictability.

For members who may not have participated in the update, I’ll summarize the sunny and cloudy viewpoints on our discussion with a recap: Background on what CCPA is; CCPA Components and Timelines; CCPA Readiness Challenges, and Implications to Vendor Management.

Background on the California Consumer Privacy Act (CCPA)
Since 1972, “Privacy Rights” are considered inalienable rights under the California Constitution. California has been a leader in putting a spotlight on the sharing of data with third parties. As early as 2003, California’s “Shine the Light” law was an early effort to address the practice of sharing customer’s personal information for marketing purposes. While the initial focus triggered updates to online privacy policies, the CCPA goes even farther in putting more rights on the control of information in the hands of individuals.

A ballot initiative was created in 2017 in to address consumer privacy rights by garnering signatures to put legislation on the ballot in the 2018 election cycle. By spring of 2018, the privacy weather forecast changed swiftly with industry disclosures of the sharing of customer data on social media sites. The activist’s ballot initiative had received over 600K signatures generating a storm of effort to draft a compromise bill that could be modified or amended by the legislative process rather than continuing to put privacy regulations out to voters. So faster than a 10-day weather forecast, CCPA was enacted by the state by the June 30th, 2018 deadline. Amendments were issued at the start of fall 2018 to address discrepancies, clarify exemptions and provide a planned timeline for compliance.

CCPA Components and Timelines
Privacy professionals have focused on the extra-territorial nature of GDPR, and California’s CCPA is creating a similar privacy tidal wave in that the focus is on the collection, use, and retention of personal information of California residents.

Scope: CCPA is targeted at for profit organizations, that do business in the state of California, and collect personal information directly from individuals or on behalf of another entity. CCPA defined trigger thresholds, designed to exempt the bulk of small businesses from needed to address compliance. CCPA applies if any one of these parameters are triggered: Annual gross revenue of $25 million, entities that buy, receive, sell or share data of more than 50K consumers, households, or devices for commercial purposes, or entities that derive 50% of its revenue from the selling of consumer data, regardless of the size of the organization.

Given that the state of California is the 5th largest economy in the world and only 34 countries in the world have greater populations than California, CCPA will have global implications to digital marketing.

Key Requirements:
CCPA defines several rights as the primary objective of the legislation. These rights include:

• To know what personal information is being collected about them
• To know whether their personal information is sold, disclosed and to whom
• The right to say no to the sale of personal information
• The right to access their personal information
• The right of deletion if there are not legitimate needs to retain the data
• The right to equal treatment and price if these rights are exercised.

CCPA defines civil penalties for violations of CCPA within defined parameters. The element of CCPA that is driving much of the heated debate is its right of private action. The potential for class action litigation, or the seeking of damages for violations is triggering a road discussion on the differences between self-regulatory standards for digital marketing and state by state requirements.

CCPA is written from a consumer advocacy point of view. The enforcement will be done by the state attorney general. CCPA comes into effect on January 1st, 2020, with ensuing regulatory guidance to be published no later than July 1st, 2020. The CA AG has indicated they will not enforce the CCPA requirements until six months after the final regulatory guidance is published.

CCPA Readiness Challenges
At first glance, such timelines would indicate CCPA compliance would be on the Privacy Farmer’s Almanac predictions for next winter. However, the consumer’s rights regarding treatment of their personal data have a “Look-Back” period of 12 months. Building the processes to address CCPA will need to be assessed and built out into a roadmap for compliance for data that has been collected in 2019. GDPR provided a 24-month timeline for compliance, and CCPA provides a much shorter timeline given the complexities of data usage in the digital landscape.

Conducting a readiness or preparation phase for CCPA readiness will tend to focus on self-assessment and review of business processes for the collection and sharing of data. Implementing a full readiness plan will be challenging until final guidance is completed. A six-month timeframe for executing a compliance program may be too short a timeline unless preparation activities have occurred to scope and shape the depth and breadth of CCPA compliance needs.

Organizations that were required to build out business processes and infrastructure will likely have a sunnier outlook for CCPA compliance since they are simply extending capabilities to the new CCPA requirements.

Key themes for preparation activities:

• Data Governance: Creating and maintaining adequate data inventories and data flows, including third parties for data with a “marketing/selling” point of view
• Consumer Advocacy: Developing the business process enablement and automation of consumer rights to access and delete data typically in unstructured data stores.
• Digital Marketing Disruption: Assessing the marketing, brand, and customer satisfaction risks for implementing limitations on the “selling” of customer data. Organizations may make business decisions in 2019 to change how or if they share customer data,
• Vendor Management: Identifying contract provisions with third party vendors and then defining sufficient due diligence based on the service they perform.
• Reasonable Security: Conducting reviews or self-assessments for data security safeguards. With the expanded focus on information security controls for marketing data – beyond the traditional “PII” focus, security controls will focus on the digital landscape, mobile and device at a much greater level of detail.

Implications to Vendor Management Functions
The digital marketing landscape has layers of third-party relationships. CCPA will trigger the need to identify the applicable third parties that will require affirmation of their obligations to limit the use of personal data beyond the terms of the contract.

3 Things to Think About

1. A “service provider” for the purposes of the CCPA, is an entity that processes personal information “on behalf” of a business.
   The vendor or “service provider” must be bound by a written contract that prohibits the use of personal information for other purposes
2. CCPA requires that for the in-scope service provider that the contract includes: A “certification” that the entity receiving the personal information understands the restrictions in the contract, and will comply
3. These obligations will require updates to key third party risk governance processes to address the contract terms and limitations, but also the corresponding third-party assessment process for due diligence and testing of the controls.

CCPA Vendor Readiness Focus Areas
The final rulemaking for CCPA will be initiated by the CA Attorney General after a series of workshops, hearings, and outreach to the industry. While final interpretations and the potential for additional amendments make final scope and timeframes a bit cloudy, there are preparation and readiness steps organizations can do this year.

For businesses that use third parties, particularly in the online or digital marketing landscape, a starting point is to assess the current vendor inventory and contracts to create a baseline. For vendors who support their clients in the digital marketing landscape, they can begin to assess their role and what data they process and be prepared for additional scrutiny in the due diligence process.

The privacy landscape will continue to evolve, and CCPA dialog will likely continue thru spring and summer of this year. The bottom line is that CCPA is creating momentum for the U.S. to adopt a different approach to digital privacy practices, and that will impact the third-party providers that enable the digital ecosystem.

The Shared Assessments Program’s Privacy Committee will be monitoring CCPA developments to identify impacts to standardized questionnaires, privacy tools, checklists, and testing procedures for the next 24 months. If you or your organization would like to participate in the Privacy Committee or CCPA sub-committee, please click here to sign up to participate in the committee.

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

Last August, Governor John Kasich signed the Ohio Data Protection Act into law. 

The law creates a safe harbor that insulates “covered entities” from tort liability under Ohio state law if they “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of the specified cybersecurity frameworks (including several NIST and ISO controls, and other relevant laws that may apply such as HIPAA, GLBA, and FISMA). 

Being the first of its kind, the law is, by definition, a precedent setter.  But how much of an impact will it have on its own?

In short, not much.  The scope of the law is limited to liability under Ohio law – and only tort law at that – in Ohio courts.  In other words, the law only creates a safe harbor against being sued for negligence or some other form of tort malfeasance in Ohio.

Despite all this naysaying, this law should be good news at least for covered companies already operating in Ohio, right?

Unfortunately, not as much as one may think.  In determining whether a company was negligent in a data breach, courts already look at that company’s compliance with industry standards. 

The new law doesn’t cut out any steps to asserting such compliance as a defense to negligence.  It still forces companies to go to court and litigate whether they were compliant with the named industry standards and thus eligible for the safe harbor – which is very likely what they would have done regardless of the new law.

Granted, the law does insure against Ohio courts increasing their expectations, such that compliance with industry standards is no longer enough, but the likelihood of that happening in the foreseeable future is dubious at best.

The law, then, doesn’t make a lot of immediate waves in the cybersecurity legal landscape.  That may change if other states – or more importantly, the federal government – enact similar laws, in which case, Ohio would be the trendsetter for a potential new nationwide standard.

Given that the law only took effect this past November, it remains to be seen how the law will actually play out, or whether it will have any impact whatsoever.

Each year on January 28th, the world celebrates Data Privacy Day (DPD), led by the National Cyber Security Alliance in North America. This international effort creates awareness about the importance of respecting privacy, safeguarding data, and enabling trust. The focus this year is on the value of information. Whether you look at data privacy from an individual point of view, or from the lens of the business that is collecting, using, and storing personal data, remember:

Personal Information is like money. Value it. Protect it.

Last year the focus on Data Privacy was on readiness for the EU General Data Protection Regulation and the implications that emerged following the social media testimony in Congress on data sharing. This year, the spotlight is on the new California Consumer Privacy Act. In each of these areas, there is an impact to vendor management that is driving a new era for third party risk governance.

If personal information is like money – then we need to treat that asset with the same level of value and protection if it is stored in our own privacy piggy bank, or in the locked vault of a vendor or service provider. Let’s put the numbers into perspective:

• 66% of U.S. consumers want companies to earn their trust by being more open and transparent with how their information is being used
• In a survey by Blue Fountain Media, web users surveyed that they overwhelmingly objected to how their information is being shared with and used by third-party vendors. 90% of those polled were very concerned with internet privacy.
• A PwC survey found that only 52% of U.S. companies that will need to comply with the CCPA expect to be compliant by January 2020.

The Shared Assessments Program Vendor Risk Management Maturity Model was updated for release in 2019 to include the heightened expectations driven by new privacy regulations, high profile data breaches and updated external audit standards. The 2018 Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study used the expanded maturity model. Early highlights of the 2018 were shared with Shared Assessments Program Members this past month. In the latest Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study 55% of organizations surveyed indicated they were likely to “de-risk” or move away from high risk third-party relationships in the next 12 months, up 2% from the previous year. Further, considering all six privacy related measures in the survey, fully 43% of those surveyed had either fully functional or advanced privacy practices in place, the second highest result of any focus area in the survey. 22% of respondents reported they had only ad-hoc privacy practices in place and 9% had no active privacy efforts.

Both GDPR and CCPA drive the need for enhanced data governance strategies, including data flows, data maps and data inventories. Whether the data is stored locally or at a third- party service provider, the data must be protected. International Privacy regulations will continue to advance triggering the need to continually assess the effectiveness of each third party risk governance program for new privacy requirements.

Key steps in building your third-party risk roadmap for privacy protection:

• Update vendor classification, scoping, and inventories for third party relationships
• Enhance contract provisions for the protection and usage of data
• Maintain a data inventory to manage and process data access requests
• Broaden due diligence processes for assessing and identifying corrective actions of third parties
• Deploy effective ongoing monitoring of vendor relationships
• Maintain documentation of processing of the personal data
• Understand data transfers and authorizations at both third and fourth parties

While the numbers seem daunting, given the pace of technology and complexity of third-party relationships, there are action steps service provider organizations can take to mature their internal processes for third party risk governance.

3 Action Steps to take in 2019:

1. Develop a Roadmap for maturing your third-party risk governance program: Benchmark your organization’s third-party risk governance program by downloading and using the 2019 version of the Shared Assessments Program Vendor Risk Management Maturity Model
2. Expand data governance tracking tools to protect personal data: Download the Free privacy templates in the Shared Assessments GDPR tools. The Target Data Tracker template can enable your organization to document the tracking of target data by third and fourth parties to address the broader third party and data transfer obligations driven by privacy regulations.
3. Enhance your Training and Awareness Program: Leverage the free resources for data privacy at https://staysafeonline.org/resources/

In today’s market landscape, all organizations utilize third party relationships to run and operate their business. Ensuring that the right privacy protections are in place in your third-party risk governance program demonstrates your commitment to treat your client’s privacy data as your own.
Protecting data in your Privacy Piggy Bank is important not just on Data Privacy Day, but every day!

Personal Information is like money. Value it. Protect it.

#PrivacyAware

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

Shared Assessments has released its updated 2019 Third Party Risk Management Toolkit which serves organizations for vendor risk management, regardless of size and industry. The Toolkit elements help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

Shared Assessment keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as: NIST 800-53r4, NIST CSF 1.1, FFIEC CAT Tool and PCI 3.2.1. That knowledge is used to update the new Toolkit, which embodies multiple Tools for a comprehensive “trust, but verify” approach for conducting third party risk management assessments, using a substantiation-based, standardized, efficient methodology.

The 2019 Third Party Risk Management Toolkit includes:

• 2019 Standardized Information Gathering (SIG) Questionnaire Tools
• 2019 Standardized Control Assessment (SCA) Procedure Tools
• 2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
• 2019 General Data Protection Regulation (GDPR) Privacy Tools

Changes to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from;

• Outsourcers, service providers, licensees, assessment firms and regulators.
• Organizations from start-ups to large, global corporations.
• Industries such as Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
• Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and third party risk.

The updates for 2019 are a response not only to the changing regulatory and risk landscape, but to our hundreds of members and tool purchasers looking to perform vendor risk assessments that provide assurance but are also efficient and fast. The 2019 Toolkit was built to allow that standardize excellence in content but also to make assessments easier to create, customize and manage. The Toolkit is also built to work together to follow the typical process a third party risk practitioner would use to implement their program.

2019 Standardized Information Gathering (SIG) Questionnaire Tools

The 2019 SIG has undergone a major functionality and content reorganization. The SIG now functions as a questionnaire management tool that allows you to build, customize, analyze and store questionnaires.

• Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling questionnaires to be created more quickly. You can now create a SIG with questions all on one tab, or with a tab for each risk domain.
• Content Library – There is no longer a “Full” SIG, but rather a database of member-vetted questions called the Content Library. The Content Library includes the SIG Core and the SIG Lite questions, but also houses industry-specific questions. You can even add custom questions to be treated and scored as any other included question.
• Custom Scoping – Custom Scoping allows you to create the questionnaires you need without losing the benefits of standardizations by drawing from the Content Library. You now have three ways to edit a questionnaire – by control domain, by external requirement or by control category and subcategory.
• Saved Questionnaires – A SIG questionnaire can now be saved as a template to be modified later, making it easy to create questionnaires for new vendors.
• SCA Integration and Scoping – the 2019 SIG is now integrated with the Standardized Control Assessment (SCA) Procedure Tools for onsite and virtual assessments. You can now take a completed SIG and automatically create a SCA.

Content updates to the 2019 SIG Tools include;

•  Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
• Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) content.
• Mapping – The following nine mappings to Authority Documents are now included within the body of the SIG and can be used for creating questionnaires.
  • FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
  • FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
  • FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
  • GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
  • HIPAA – S. Department of Health and Human Services. Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
  • ISO 2700X – International Standards Organization (ISO) 27001/27002, 2013
  • NIST 800-53r4 – NIST 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
  • NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), April 2018
  • PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS V.3.2.1, February 2018 –

2019 Standardized Control Assessment (SCA) Procedure Tools

The SCA Tools are a standardized set of assessment procedures. When combined with the scoping features of the SIG, the 2019 SCA is a quick and efficient way to assess service providers during onsite or virtual assessments.

Enhancements to the 2019 SCA include;

•  Updated Guidance Documentation – The main SCA document includes new reference material that helps users complete assessments faster and with better understanding about the controls being assessed.
• SCA Report Template – SCA reporting template is now in spreadsheet format, making it easier to document findings while onsite, copy and paste data and use on a mobile device.
• Executive Summary Template – A new Executive Summary Template is included that will assist in creating a lightweight summary report of the SCA findings for management without all the detail of the full report.
• SIG Integration and Automatic SCA Scoping – Using the SIG with its embedded SCA content, automatic customization is available to make SCA assessment procedures match just the SCA questions that were scoped and answered by the Assessee in a SIG.
• SCA Assessment Standards for Distributable Reports – Due to the requirements within the SCA Standards for distributable reports, the outsourcer can be assured that the procedures in an SCA will be performed consistently, regardless of which certified organization performs it.

• Content Updates
  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
  • SIG Alignment- The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.
  • GDPR Privacy Tools Alignment- The GDPR Toolkit aligns completely with the SCA, ensuring SCA-based assessments address the most current privacy considerations.

2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced third party risk management professionals.

 2019 saw significant updates to the VRMMM content, including;

•  Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
• Inclusion of recent guidance regarding Third Party Risk Management from:
  • The American Institute of Certified Public Accountants (AICPA) which sets guidelines for public auditing principles.
  • The Office of the Comptroller of Currency (OCC) which audits the safety and soundness of U.S. banks.
  • New York Department of Financial Services Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the state of New York (NYDFS 23 NYCRR 500), which is a cybersecurity regulation mandated for any financial services company doing business in the U.S. state of New York.
  • Privacy requirements including the European Union General Data Protection Regulation (GDPR).

The VRMMM is important to third party risk, and we made it free to members and non-members. It can be download here.

2019 GDPR Privacy Tools

The GDPR Privacy Tools help meet the requirements imposed on how Controllers (i.e., outsourcers) must appoint and monitor Data Processors (i.e., third parties/vendors) as a part of GDPR.

Enhancements to the 2019 GDPR Privacy Tools include;

• The GDPR Tool kit was originally released prior to the GDPR compliance deadline of May 25, 2018. The focus and narrative were on preparation for the upcoming deadline. Now that the deadline has passed, the leading practices incorporated in the tools have been updated based on the experiences of dozens of Shared Assessments member companies.
• The template tools were enhanced to better allow tracking of issues over time.

Download this free tool.

To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can;

• View a short demo of the 2019 SIG Questionnaire Tools changes.
• View a short demo of how the Toolkit works together.
• Attend a Live Demo

Although he was referring to troop levels, George Washington demonstrated more than a little budgeting savvy when he wrote that “we must consult our means rather than our wishes.”

While third party risk management (TPRM) leaders would do well to heed that (founding) fatherly wisdom, they should also keep in mind that a number of emerging best practices have proven successful in boosting the means TPRM groups have at their disposal. Shared Assessments is currently analyzing research concerning how organizations are addressing heightened regulatory expectations related to TPRM requirements. The Vendor Risk Management Benchmark Study, in its fifth year, has just wrapped up and the research report expected to release in February 2019. Coupled with this annual research is a special project now underway sponsored by the Best Practices Awareness Group and the Regulatory Compliance Audit Awareness Group. One component of this research, which is being spearheaded by subject matter experts in both groups, examines the successful approaches TPRM leaders have deployed to fortify their case for more resources during annual budgeting activities.

While the research remains in process, it has already identified the importance of tightly linking vendor risk management objectives with an organization’s strategic business goals. That coupling of appropriate risk management capability with an enhanced ability to achieve strategic business goals significantly increases the likelihood of successfully procuring additional TPRM resources.

In many companies, for example, the failure to meet regulatory requirements may result in reputational damage. In a company that considers its brand a strategic asset, third party risk management leaders should show how specific vendor risk management gaps would potentially limit the company’s ability to protect its brand. A business case that supports that business-centered point is more likely to result in a favorable budgeting decision compared to a business case that centers only on the risk of a regulatory compliance failure.

This is just one of a number of other approaches TPRM leaders are marshalling in the ongoing battle for more funding. I’ll keep you posted on when in early 2019 a paper highlighting this research is available.

Tick Tock. It’s that time of year again. Summer’s heat waves are retreating, school is in session, and budget planning is well underway for 2019 and beyond. Each year organizations typically take focused time during Q3/Q4 to evaluate their strategic plans; monitor the evolving risk environment; assess cyber-security threats; and identify programs to be enhanced in the coming fiscal year. Lines of business are focused on business cases for new products/services, while risk teams are working to mature governance to address new compliance obligations with limited resources.

✔ What Regulatory Landscape Changes are changing expectations?
✔ What third party risk focus areas are “hot topics?”
✔ Where does third party risk fit into those competing priorities?
✔ How can self-assessment tools be used for peer benchmarking?

And this season the 5th annual Third Party Risk Management Benchmark Survey, based on the expanded 2019 Shared Assessments Vendor Risk Management Maturity Model, is here to help put an early spotlight on additional areas of practice maturity emerging in response to a number of market changes.

Market Changes

• New Regulations: Heightened expectations have been triggered for third party oversight and vendor management. GDPR is now enforceable, extending obligations to data processors and vendors. The OCC’s supplemental examination procedures to its “Third-Party Relationships: Risk Management Guidance” are raising expectations for risk management, due diligence and governance. Covered entities impacted by NY DFS 500, are facing the clock as the countdown to March 2019 is fast approaching. In fact, the complexity of certifying or providing assurance on third party risk program effectiveness is difficult to measure and quantify.
• High-Profile Data Breaches: Recent events have placed a spotlight on the risk of cyber security breaches with vendors and subcontractors, expanding the need to have greater rigor in third party risk management and ongoing risk assessments.
• Updated Standards: NIST standards are expanding to include risk management and privacy. External audit standards for SOC reports have been updated by the AICPA. The updated Trust Services Criteria will now contain 9 Vendor Risk Management common controls for 2019 engagements.

It’s all about taking “Trust, but Verify” to the next level with enhanced controls, validation, testing, and governance. While each new regulation or standard is focused on a particular jurisdiction or market vertical, the themes for third party risk management have more similarities than differences.

Hot Topics for Vendor Risk Management:
✔ Subcontractors/Nth Party Management
✔ Continuous Monitoring Program Activities
✔ Vendor Inventories
✔ Vendor Contract Modernization
✔ Risk Posture/Methodologies/Approvals

Adapting a vendor risk management program impacted by both internal and external drivers can feel daunting without a roadmap to help mature or expand the program components. Organizations of all sizes may need to develop business cases to get resources, either people or investments to expand third party governance programs.

Vendor Risk Management Maturity Model
The Shared Assessments Program Vendor Risk Management Maturity Model (VRMMM) was developed by its members to provide a roadmap for structuring, operating, and measuring each component of an organization’s Vendor Risk Management Program. Combining best practices, thought leadership, and hands-on vendor risk management, the Program Tool provides a framework for each element of an effective vendor risk management program. The VRMMM self-assessment enables an organization to evaluate the maturity of their current third party risk program based on a ranking of core program attributes:

VRMMM Framework

• 1.0 Program Governance

• 2.0 Policies, Standards & Procedures

• 3.0 Contract Development, Adherence & Management

• 4.0 Vendor Risk Assessment Process

• 5.0 Skills & Expertise

• 6.0 Communications & Information Sharing

• 7.0 Tools, Measurements & Analysis

8.0 Monitoring & Review

VRMMM based self-assessments enable a critical focus on third party risk management process maturity, a key input to help prioritize resource allocations in any organization’s annual vendor risk management structuring, enhancement or expansion plans.

The 2019 version of the VRMMM has been expanded to incorporate recent regulatory changes and key topics such as vendor inventories, fourth party management, continuous monitoring, risk posture, and contract modernization. The current Benchmark Survey, open from September 20th until October 16th can give you a significant head start on that self-assessment.

The Power of the 2018 Benchmarking Survey
This year’s Benchmark Study is the first to be based on NEXT year’s Vendor Risk Management Maturity Model (VRMMM), not the current 2018 iteration. The study will release in early 2019 – shortly after the 2019 VRMMM Program Tool becomes available – allowing risk managers to immediately gauge their own practice maturity against industry peers by using survey results compared to the newly expanded 2019 Vendor Risk Management Maturity Model (VRMMM).

The survey results will provide critical data for practitioners to understand where their own program may lag, and to prioritize where additional resources might be utilized most effectively.
Catherine Allen, CEO of The Santa Fe Group and Shared Assessments program stated, “The Vendor Risk Management Benchmark Study is a remarkably powerful tool that risk managers routinely use to understand the relative strengths and weaknesses of their programs. This year’s survey update drills down into continuous monitoring, privacy, data management, and a broad range of additional practices to make the insights even more valuable to third party risk professionals.”

“Paul Kooney, a Managing Director in the Security and Privacy practice at global consulting firm Protiviti, notes “Protiviti is excited to team with the Shared Assessments Program to provide one of the most comprehensive benchmark reports providing insights about the overall state of third party risk management practice maturity. Data from this year’s study will be considerably more useful, not just because of the survey’s significantly expanded scope, but because it will provide a current perspective on almost eighty new criteria added to the 2019 VRMMM.”

As always, it’s very important that your organization take the time to thoughtfully complete the Benchmark Survey. Your participation benefits the third party risk management community as a whole by enabling an accurate and updated understanding of the true state of vendor risk management practice maturity. Please join your peers and complete the 2018 questionnaire, open from September 20thth through October 16th at: https://www.research.net/r/B7LCCTV?rnid=[rnid_value]&study=[study_value]

While walking outside on my way to an early meeting, between sips of coffee I was additionally jarred awake by a passing car with the music of Van Halen blaring through the speakers. As a fan of “early” Van Halen, I snickered to myself recalling the legend of the “Brown M&M’s” in their contract that was often joked about amongst musicians and DJ’s. Later that evening as I returned to my hotel room I did some research into the background of the “Brown M&M’s” story and quickly realized the importance of it with regards to contracts and dealing with third parties.

As many of you will surely know, Van Halen has been one of rock’s premier acts since the 1970’s. However, they were also one of the first bands to take on the road such a massive stage show consisting of, according to the band’s lead David Lee Roth, “Eight Hundred and fifty par lamp lights to illuminate the stage”. Due to the size of such a light set they struggled in the band’s early touring years to get the massive rig into many of the older arenas, as their loading dock doors were ill prepared to handle such a massive spectacle. Additionally, “there were many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through”. On top of all that, set up and tear-down times would “grossly exceed” the local union’s overtime, largely because of the time it took for the crew to set up and take down the production – all of which added to the cost of touring.

Roth noted that in most cases, the promotor wouldn’t fully read the contract and would therefore fail to take note of the various structural requirements required and understand the issues (such as loading bearing stress, electrical amperage, etc.) that could cause serious damage to the band, the crew, and even to the audience.

According to Roth, to help ensure compliance to the contract, they stuck in a clause in the technical section of the contract, requiring a bowl of M&M’s to be placed backstage but not to contain any “brown M&M’s”. Now this would normally be characterized as silly “rock star-like demands” being placed on the promotor and venue, but it was actually a rather clever test of whether or not the promotor and other notable parties had thoroughly reviewed and honored the contract fully, including how  the items it contained addressing safety concerns. Roth added that if a bowl of M&M’s was missing backstage, or if brown ones were present, then he and other band or crew members could safely assume that other items in the contract were not reviewed, glossed-over, or worse – completely ignored. The band members and crew would then be within their rights to have the venue inspect the work, ask that it be redone, and – per the terms inscribed in the contract – even force the promotor to forfeit the entire show at full pay. Their concern for safety was real as not only had equipment been damaged, but according to Roth, several members of their road crew were severely injured due to poor preparation and lack of appropriate safety measures on the part of the venue.

A great example he provided to drive home this wisdom was when Van Halen was playing at a university in the mid-west (his autobiography purports it as a gymnasium in Pueblo, Colorado, while an online interview with Roth purports it to be in New Mexico) Roth noted “the university took the contract rather casually”, adding further “they had one of these new rubberized bouncy basketball floorings in their arena. They hadn’t read the contract, and weren’t sure, really, about the weight of this production; this thing weighed like the business end of a 747.” He added that they found some brown M&M’s in the candy jar and Roth “went into full Shakespearean ‘What is this before me?’… and promptly trashed the dressing room, dumped the buffet, kicked a hole in the door…” causing approximately twelve thousand dollars’ worth of damage. He stated that they “didn’t bother to look at the weight requirements or anything (in the contract) and this sank through their new flooring and did eighty thousand dollars’ worth of damage to the arena floor. The whole thing had to be replaced.” Clearly, this could have been avoided if it were not to the ineffective or non-review of the physical requirements needed to hold such a concert.

On top of the structural damage – that had to be replaced – the press blamed Van Halen for the incident. “…It came out in the press that I discovered brown M&M’s and did eighty-five thousand dollars’ worth of damage to the backstage area”.

Can similar events happen to you? You bet. You may not have to deal with moving around massive light and sound fixtures from one town to the next, but how truly confident are you that your vendors really understand what you is required of them? Have you built conditions, service-level bench marks, touch-points, and penalties into the contracts? Are they understood and agreed to by all before it becomes fully executed? Part of employing sound principles of contract review is reviewing all documents with all affected parties (both vendor and business line) and making sure that they not only understand the terms laid out in the contract but that they can fulfil all stated obligations.

The final takeaway of this piece is to remind you of the importance of going over the details – you know, those small things which can lead to bigger problems. It’s a good idea to employ the advice from legendary UCLA basketball coach John Wooden who used to say “It’s the little details that are vital. Little things make big things happen.”

So, with that, do you prefer plain or peanut?

We’ve all experienced the end of a relationship. Sometimes the two parties involved are no longer compatible. Maybe one party realizes that it just isn’t working out. Or they’ve found someone better. Or perhaps there’s been an unforgivable breach of contract.

Naturally we’re talking about an organization’s partnership with a third-party provider and the importance of mitigating third-party risk. There’s a distinct lifecycle to every business relationship—new relationships, existing and evergreen relationships, renewals and terminations.

Managing third-party contracts can be a delicate matter throughout this lifecycle. When it comes to terminating these contracts, the need to have a well-defined strategy already in place is paramount. A contingency plan built upon established business standards and best practices can help avoid damages, alleviate any reputational risks, and help facilitate a smooth exit.

There are four basic types of termination:

• Normal: The business relationship is no longer necessary or appropriate
• Cause: There is irreparable violation of contract terms
• Convenience: Either you or the vendor has a better arrangement/opportunity
• Regulatory/supervisory: The vendor cannot live up to regulatory expectations

“Third Party Contract Development, Adherence & Management,” © 2018 The Santa Fe Group, Shared Assessments Program

It’s crucial to ensure that the predetermined terms of the contract are acceptably fulfilled in the final stages of the third-party vendor relationship. This includes any ongoing services with the departing vendor; recovery of work product and intellectual property; data recovery and security; and a seamless transition to the new provider, if applicable.

More specific best practices will need to be implemented if the contract was terminated for cause. For example, was the provider appropriately rated? Did internal controls or assessment methods fail? Was Pen (penetration) testing conducted and evaluated by credentialed testers? These questions can help safeguard third-party business relationships and guide future contract negotiation processes.

In business, as in one’s personal life, it always helps to have an exit strategy, based on open communication and shared expectations agreed upon from the very beginning.

And, you should probably get that in writing.

A brief chat with Tom Garrubba, Senior Director/CISO of Shared Assessment, The Santa Fe Group

In your experience, what are some of the core reasons that a third-party contract is terminated for cause (i.e. fraud or misrepresentation)? What are some examples?

In most cases [the third party] is just not able to achieve what fits into the agreement. Basic cause is when vendors overpromise and underdeliver. Or if they’re falling way behind and start grossly misrepresenting what they said they could do. We need to monitor the contracts. You should be getting something back from the vendor for not living up to contract expectations.

I was in a situation at my previous employer where we had a vendor that did something kind of crafty. A company can turn to a vendor and say, we don’t really have much of an increase in budget next year so we need you guys to hold on to your fees. So this vendor took its offshore support and shifted it from India to China because it’s much lower cost.

They did it on the backend. They’re still supporting your system but now the cost went from $100/hour to $60/hour and they never told the business unit. They didn’t break the contract per se but what they did was kind of unethical, doing something and not telling us about it. You can’t say at that point, I’m taking my ball and going home. But they were banned from all new projects and not allowed to bid on upcoming projects.

How can a business protect itself to mitigate the inherent risks of working with third-party providers?

Get everything in the contract. Organizations I’ve had conversations with are not very good at it – they’re working in a silo. Sometimes they don’t want to focus on risk because they want to get things up and running.

It’s that assurance time of year again as organizations are kicking into the implementation of their 2018 external audit engagements. We are now under the six-month timeline for new SOC standards to be in place. This is the third year in a row I’ve written about changes in external audit reporting standards that impact service provider controls and executing external assurance engagements. Each year the changes drive maturity, transparency and stronger governance into the process, but also create confusion and need for knowledge. So, let’s dust off the boxing gloves and understand the new assessment protocols that will be in place once we jump back into the audit boxing ring.

Acronyms, Terminology & Methodology – Alphabet Soup
Heavyweight sports fans know terms like Knockout (KO), Clinch. Down & Out. Fall Through the Ropes. Sucker Punch. Throw in the Towel. Prizefighter auditors and assurance practitioners understand terms like AICPA, Attestation. SOC, SSAE18, TSC, CSOC, Carve-outs. Subservice organizations. Qualified Opinion. Information security and IT professionals rely on frameworks like COSO, NIST, and COBIT.

While the terms are quite different the work effort to simply navigate audit standard changes easily creates emotional comparisons to a few of those boxing terms, especially for the non-accountant. Let’s level set on a few of the key concepts that are changing within SOC engagements, but from a more sports fan or business user point of view.

The American Institute of Certified Public Accountants (AICPA) is the national professional organization that sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profits, and governments. They have updated their standards and protocols for audit engagements to align with the 2013 Committee of Sponsoring Organizations (COSO) framework which was designed to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. COSO frameworks are traditionally part of the SOX compliance program for financial accounting of public companies.

The changes in the SOC audit reporting will be effective for audit periods ending on or after December 15th, 2018 . That means the changes will be effective for all engagements in 2019, triggering readiness, migration, and process changes in 2018. During this transition, for audit engagements executed in 2018, a company can choose to early adopt the new criteria structure or continue with the current Trust Services Principles.

Report Changes and Updated Naming Conventions
The methodology standards set out in the SSAE18 framework will now apply to all SOC2/SOC3 reports. Those changes include the requirements to clarify control ownership when there are subcontractors or sub-service organizations in scope for the system being assessed. With the remapping effort to the COSO framework, additional terminology changes for SOC audit reports have been defined:

• SOC: Was Service & Organizational Control and now is System & Organizational Control.
• SSAE: Statements on Standards for Attestation Engagements.
• TSPC and TSC: Trust Services Principles & Criteria (TSPC) are being renamed Trust Services Criteria(TSC)
• Principles & Categories: Principles will now be called categories, but they still focus on security, availability, processing integrity, confidentiality, and privacy of a system.
• Risks/Controls: Within the report structure and protocol, the assessor will now use terminology of “points of focus” for the specific control topic area being reviewed.

A SOC2 report must include the Security Category, with all the Common Criteria, and may include the additional categories. Each category will have their own unique criteria to be met as part of the audit. These changes expanded the number of common control criteria and streamlined some of the additional criteria in the Trust Services Categories.

It is important for all organizations to prepare for the new requirements to build out process maturity in conjunction with this year’s audit engagement. The requirements will apply to service providers who use a SOC report to provide assurance to their clients; but also, will trigger changes to the processes a service provider uses to get assurance from its fourth parties.

Implications for Service Providers
External assurance audit reports are a mechanism to provide independent assurance and testing of controls. Each service provider defines the type of audit engagement needed to meet their client contractual obligations based on the systems and services that are outsourced. With the growing focus on cyber security and enterprise risk management, many of the changes in common controls have broadened beyond traditional IT controls or public company financial controls. The shift to include risk management functions and programs will trigger the need for additional control owners, compliance documentation, processes to be tested, and includes operational risk management programs.

There are eight new common criteria related to the alignment with COSO principles:

• Board oversight
• Use of information to support internal control
• Sufficiency and clarity of the entity’s objectives
• Identification and assessment of changes
• Controls deployed through formal policies and procedures
• Procedures to identify new vulnerabilities
• Business disruption risk mitigation
• Vendor and business risk management

Third party risk management functions may be implicated in many of these criteria but the focus on Vendor and Business Risk Management as a common control in scope for all engagements shows the growing attention to third party risk. The inclusion will provide a deeper dive into the third-party risk management program structure, implementation, governance and risk reporting. The third-party risk management program elements that will be assessed, audited, and tested include:

• Requirements for Vendor and Business Partner Engagements
• Vendor and Business Partner Risks
• Responsibility and Accountability for Managing Vendors and Business Partners.
• Communication Protocols for Vendors and Business Partners.
• Exception Handling Procedures from Vendors and Business Partners.
• Vendor and Business Partner Performance.
• Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments.
• Procedures for Terminating Vendor and Business Partner Relationships.
• Process to obtains Confidentiality Commitments from Vendors and Business Partners.
• Assessment process for Compliance with Confidentiality Commitments of Vendors and Business Partners.
• Process to obtains Privacy Commitments from Vendors and Business Partners.
• Assessment process for Compliance with Privacy Commitments of Vendors and Business Partners.

Each of these operational processes are part of the implementation of a third-party risk management program structure. However, to make the controls auditable and testable will require not only compliance documentation but artifacts and testing of the controls, to provide evidence to auditors of the implementation of the third -party governance program requirements. Multiple regulatory drivers are triggering changes to mature the third- party risk governance process. Creating an external assurance maturity calendar, requires taking a long view, embedding into readiness this year for what is tested next year.

Business Readiness
While it can be easy to feel like throwing in the towel, the reality is the SOC boxing matches will continue, and evolve as new scoring mechanisms are defined. Here are six readiness steps to tackle, one per month to avoid feeling on the ropes or down for the count while you prepare for an audit of your third-party risk governance program.

1. Policies: Review and create a comparison of the Vendor and Risk Management criteria to your Third-Party Policies and Procedures. Plan for need for additional compliance documentation, process maps.

2. Employee Knowledge: Prepare employees who manage controls, by sending out a self-assessment of their understanding of the roles, accountabilities and governance for third party risk. Update control owners, assess internal expertise and identify gaps
3. Technology: Conduct an assessment with your current GRC tools to prepare for any IT or configuration changes
4. Benchmark: Refresh benchmarking the maturity of your Third-Party Program to the Vendor Risk Management Maturity Model
5. Risk Reporting: Review existing scorecards, dashboards and management reporting on third party risk governance and identify changes to meet the new common criteria.
6. Process Refinement: Embed security, confidentiality, and privacy commitment processes into a common third party continuous monitoring process.

Yes, audit standard changes can feel daunting, and complex. However, just like there are weight levels in boxing to make the fights fair, assessing a third-party program is also risk based. Focus on the critical activities, critical services, critical controls, and third-party relationships, most of these requirements are not dramatically new, they are simply driving maturity into the third-party risk governance program that have been in place for financial controls.

Linnea Solem is a former Shared Assessments Program Steering Committee Chairperson, and current Advisory Board Member. She is the President and Founder of Solem Risk Partners, LLC a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management.

The tone of resilience followed the 11^th Annual Shared Assessments Summit to the Santa Fe, New Mexico home of Catherine A. Allen, Chairman and CEO of The Santa Fe Group. Recovering from an email hack, Cathy hosted sixty guests who enjoyed her signature Missouri ham, dined al fresco in the courtyard as the sun set, and listened to an esteemed panel of subject matter experts speak about Cyberwarfare and National Security: What Americans Need to Know.

Senator Jeff Bingaman, former US State Senator from New Mexico, reinforced the importance of cyber issues and the urgent need for Congress to understand this importance. He introduced the evening’s panelists including:

• Catherine A. Allen, The Santa Fe Group
• Mark Fidel, Co-Founder of RiskSense, Inc.
• Damon Martinez, Former U.S. Attorney and Congressional Candidate
• Valerie Plame, Former CIA Operative, Author and Cyber Expert

Damon Martinez, former U.S. Attorney and Congressional candidate, covered cyber threats to our democracy, the evolution of protection technologies, protecting voting machines and the undermining of the fundamental basics of our democracy. He spoke about the role of New Mexico National Labs, airspace and missiles and showed Russia’s development of strikingly similar technology to ours, subsequent to us developing it first, in his handout entitled “Emerging Threats: Russian Interference in U.S. Elections and the New Frontier of Cyber Security”.

Mark Fidel, Co-Founder of RiskSense, Inc. focused on vulnerabilities including threat and vulnerability management, election systems vulnerabilities, and the supply chain of digital information that serves the labs in and out of New Mexico. Citing the issues surrounding our election system, Mark described the various vendors involved with the management of the voting process and his commitment to shoring up our systems to protect our democracy and to ensuring a fair, free, and accurate election process.

Valerie Plame, former CIA operative, author, and cyber expert shared her expertise in nuclear proliferation and experience with The New War: Cyberwarfare. Valerie described the relationship between international security and cyberwarfare, our adversaries, and why we should be concerned about Iran, North Korea, China and Russia. Speaking to the gray area between war and peace, she explained the financial benefits of war to a few versus the low profit margin of fighting cyberwarfare.

Catherine A. Allen, Chairman and CEO at The Santa Fe Group and corporate board director, explained the concern of cyberwarfare and critical infrastructures as well as the impact of cyber tactics. Sitting on several boards including that of El Paso Electric Company, Cathy knows the corporate perspective on cyberwarfare. She described the impact of fake news with a visual graphic in hand and reinforced the importance of data integrity. In addition to the media biased chart, The Santa Fe Group provided handouts and multiple relevant materials to guests, including Cathy’s “Cyberwarfare and Critical Infrastructures” and the Ponemon Institute’s “Second Annual Study on The Internet of Things (IoT): A New Era of Third-Party Risk” sponsored by Shared Assessments, a program under The Santa Fe Group umbrella. Handouts quickly moved into guest’s hands as Cathy emphasized that protecting one’s personal and company assets are a must in today’s world of new warfare.

Stating there are not enough people in public policy who are aware of cyber issues and the impact associated, panelists recapped their concerns and suggestions as:

• Heighten awareness of one’s own biases – go far and wide and beyond
• Education is key
• Think
• Stay strong and informed
• Voice your concerns about cyberwarfare and the threat to our democracy and safety to your Congressmen
• Vote

The sun set. And as guests left, they left more aware of cyber threats, than when they arrived, with a tone of resilience.

Sylvie Obledo is a Project Manager with The Santa Fe Group, Shared Assessments Program. As Project Manager, Sylvie facilitates thought leadership and collaboration of leadership teams and a variety of groups including the Continuous Monitoring Working Group and Vertical Strategy Groups in industry sectors including Asset Management, Consumer Product Goods, and Insurance. Her scope of work requires creative problem solving, planning, organization, and managing multiple timelines.

Our 11^th Annual Shared Risk Assessments Summit took place on April 11-12 at the Ritz Carlton in Pentagon City, VA and brought together thought leaders throughout the risk industry. The theme of this year’s Summit was resilience, and our 300+ attendees were able to hear from subject matter experts across an array of different industries on how to stay resilient amongst an abundance of new concerns.

Opening Remarks

The day started with opening remarks from our CEO, Catherine Allen, who discussed these new concerns, namely, cyber warfare, fake news, supply chain disruptions, AI, and IoT, and how to focus on detection strategies—we live in an era of when, not if. Following her opening remarks, she introduced our keynote speaker, and first ever recipient of our new Lifetime Achievement Award, Richard Clarke.

The Importance of Cassandras in Risk

Clarke, CEO of Good Harbor LLC, explained the importance of “Cassandras” in assessing risk. AI, genetic engineering, and the IoT are all current fields where experts have data that proves we are going to have significant problems, but nothing is being done about it.

When it comes to risk management at the national and corporate level, these outlier experts are being ignored. Clarke stressed the importance of systematically looking for Cassandras and being willing to listen them, despite the risk seeming outlandish, or even laughable.

While we don’t necessarily need to believe the Cassandra, we do need to give them enough credibility to show the data. Companies may need to adjust so that when they start to see what the Cassandra is predicting, they’ll already have contingency plans in place. As risk professionals, we need to take heed of the Cassandras, start making decisions, and reallocating resources in order to do things differently and mitigate the effects of catastrophic events.

New Vulnerabilities

Following Clarkes eye-opening keynote, we began our first panel discussion entitled, “The Future is Now: Emerging Technologies and the Impact on Controls.” The panel, moderated by Joe Prochaska, Synovus Financial Corp, included Holly Dockery, Sandia National Laboratories; Catherine Lotrionte, Georgetown University; and Jeff DeCoux, Hangar Technology. The panel focused on Artificial Intelligence (AI) and Internet of Things (IoT)—one of the main takeaways was the vulnerability that these new devices open us up to, and how manufacturers need to start stepping up and start involving the entire management team when evaluating the risks and exposures of their devices. Everyone should have visibility into what their technology can do and what the risks could entail.

Frameworks to Make the Dream Work

After a brief networking break, we began our second panel discussion on “Third Party Risk Frameworks.” The panel, moderated by Roger Parsley, Deutsche Bank, included Mark Holladay, Synovus Financial Corporation; Lin Lu, Freddie Mac; and Renee Forney, Capital One; and focused on how third party risk management fits into different organizations. The panel agreed that we in a new era of risk management, so it’s crucial to increase our skills and expertise in order to fulfill our responsibilities, no matter what the size of our organization. While risk classifications have changed over time, tiering is still important and mission critical vendors are integral to our risk framework, whether we’re at a small company, financial institution, or enterprise corporation. Lin Lu, Freddie Mac, said it best when she stated, “…third party risk is no different than any other risk.” Additionally, the panel touched on how emerging technologies are impacting how we handle third party risk and the importance of scalability. Organizations need to ask themselves:

• What risks do we have?
• What risks are we willing to take?
• What risks are we not willing to take?
• How does that impact the strategic goals of our business?

Believe in Your Mission

Following the frameworks panel, we enjoyed a case study presented by Prevalent. Brenda Ferraro, Senior Director, led the discussion with customer Bob Maley, Senior Strategist at PayPal.  Maley stressed the importance of understanding your company’s mission—if you’re building a program that’s driving your mission, when the regulators and examiners come in, it’s going to be easy. He also introduced the concepts of Chen, the things that everybody knows you do, and Chi, the unexpected, and explained how they relate to risk—if we do the same things over and over, the chen and chi flip. We have to figure out unique ways of staying ahead and understanding the risk of our vendors.

Making a Vendor Naughty List

After a delicious lunch buffet, and Solutions Showcases presented by Prevalent and Security Scorecard, we returned to hear insights on third party risk and resiliency from industry thought-leader Jim Routh. Routh gave us the frightening example of “Tina and Tony,” the office manager and broker who did not go through the proper authentication processes when using Amazon Web Services. Since “Tony” did not like passwords, there was no encryption or logging, which led to a security researcher finding and publishing the data, ultimately leaving him without a business. The main takeaway from Rouths’ presentation was the need to educate our third party vendors on their configuration of cloud controls. Finally, if you don’t have a vendor naughty list, you should—vendors need to be held accountable to the same high internal standards.

Will China Overtake Us?

Perhaps even more frightening than Routh’s “Tony and Tiny” example were John M. B. O’Connor’s thoughts on supply chain risk. O’Connor, Chief  Executive Officer, J.H. Whitney Investment Management, LLC highlighted the fact that we’re stepping into an unknown domain of technological complexity and the need to pivot hard and fast to global geo-politics, or risk being overtaken by China. O’Connor even cited how Henry Kissinger spent the majority of his career making sure the US was always more important to China than Russia. We need to widen our aperture and observe more broadly in order to put ourselves at the strategic level and fight at the strategic level.

People are the Problem… And the Solution

After this frighteningly eye-opening presentation, O’Connor joined our next panel discussion, which included Jim Routh, Chief Security Officer, Aetna, and Rocco Grillo, Executive Managing Director, Stroz Friedberg, for a discussion on resiliency. They highlighted how people are our biggest strength, but also our biggest vulnerability. We have to use the innovation in technology to shrink the threat of risk and acknowledge that behaviors at every level are subject to continuous monitoring. Redundancy is expensive and useless—we need to define resilience, create a sense of community that can endure stress, and have faith in the resilience of these community members to be strong enough to let go of the superficial senses of privacy.

Maintaining Personal Resilience

Following a brief networking break where attendees were able to mingle with our exhibitors, we returned for a heart-warming discussion on personal resiliency with Ambassador (ret.) Mary Ann Peters, Chief Executive Officer, Carter Center. According to Peters, who has had a long and rewarding career where she had to quickly adapt to different cultures, the top 5 keys to personal resilience are:

1) Be flexible and adapt to change

2) Embrace ambiguity

3) Get tough, but stay charming

4) Learn from mistakes and failures

5) Focus on helping others

Get Your Regulatory Geek On

Day one concluded with a panel discussion on the regulatory landscape, moderated by Ken Mortensen, Data Protection Officer, InterSystems Corporation, with panelists Valerie Abend, Managing Director, Accenture Security; Kevin Greenfield, Director for Bank Information Technology, Office of the Comptroller of the Currency; and Adam Greene, Partner, Davis Wright Tremaine LLP. As we watched Abend get her “regulatory geek” on, we were asked to contemplate our responsibilities in terms of the broader environments. As third party risk analysts, we need to push the needle a bit more, ask ourselves where we are going to start to fix some of the problems, and ensure that we’re operating at the level we need to operate with the level of assurance that every one of our parties is going to be confident in.

Celebrating Day One

We ended the first day of the conference with a reception, sponsored by SecurityScorecard—appetizers, refreshments, and networking with other risk professionals were the perfect conclusion to day one of our 11^th Annual Shared Assessments Summit.

Stay tuned for our summary of day two!

Last week at the Shared Assessments Annual Summit on third party risk, I had the chance to co-facilitate a half-day workshop on The Pivot to Codification of Best Practices of Third Party Risk Management Best Practices, plus moderate a discussion panel on the current privacy landscape.  Not surprising that GDPR was top of mind for many of the over 300 third party risk professional attendees, but so was digital privacy a topic not often deeply discussed when addressing the tenets of third party oversight. But, as risk professionals know, timing is everything. Having a third-party risk summit in Washington D.C during testimony by Facebook Inc. CEO Mark Zuckerberg, made for lively and thought-provoking dialog by participants.

While the starting point of the dialog was on the state of GDPR readiness, the overarching themes started to emerge in a broader context.  So, let’s get the GDPR discussion out of the way, and the tipping point we experienced in our workshop and panel.

Five things on GDPR

1. GDPR enforcement is close – the grace period is ending
2. GDPR is complex due to unintended consequences
3. There are no simple guarantees to determine if your vendors are GDPR compliance
4. Following the data daisy chain is daunting to determine GDPR scope
5. It’s a cloudy legal environment – GDPR guidelines require context and interpretation

The dialog on data maps, data protection impact assessments, data transfers, breach notification, and subcontractors are familiar concepts to most Information Technology, Security, and Risk Professionals. Whether requirements are coming from GDPR, OCC, NY DFS Section 500 or SEC Cybersecurity Disclosure Guidance, the expectations for maturing third party risk oversight are maturing along common themes.

The hype on GDPR has been the fear in the C-Suite of the potential for 4% fines and the burden it will place on many organizations to address new obligations. However, GDPR constructs of Data Controller” and “Data Processor” roles are becoming a more accepted framework internationally when looked at from the data subject point of view.  Implementing data portability and the right to be forgotten are absolutely requirements focused on the rights of the data subject.  At its core, GDPR is all about privacy rights, which is beyond a compliance checklist, but speaks to the culture and ethics of organizations. Focusing on only meeting the “legal” obligation vs. what is “right” thing to do can be short sighted.

Many organizations may be missing an opportunity to treat GDPR readiness as an opportunity to affirm customer trust. Transparency and disclosure of consumer privacy rights should not be simply looked at as a compliance burden, but an opportunity to send a positive message to customers.  Don’t let the customer or data subject become the last area of focus in your readiness and GDPR program management plan.

The consumer theme became even more apparent due to the serendipity of having risk management sessions amid congressional Facebook, Inc. testimony.  The questioning on data sharing and usage disclosures requires looking at this not only from an organizational but consumer’s rights point of view. While the audience makeup was more technology savvy than other conferences I have attended, it was sadly amusing to see how little some of our D.C. legislators knew about how social media works. Data sharing platforms are designed to deliver customized content.  The purpose of the platform is about collecting and using data to sell content and provide a consumer application. Customization can’t occur without collecting and using elements of data. The concept of consent and how it is obtained I think will be the broader implication to reconciling U.S. Privacy Law and EU based models.

We are living in a mobile world that is becoming even more digitally connected, with layers of third party relationships involved in the internet ecosystem. That genie is out of the bottle to use a tired expression, but now that genie is in the cloud, and there is not any going back to the days of analog.

Five things on Digital Privacy

1. Make sure that social media/web marketing providers have contracts that outline not only their obligations but the limitations they must adhere to.
2. For marketers, educate within your organization on the differences between explicit and implicit consent. Likely your own C-Suite may not understand those differences and the limitations on data utilization.
3. Remember that customers have a short attention span and memory of what they agreed to when they signed up for a service. Don’t just inform when a change has occurred but put reminders into ongoing campaigns.
4. Privacy is personal. Just like there are different risk appetites, there are different privacy appetites. Recognize that you must think about customers from both ends of the privacy risk continuum.
5. Don’t just hide the terms in the click agreement – enable privacy preferences with easy to use options. Put the consumer or data subject first.

Our ending privacy take-away to the attendees, was to get yourself a rubber bracelet, commonly used to promote causes, but this time your cause is the consumer or data subject. That privacy bracelet, “What Would Data Subjects Want” is your litmus test to assessing requirements, changes, or interpretation for those gray areas of privacy compliance. So, wear your privacy bracelet with pride as a constant reminder as you navigate the upcoming year of change in privacy and data protection!  #WWDSW

Privacy Panel:  (Moderator) Linnea Solem, President Solem Risk Partners, LLC and Advisory Board Member and Chairperson of the Shared Assessments Program Privacy Working Group; Andrew McDevitt, Sr. Privacy Analyst, Northrop Grumman; Nathan Johnson, Sr. Privacy Manager, Eli Lilley and Company; and Lisa Berry-Tayman, Sr. Manager, Cyberscout Solutions.

Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program, recently sat down with one of our partners, Aravo Solutions, as part of their expert series on third party risk management. Read what Tom has to say about the ways that collaboration can enhance your TPRM program.

Collaboration is a term that makes people either cheer or wince. However, today collaboration is essential to be a successful third party risk manager – the discipline has moved well beyond administrative box-ticking. Now, a strong culture of collaboration can help create the right environment to foster TPRM program excellence, and drive real value for organizations.

If that sounds difficult to achieve, third party risk executives need to become aware that they are not “flying this plane alone,” says Tom Garrubba, Senior Director at Shared Assessments, a member-driven consortium that creates standards around outsourcing, including assessment questionnaires. “Remember, you have a pilot, a co-pilot, a navigator, flight attendants, baggage handlers and others.” All of these stakeholders need to be involved to make TPRM work – and to make it work better.

Below are Garrubba’s six key ways that collaboration can put the right wind into the sails of a TPRM program:

• Become involved in standardization programs. Standardization is on the rise, and will become best practice for firms over the next two or three years, says Garrubba. Programs such as Shared Assessments enable organizations to benefit from a substantial body of knowledge and understanding that has been built up over more than a decade. “When creating a third party risk assessment, there is no need to reinvent the wheel,” says Garrubba. “It is very likely that other organizations have run into similar challenges, or have comparable information needs about the vendors they work with.” Working with a well-known group means that an organization can trust the information and suggestions it is receiving. “Google,” Garrubba says, “is a less reliable source of ideas about what a third party assessment should be asking about.” Being part of a group can help when it comes to new requirements, too. Garrubba worked with the Shared Assessments’ Privacy Committee to develop the Shared Assessments GDPR Data Processor Privacy Toolkit, launched in December 2017. This Tool Kit provides guidance to help organizations conform to the European Union’s (EU) General Data Protection Regulation (GDPR) Article 28. The Tool Kit outlines what companies need to do to comply with this privacy-focused element of the regulation.
• Reach out to your regulators. Around the globe, regulators are beginning to put out more guidance and rules around third party risk. “The US regulators’ Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Appendix J and Office of the Comptroller (OCC) 2013-29 provide a very user-friendly foundation for what third party risk best practice looks like,” says Garrubba. “You don’t have to have a lawyer sitting next to you to understand it. It’s really good guidance on what organizations should be doing.” These regulatory frameworks can provide an excellent starting point for third party risk programs, he says. The EU’s GDPR is also a good framework to understand what a company should be doing around data privacy. Organizations should make sure that, first of all, their programs are complying with all of the necessary rules that may impact them from around the globe, before moving on to enhance their program further. Secondly, a third party program manager can do to enhance the organization’s regulatory relationships is to “document, document, document!” says Garrubba. This gives the regulator the ability to see – quickly and easily – just how well the third party risk program is doing, and to take all of the organization’s efforts into consideration. “You are never going to hit 100% compliance; however, you can hit conformity,” says Garrubba. “Compliance is very black and white, either you have it or you don’t, there is not a lot of grey. There are some regulators who might throw in a touch of grey – that’s more in the lines of conformity, rather than compliance.”
• Bond with your board of directors. Third party risk programs need to have board support. “Otherwise,” says Garrubba, “they can become a paper tiger. If you do not have senior-level support, you are not going to have a successful program.” All policies and processes should be agreed, at least in principle, by senior management and the board – and should be actively promoted by them. As well, senior management and the board are sometimes needed to ensure business units comply with third party programs and the changes they may require. Says Garrubba, “You want to make sure that what you are doing is something that will go across the entire enterprise.” In return, the third party risk program should be sure it is supplying the board of directors and senior management with the information it wants and needs to think constructively about third party risk.
• Have coffee with internal audit, legal, compliance… When creating an assessment questionnaire, it’s important to work with all of the key stakeholders. Says Garrubba, “It’s important that they are on board with what you are doing and that they are helping you shape your questions.” Having several pairs of eyes vet a list of questions can help make sure that the language is clear and that it will achieve the answers needed. A close relationship with internal audit can be particularly fruitful, he says – often internal auditors can provide expertise on not only drafting questions but also analysing the answers.”
• Friend your vendors. “Why do organizations contract with a third party,” asks Garrubba. “Either because it is cheaper or because they don’t have the talent and the technology to do the process themselves.” This implies that a third party has wisdom it can bring to the relationship between the two organizations. “Organizations really should be treating third parties as a component within their organization – they are a partner, treat them like a partner,” he says. “Don’t treat them like a step brother or sister you cannot really stand.” The reality is that the third party may be able to share information that can help the organization, and they in turn may be running their own third party programs that you can learn from. Says Garrubba, “I’ve spoken with companies that have said their third parties made their own company stronger. They looked at what a third party was doing and said, ‘We should be doing this too.'” He also says he’s seen organizations give third parties extra business, to grow the relationship, as a result of benefitting from this kind of collaboration.
• Know your business. Having a good working relationship with the business units is essential, says Garrubba. He says that when he was in previous roles, he used to have coffees, lunches, and dinners with a wide range of internal stakeholders to find out what their upcoming projects were, and better understand the company’s overall business strategy and ability to execute. For example, these conversations often helped ensure that new business opportunities were analysed correctly, keeping in mind the company’s own operations and outsourcing needs for fulfilment. Sometimes, best practices from one business unit could be shared with others. Or a casual conversation can help both the business unit and third party risk feel comfortable that things are just “on track.” Having less formal give-and-take can make it easier to resolve challenges, when they occur, too.

In short, third party risk managers need to be sure they are actively collaborating across the business – and outside the business – to be successful today. Many firms are choosing to support this with a software solution, which can make collaboration easier – by providing a “single source of truth” for data, and a platform through which some key conversations, particularly around specific processes, can take place. Creating the right third party risk environment will enable the correct culture to take root and flourish.

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. His is an internationally recognized subject matter expert and top-rated speaker on third party risk.

Shared Assessments is excited to announce the release of the updated 2018 Shared Assessments Program Tools, which serve organizations for risk management, regardless of size and industry. The Tools help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and termination. The Tools embody a “Trust, but Verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

• 2018 Standardized Information Gathering (SIG) questionnaire for remote assessment;
• 2018 Shared Assessment Standardized Control Assessment (SCA) procedures for performing onsite assessments;
• 2018 Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices; and
• The new EU General Data Protection Regulation (GDPR) Tool Kit

Creating Sustainable Standardization in Today’s High Risk, Cyber-Based Environment
Continuous quality improvement evaluation of the Program Tools and our other third party risk management resources is conducted to ensure that:

• Content updates are in line with modifications in domestic and international regulations, changes in industry standards and guidelines, and the emergence of new risks.
• Program Tools remain relevant in response to the growing and shifting nature of cyber security threats and vulnerabilities.
• A standardized process and tools are available that employ a clear, consistent methodology for third party service provider management strategy and risk control verification assessments to reduce duplication of effort for outsourcers and providers.

Updated 2018 Program Tools
These updated Tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The 2018 Standardized Information Gathering (SIG) Questionnaire

• The SIG employs a holistic set of industry best practices for gathering and assessing information technology, cybersecurity, privacy and data security risks and their corresponding controls. It serves as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information regarding a service provider’s controls. The SIG can also be used proactively by providers, to reduce initial assessment duplication and assessment fatigue.

Enhancements to the 2018 SIG include:

• SIG Scoping: In response to user feedback, the most significant change you will notice is the addition of a new Scoping Tab, which allows for multiple ways to customize the SIG questions for a company’s individual needs. This tab will be the first stop in starting a new SIG. From this tab, the LITE, CORE, or FULL SIG will be available. The CORE SIG is a new designation and will be used for assessing service providers that run business critical functions, data, and systems. It is meant to meet the needs of most assessments.

• Industry References: Updates for 2018 that reflect industry and regulatory standards included:
• New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
• European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
• Content Organization and Updates:
• Tab K. Business Resiliency was updated for current threat environment and recovery planning best practices.
• Tab P. Privacy was updated to reflect current privacy rules, GDPR & domestic rule updates.
• Tab U. System Hardening Standards was updated to reflect new industry best practices.
• Tab V. Cloud Hosting was created to organize cloud security questions into its own separate tab and updated to reflect new industry standards and best practices.
• The total number of questions has been decreased by removing duplication and redundancy.

The 2018 Shared Assessments Standardized Control Assessment (SCA) Procedures – Formerly the Agreed Upon Procedures (AUP)

To better communicate the function of the tool and its alignment with the SIG questionnaire, the Agreed Upon Procedures (AUP) has been renamed the Standardized Control Assessment (SCA) procedures. This name change will also help eliminate any confusion with the formal definition of AUP within the AICPA practice standards, allowing for expansion of general attestation engagements to their client base using the SCA Tool and SCA Report Template.

Enhancements to the 2018 SCA include:

Content Re-Organization and Updates:

• The SCA, and its companion SCA Report Template, have been re-organized to align more closely with the SIG. The updated tool can be utilized for onsite or virtual assessments. All changes to content, including reorganization of section information, contain language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.((AT § 201.03: Agreed-Upon Procedures Engagements. American Institute of Certified Public Accountants (AICPA). June 1, 2001. Statement on Standards for Attestation Agreements (SSAE) No. 10. SSAE No. 11. AICPA. 2015; and as adopted by the Public Company Accounting Oversight Board (PCAOB), April 2003.))
• Section A. Risk Assessment and Treatment procedures have been added for brevity and clarity.
• Section I. Application Security subsections were added to more closely align with the SIG.
• Section K. Business Resiliency was updated for current threat environment and recovery planning best practices.
• Section P. Privacy was updated for current privacy rules, GDPR & domestic regulatory updates.
• Section U. System Hardening Standards were updated to reflect new industry best practices.
• Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
• SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.

Industry References: Updates reflect industry standards and regulatory including:

• New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
• European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
• Open Web Application Security Project (OWASP) Top Ten 2017 Vulnerabilities RC2 Project.

The 2018 Vendor Risk Management Maturity Model (VRMMM)

• Greater adoption of the VRMMM will improve third party risk management overall by assisting industry members in assessing and benchmarking the maturity of their own third party risk management programs. The VRMMM also allows for better benchmarking within and across industries in the annual benchmarking study.
• Access to this benchmarking tool is especially important to organizations new to third party risk and is aligned to the goal of Shared Assessments to advance the art of third party risk management.
• To download the Shared Assessments’ Free VRMMM, go to: www.sharedassessments.org/vrmmm.

GDPR Data Processor Privacy Tool Kit:
This new tool provides guidance for Data Processors who fall under compliance to the of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, stringent new requirements, which go into effect on May 25, 2018. To meet this deadline, organizations are being challenged with the very sizeable task of not only “re-papering” or modifying their vendor arrangements, but also of applying increased vigor in IT and privacy risk assessments to ensure that customer data is being processed according to the controller/processor contractual arrangements, in keeping with the regulation. Direct compliance liability for data protection provisions will now extend to the data processors or vendors.

The Tool Kit is Free: The bundle provides a narrative introduction and a series of mini-tools to help determine how to meet the new requirements that will be imposed on how Controllers (i.e., outsourcers) may appoint and monitor Data Processors (i.e., third party vendors).

Some of the insights provided by this Tool Kit – for both Controllers and Processors:

• Questions to ask your vendors regarding the secure and private handling of your affected customer data.
• Test steps to ensure controls are in effect and are operating as intended.
• A scoping checklist designed to help manage or structure the contract provision tool set needed for compliance.
• Identifying artifacts to support customer data controls and other privacy program efforts.

Members of the Shared Assessments Program can access the tools in the Member section of the website by clicking here. If you are interested in purchasing the Program Tools please contact info@sharedassessments.org.

About the Shared Assessments Program
The Shared Assessments Program is the trusted leader in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle. These resources are creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of Shared Assessments third party risk management resources, including Program Tools, offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments Program (https://sharedassessments.org) is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico.

By Linnea Solem, Chair, Shared Assessments Privacy Committee

On January 28th, organizations worldwide celebrate Data Privacy Day. The goal is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. Each year organizations take this opportunity to spotlight key risk topics for privacy in the coming year. In reviewing 2017 and the potential challenges for data protection in 2018, a common thread in the media landscape is the risks that third parties bring to the table for organizations who need to protect customer data. The web site for Data Privacy Day, www.staysafeonline.org provides a suite of infographics and tools as to why privacy is important for consumers, businesses, organizations, schools, and non-profits. 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.

Personally Identifiable Information (PII) Remains Top Information Risk
The International Association of Privacy Professionals (IAPP) conducted its second annual study of the disclosure statements of 150 publicly traded companies that shows 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% from the prior year. The loss of customer or employee PII remains at the top of the disclosed information-related risks at 87% with reputation harm the greatest potential consequence at 95%. After the risk of a cyber-attack, the #2 risk concern at 69% for surveyed companies was information loss or misuse by business partners or other third parties. That was a jump of 22% over the first report, which emphasizes the criticality of third party oversight and third party risk management. While most organizations indicated that changes in privacy laws and legal standards is a risk, only 10% specifically mentioned the upcoming enforcement of the EU General Data Protection Regulation (GDPR).

Third Party Risk Management a Key Priority in 2018
Changes in data protection regulations and legal standards are top of mind for many organizations in 2018 with the upcoming enforcement milestones of everything from New York State’s Cyber Security regulation to GDPR. In a recent study, the True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even PCI DSS standards. GDPR. The impact of GDPR is not simply that the regulation extends liability directly to the service providers, but has an enforcement mechanism of fines up to $23.6 million or 4% of the total worldwide annual turnover of the company, whatever is higher. It is not surprising then that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

GDPR compliance readiness is challenging to measure since many organizations may not be fully aware that they have triggered heightened compliance obligations. GDPR compliance can be triggered by any organization that stores or processes personal information about European Union citizens, regardless of their location or geographic boundaries. Compliance requirements are specific for data controllers and data processors. Access to personal data is considered a transfer of data from a GDPR viewpoint, triggering the need for strong understandings of data flows, data inventories, and cross border interactions. The concept of knowing where your data is, becomes an even more crucial part of compliance when looking at the third-party ecosystem. Being ready to conform to GDPR will require organizations to implement or expand third party vendor management programs to include third party assurance approaches that require additional due diligence to meet these new requirements.

To help meet this need, the Shared Assessments Program’s Privacy Committee – a leading group of
third party risk management privacy professionals across a variety of industries, has designed a
GDPR Data Processor Privacy Tool Kit to provide preliminary guidance to effectively evaluate and
manage third party risk for “Data Processors” under the GDPR. This GDPR Data Processor Privacy Tool Kit contains tools, checklists and templates that highlight a broad range of privacy-relevant requirements for third party relationships, and identify potential artifacts for review as evidence of conformance with GDPR requirements. The GDPR Data Processor Privacy Tool Kit is designed as a flexible set of tools and templates that any organization can incorporate into their third party risk management structures and processes.

So on this Data Privacy Day, access tools to Be Safe Online, and start to plan for GDPR readiness!

#PrivacyAware and #SAGDPRToolkit

By Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program

I’m often asked during the holiday season to reflect on the year’s setting sun of cyber threats and make predictions on the upcoming year’s threat horizon. Though I’m certainly not Carnac the Magnificent (one of the late Johnny Carson’s most memorable Tonight Show skits) however, kindly allow me to put on my big purple turban, hold an envelope to my head and mutter my three predictions…

“Going Mobile…Big Money…Third and Four.”

(Now let’s open the envelope, blow into it, and extract the answer…)
“Going Mobile” – No, this has nothing to do with the classic up-tempo song from The Who. It is a reference to data breaches through mobile devices. Through encounters with numerous cybersecurity professionals over the past year, I see that there appears to be quite consensus that a breach stemming from mobile devices lies on the horizon. This is understandable, as many organizations (particularly small and mid-sized organizations) continue to grapple with the challenges of securing not only the various mobile operating systems that they’re supporting, but for identifying the applications on these devices that may pose a threat to unauthorized data exposure. As “bring your own device” (BYOD) is increasingly adopted by organizations, it’s prudent to revisit your policies, procedures, practices, and standards to ensure that controls are present that are capable of tackling current, known threats and investigate ways to deal with mobile threats on the horizon.

“Big Money” – I’m predicting big payouts this year, from companies to regulatory agencies, from companies to other companies, and/or from companies to customers (via class-action lawsuits). US regulators, and even the New York Department of Financial Services (NYDFS), have made it clear that organizations must employ – and provide evidence – that a sound security and privacy posture exists ata their organization. Additionally, as the European General Data Protection Regulation (GDPR) goes into full affect this coming May, there’s much chatter in the privacy profession that companies out of compliance with GDPR will be hit hard financially (up to 4% of total turnover) as European data protection authorities (DPA’s) make efforts to show that any organization in possession of European customer data must take this regulation very seriously. The GDPR is no paper tiger – it certainly does have teeth – BIG teeth. Lastly, lawsuits between companies and even class-action lawsuits will result in hefty legal expenses and payouts to affected parties due to poor security or privacy posture. It’s additionally important to note that cybersecurity insurance normally does not cover a legal action brought against your organization.

“Third and Four” – Since we’re heading into NFL post season play, this may sound like “third down with four yards to go;” but since we’re talking cybersecurity, I am referencing third and fourth parties. Hackers are cognizant that most organizations outsource sensitive functions and data. Hackers will identify their targets and begin to scope the companies they’ve most likely contracted to (those that perform or handle certain key functions) and will then position those vendors for attack. Hackers will hunt for “back doors” and exploit any vulnerabilities to access their target’s network, so they can locate, browse, steal, poison (destroy or deploy malware), or highjack (via ransomware) the data on which they’ve set their sights. To prevent this, organizations need to be diligent in performing risk control assessments on their third parties and, where possible, their fourth parties as well. (Note that this effort may require assistance from the third party to examine fourth parties). It’s also extremely wise (and if you’re in a regulated environment, this part is practically mandatory) to participate in cyber and business resilience activities with your “critical” third and fourth parties.
So, now that I’ve made these predictions, I’m curious to see how long I’ll have to wait to see these come true. While I certainly hope none of these predictions come to fruition, given the current state of world we live in, I’m simply being a realist.

Have a safe and secure new year!

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. A nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

By Brad Keller, Chair, Senior Director of Third-Party Strategy, Prevalent, Inc.
Chair, Shared Assessments Assessments VRMMM Committee

Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if just once someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well folks I’m here to do just that.

Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide or share with your vendors, whether it is data that is covered by GDPR and if so what requirements are associated with that type of data. Vendor contracts must be modified to include new language to define the vendors role. Since most vendors will fall under the definition of a Data Processor their responsibilities will be defined by Article 28 of GDPR (however, it is possible to be both a Data Processor and a Data Controller). I could continue with a litany of issues you’ll be faced, but that would just add to your problems not help you solve them.

The Shared Assessment’s Privacy Working Group has developed a Tool Kit to help guide you through the process. Their GDPR Data Processor Privacy Tool Kit has everything you need: the processes you need to have in place to identify and map customer data; samples of model contract provisions to get your vendor contracts in compliance; lists of documentation you’ll need to obtain; an updated privacy survey to obtain the information you need to assess your vendor’s GDPR privacy readiness; and, many other useful resource documents. The best part about the Tool Kit is that it’s free and can be downloaded on their web site https://sharedassessments.org/gdpr-tool-kit/ .

The Shared Assessments Standard Information Gathering Questionnaire (SIG) already contains the information you need to determine if your vendors have adequate IT security controls in place. Now with the help of the GDPR Processor Privacy Tool Kit addressing data privacy concerns, you’ll have what you need to make sure your vendors are ready for GDPR.

We are looking forward to the release of the 2018 Program Tools coming soon. The Tools follow a “Trust, but Verify” approach for conducting third party risk management assessments and are an important component of the Shared Assessments Framework that help set standards, and through those standards, efficiency, in third party risk management. The Shared Assessments Program Tools are developed using the collective intelligence of member organizations. Our members bring their expertise in cybersecurity, risk management and privacy as well as their knowledge of the regulatory landscape and specific vertical industry needs to the development of the Tools, which are updated to keep the tools current and effective.

The 2018 Program Tools will include:

• 2018 Standardized Information Gathering (SIG) Questionnaire;
• 2018 Shared Assessments Standardized Control Assessment (SCA) procedures (Formerly the Agreed Upon Procedures (AUP));
• 2018 Vendor Risk Management Maturity Model (VRMMM); and
• The new General Data Protection Regulation (GDPR) Tool Kit

SIG Enhancements:

We are excited about a new capability in the 2018 SIG – a Scoping Tab that will allow multiple ways to customize the SIG for a company’s individual needs. The Scoping Tab will allow for a SIG LITE, FULL SIG, and a new CORE SIG designed for assessing service providers that run business critical functions, data and systems. It was created to meet the needs of most assessments. In addition, content changes were made to reflect the current regulatory and threat environment, including the European Union (EU) GDPR Privacy rules, and the total number of questions was decreased by removing duplication and redundancy.

Standardized Control Assessment (SCA):

To better communicate the function of the “Verify” portion of our “Trust, but Verify” approach, the formerly titled Agreed-Upon Procedures (AUP) used for performing onsite assessments, was renamed the Standardized Control Assessment (SCA) procedures and was thoroughly reviewed and re-organized to align more closely with the SIG.

VRMMM:

The VRMMM will continue to allow companies to benchmark the maturity of  their third party risk programs. It is also the basis of the annual Vendor Risk Management Benchmark Study, recently released that allows Shared Assessments and Protiviti to analyze third party risk program maturity across verticals and over time.,

We will continue to offer the VRMMM free as a tool to assist the industry.

GDPR:  Data Processor Privacy Tool Kit

This new and important tool set provides guidance for Data Processors who fall under compliance to the European Union (EU) General Data Protection Regulation (GDPR) 2016/679, new requirements which will begin to be enforced on May 25, 2018. The Tool Kit contains tools, checklists and templates to help organizations evaluate their readiness and maturity of controls against GDPR privacy requirements. These tools are free and can be used as a standalone privacy assessment or incorporated into a comprehensive Vendor Risk Management program. Download the GDPR: Data Processor Privacy Tool Kit.

Availability

Release of the 2018 Program Tools is slated for late January 2018. The Tools are free to Shared Assessments Program members, or you can purchase the Complete Bundle (all tools above) for $9,000. You may also purchase the standalone version of the SIG for $7,000 or the  SCA for $6,000. If there are any questions about the tool or membership, please contact us.

Part 3 in a series with Kenneth Peterson, Chairman and CEO, Churchill & Harriman

Q. What does the annual Shared Assessments Summit deliver to its audience to further propel education and awareness in healthcare security?

R. “The Shared Assessments Summit brings together senior risk executives to share best practices and latest insights on managing third party risk across the security, healthcare, financial services, transportation and government markets. This annual gathering and the conversations we have among peers throughout the year are tremendously important in helping us stay vigilant and focused on continuously improving the safety and security of our client’s most critical information. We’re excited to serve and collaborate with those we met at the 2017 Summit and help them with their risk management and third party vendor programs.”

Q. Tell me about some of the things you’re working on?

R. We continue to be very privileged to serve a wide array of very discerning clients and to collaborate with an incredible group of people. The depth and breadth of the issues we grapple with each and every day continue to become more and more complex. Therefore, it is incumbent on C&H to constantly hone the techniques we apply for our clients. These techniques have a measurable bearing on our client’s inward facing and outward facing cybersecurity risk management program. We’re able to then replicate those techniques as is appropriate for other clients.

Q. Where does Churchill &Harriman fit into the healthcare security market?

R. “Churchill & Harriman (C&H) is a leading provider of cybersecurity risk management and third party risk assessment services to the healthcare industry as well as the financial services, transportation and ecommerce markets. Certain results that C&H contributes to are formally recognized by the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), the National Health ISAC (NH-ISAC), and the National Directorate of ISACs (NCI Directorate). We’re privileged in that our tools, talents and techniques are being leveraged across industry. Working closely with our partners at Prevalent, Churchill & Harriman is further serving the collective good, providing third party risk management services that benefit the entire health care community.”

Q Help me finish this sentence…if a healthcare organization could only focus on 1-2 critical items for safeguarding their data and operations moving forward they should…
R. “Focus on the implementation and maintenance of a Threat and Vulnerability Management program that enables the organization to acquire and retain a thorough understanding of the threats to their information and operations, the vulnerabilities that those threats can exploit, and the probability of occurrence so that resources can be appropriately managed. Over time threats change, vulnerabilities can change quickly, and probabilities are never static. Therefore, the program must have the ability to take advantage of real time sources of accurate intelligence and information as well as continuous monitoring of their environment so that changes to policy, processes and technology do not fall behind and expose the organization to adverse results.”

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To Learn more about C&H, please email info@chus.com.

Niall Browne is the SVP Trust & Security and CISO, at Domo, a data management platform company. Niall is also the Chair of the “Evaluating Cloud Risk for the Enterprise” white paper produced by the Shared Assessments members.

In the past five years, we have seen tremendous changes in technology, personnel and business practices. Cloud has now become the de-facto industry model for providing computing services. Mobile has become the most common model for accessing data. Cloud platforms are managing billions of Internet of Things (IoT) devices daily, and new exciting developments are evolving, such as microservices, to enable previously unimaginable scalability and efficiencies.

However, with the introduction of enterprise cloud, new audit controls are required to address the use of these new technologies, new service models, and new nuances in how existing audit controls apply to cloud.

The Evaluating Cloud Risk for the Enterprise whitepaper is a Shared Assessment guide that provides step-by-step guidance for enterprise organizations moving their services to the cloud. It assists in helping enterprise organizations create a cloud strategy that will scale across hundreds of their cloud providers, both locally and internationally. I had the privilege of being the chair of this enterprise cloud whitepaper. My role as CISO at Domo, the largest analytics platform in the Cloud and with more than 25% of the Global Fortune 50 companies as customers, enabled me to incorporate some key industry best practices and lessons learned into this whitepaper.

Best Practices for Enterprise Cloud Computing Management

The whitepaper introduces the concept of Common Cloud Controls. These are mature control areas associated with traditional IT services environments, also equally applicable to cloud-based services. These audit mechanisms are considered mature (e.g., anti-virus, background checks, etc.), and there are hundreds of these mature controls that apply to cloud. Organizations can simply use their existing audit vehicles to assess these controls, such as SOC II, ISO 27001, Shared Assessments AUP, etc.

This process should allow an organization to quickly and efficiently evaluate greater than 80% of a cloud provider’s controls, using current audit programs.

This then leaves those control areas that are not typically covered in ISO 27001 or SOC II (e.g., multi-tenancy, containerization, etc.). The whitepaper refers to these as Delta Cloud Controls and provides dozens of practical examples of how to effectively incorporate these control areas into an organization’s cloud strategy and audit program.

The Evaluating Cloud Risk for the Enterprise white paper includes the full list of practical recommendations, questions to discuss with cloud providers and lessons learned for cloud-related control domains, but we have summarized the Cloud Control evaluation steps into some key themes to consider:

Data Management:

What are the controls at each of the four main layers? As public cloud services all run on the same cloud environment, they share the same infrastructure.

Look at the data segmentation and separation controls at the main layers: network, physical, system and application, and evaluate each of the above controls at each layer (e.g., cloud data separation controls are typically weaker or non-existent at the physical layer as there is often no physical separation), requiring controls on the other three layers to be far stronger. Pay particular attention to the application controls, since this is the layer where the majority of critical cloud controls will reside.

Also organizations should understand their role and responsibility as the “data controller” and that of the cloud provider as the “data processor.” Misunderstanding who is responsible for what is one of the leading causes of security and privacy incidents.

Determine whether each customer is provided with a unique encryption key or whether encryption keys are shared. Unique customer keys are a strong control that can render co-mingled data unreadable in the database by another customer.

Ascertain whether customer data will be encrypted at storage and in-network transmissions, across external and internal networks, i.e. cloud provider and their underlying infrastructure (e.g., AWS, Azure). Internal network and datacenter-to-datacenter network encryption is increasingly important; as private or internal networks are susceptible to unauthorized network sniffing.

Location Management:

Where is my data? This is particularly important for cloud providers that may have datacenters and support teams in multiple legal jurisdictions.

It is important to ask your cloud providers to list all the locations that they store, process, transmit or access customer data and whether these are explicitly defined in the contract. Ensuring that the cloud contract documents all the countries or legal jurisdictions where company data will be stored, processed or accessed from is important in helping organizations meet their internal data privacy requirements. It is important to note that simple web access by support from another country is oftentimes considered the same as “data storage” in that country, and as such the full set of security and privacy requirement for data storage can apply.

The evaluation process should include investigating thoroughly any potential conflict in countries’ data privacy and legal requirements. One example is that a data privacy conflict could arise if the customer and cloud provider are located in the US and the provider has multiple datacenters in the US, but also has a datacenter in Germany for disaster recovery and resilience. The US could mandate certain data be deleted (due to a US data privacy requirement), while German law may require that the data be retained (as evidence in a subsequent legal case). In this scenario, the conflict of laws between jurisdictions may place the integrity of the customer data at risk.

User Management:

How is user authentication, authorization and accounting managed? A unified user management model is an essential component of cloud, from a business, usability and security perspective.

Businesses using cloud may be presented with the challenge of integrating their existing identity and log management solutions with that of the cloud provider. Ensure that the cloud provider supports identity federation standards such as SAML or OpenID, so as to help prevent costly and one-off individual integrations.

Once the user is authenticated, the next step is authorization. It is important that the cloud provider can support a granular set of user permissions, so that a customer’s least privilege and separation of duties requirements can be complied followed within that cloud provider’s environment.

Also, ensure that all end user actions, be it write or view, are logged in the cloud and that there is an API available to integrate the log data directly into the customer’s security monitoring tools. This is important so that the customer can monitor their numerous cloud providers from the customer’s Security Operations Center (SOC).

Vendor Management:

How do I assess my cloud vendor? As with any vendor model, an organization can outsource the responsibility for the service, but not the associated risk or accountability.

One of the foundations of cloud is its agile nature, which is inherent in its roots in innovation and rapid change. As such, the classic model of assessing your vendor once per annum does not scale for cloud. Instead companies must build an on-demand vendor monitoring and management program that is based on the continuous level of change in cloud. Where possible, this should mandate that the cloud vendor provides a number of notification requirement triggers, including notification upon substantive security control changes, change of the cloud provider’s relevant vendors (e.g., move from AWS to Azure), or upon certain defined control deficiencies (e.g., an external high level vulnerability remains open for a certain period of time).

One challenge is to ensure the benefit of deploying a cloud solution is not outweighed by the complexity of doing business in the cloud. The cloud provider should provide a single point of contact, a single contract and a single point of accountability to manage the solution end-to-end, independent of what underlying services that they themselves use.

It’s important to guard against an “out of sight, out of mind” mentality: it’s still your data and your service even if it is hosted or directly managed by the cloud provider.

The above are just some of the best practices that can be found in the recently-published Shared Assessments Evaluating Cloud Risk for the Enterprise white paper.

I hope that you find value in the Evaluating Cloud Risk guide and that it becomes an integral component of your cloud vendor management toolkit. The complete whitepaper can be downloaded from here.

This two-part article responds to an increasing number of requests to outline foundational concepts to support Boards and executive managers as they work to define, design and implement best practice-based Third Party Risk Management (TRPM) programs. In particular, this article provides starting point approaches and essential areas for focus for an organization attempting to implement a TPRM program from scratch. The second part will provide key program activities that need definition and implementation at a third party risk management program level within an organization.

Four foundational elements for achieving a successful TPRM program are:

1. Early High-Level Buy-In: Obtaining Board and senior management buy-in is essential, along with the need to set early expectations for ongoing, defined reporting periods and effective metrics for managing and mitigating third party risk. In most cases, this will require a Board and senior management education initiative.
2. Defined Metrics: In parallel with program implementation, a set of program metrics must be developed that includes Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Depending on organization maturity and approach, this can be implemented along with an independent Operational Risk Management (ORM) function implementation and defined program reporting requirements that meet Board and senior management expectations defined from step 1 above.
3. Defined Roles: Clear definition of stakeholder roles and responsibilities at each phase of the framework is needed, as defined in the table below.
4. Address the Effect of Silos on Implementation: This element has to be addressed prior to implementation if the program is to achieve a functional level of effectiveness and maturity. Recommendations and other input from all relevant stakeholders should be sought to provide insight into the true structure and nature of key roles and responsibilities and the perceived effect that silos have on program implementation. Continuous quality improvement (CQI) is an essential element of understanding how silos and other organizational structure elements impact the program as it develops and becomes mature.

The following table will assist in understanding which stakeholders can effectively interact together throughout these four foundational steps.

This concise, considered approach to TPRM program development and execution will assist your organization in reaping the return on investment in risk management programs and help you achieve a program level that responds directly to evolving regulatory, industry and other guidelines and standards and emerging risks. The second part of this article will provide guidance regarding essential activities for implementing a robust TPRM program.

Robert Wilkinson, Chief Strategy Officer at The Santa Fe Group and the Shared Assessments Program has provided support to these organizations for more than 15 years, including as an Advisory Board member and Advisory Board Chair with a deep understanding of results-oriented risk management. He has more than 30 years of extensive global experience developing and implementing enterprise operational risk management solutions focusing on Operations and Technology, having worked in 45 countries and various locations throughout the United States. He has extensive experience interacting with government regulators and addressing regulatory findings.

Shared Assessments finished the 2016 year with 85 new members, a 25% increase over 2015. We closed out the year with a total of 226 members, showing continuing year-over-year growth in the commitment of organizations to improving third party risk management and advancing best practices worldwide.

We’ve come a long way together since Shared Assessments was founded in 2006, when we set out to ease the burden on both outsourcers and third parties by streamlining the cumbersome evaluation process and creating a proven industry standard. Today the Shared Assessments Program’s membership is industry agnostic as companies from across the globe in a variety of industries have adopted the Shared Assessments standards.

The year’s highlights include:

• The Ninth Annual Shared Assessments Summit boasted record attendance by 262 registrants and 39 world class panelists and presenters who gathered to address this year’s theme, The Changing Dynamic of Third Party Risk Assessment.
• We provided roundtables, workshops, training and other educational resources for risk professionals throughout the year.
• We continued our increased international focus, working with organizations with an international presence, as well as those headquartered overseas.
• Release in November of the 2017 Shared Assessments Program Tools, updated to reflect emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent.

2016 Shared Assessments Summit
The Ninth Annual Shared Assessments Summit was held May 18-19, 2016 in Baltimore, MD. The pre-Summit workshops drew more than 100 attendees. And, in keeping with our efforts to recognize the industry champions who are joining together to minimize risk and make our world a safer place to do business, we celebrated several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. You can read more about the Summit here.

International Expansion
In 2016, Shared Assessments expanded its international footprint by working with leaders in the heavily regulated Singapore market to involve them in building best practices for third party risk. Additional roundtables, conference participation and sponsorships were developed in 2016 and will be expanded throughout the UK and Singapore in 2017.

Industry Roundtables
This past year, Shared Assessments convened our members and other thought leaders, providing a venue for:

• Privacy and Shared Assessments Program Tools Development Committees.
• Committees for regulatory compliance awareness and best practices third party risk management and assurance awareness.
• Industry and regional groups in the UK and in the areas of legal and healthcare/pharma.

Shared Assessments convened and/or participated in the following industry roundtables:

• Financial Institution Roundtable – January 2016.
• International Singapore APAC – March 2016.
• Asset Management Roundtable – March 2016.
• 2016 Shared Assessments Summit – May 2016.

2016 Studies and Papers
Member participation in various Committees and Awareness Groups increased drastically in 2016. For instance, the Best Practices Awareness Group increased to over 70 committee members, an increase of 84%. Each of the papers listed below were released in 2016 by Shared Assessments member volunteers and partner member organizations, who also participated in the monthly Member Forum webinars on each of these topics:

• The results of the third annual 2016 Shared Assessments-Protiviti Vendor Risk Management Benchmark Study included new insight into an improving landscape that supports significantly more mature Vendor Risk Component activities among outsourcers.
• The 2016 Tone at the Top and Third Party Risk Survey examines the role of executives in third party risk management in a broad range of industries and the effect of “Tone at the Top” on minimizing business risks within organizations. This study was sponsored by Shared Assessments and conducted by the Ponemon Institute.
• Financial Services Industry Call to Action puts out the call for creating true efficiencies through standardization, cooperation and public-private partnerships focused on critical third party risk management issues in the face of increased connectivity and complexity of critical infrastructure systems both nationally and globally. This is a response to economic and public security being squarely placed at the forefront of risk management in every sector and industry vertical.
• Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program white paper examines and outlines best practice processes for outsourcing companies. This effort was sponsored by the Shared Assessments Program Standardized Information Gathering (SIG) Committee.
• Best Practices Awareness Group White Papers:
  • A Guided Assessment – Shared Assessments Working Group: Onsite Assessment Best Practices Guidelines Shared Assessments white paper discusses best practice assessment and scoping guidelines that are practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope.
  • Building Best Practices in Third Party Risk Management: Involving Procurement white paper examines the tools and framework within which the Procurement function can work closely, efficiently and effectively with all areas of an organization, to help provide partners and regulators with a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship.

• Regulatory Compliance Awareness Group White Paper and Initiatives:
  • It Takes It Takes In-Tune Tone at the Top to Shape an Effective Risk Management Culture white paper addresses the growing consensus that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues.
  • EU General Data Protection Regulation (GDPR) and Brexit have been examined in articles and Member Forum calls.
  • A subject matter expert article was prepared upon invitation by the ISACA Journal, The Tone at the Top – Assessing the Board’s Effectiveness, and accepted for publication and released in November 2016.
  • The Committee prepared a response in May 2016 to a Request for Comments from the Office of Comptroller of the Currency (OCC) on its Supporting Responsible Innovation in the Federal Banking System white paper and conducted ongoing Committee discussions on the issues involved and the June OCC Forum in response to comments..

Shared Assessments Certified Third Party Risk Professional Certification
In 2016, 10 CTPRP in-person workshops were offered. Our Certified Third Party Risk Professional (CTPRP) certification has now trained more than 500 CTPRP certification holders. A new Associate CTPRP designation is now available, announced in September 2016, which is awarded to individuals who have successfully completed the full CTPRP training, yet lack the requisite five-year work experience for the full CTPRP certification. In 2017, we will announce the ability to participate in online CTPRP training opportunities and are expanding CTPRP in-person workshops internationally.

Updated 2017 Program Tools
Shared Assessments Program Tools help organizations create sustainable, organization-wide efficiencies in today’s high risk environment. The tools, which are foundational elements for risk management program assessment and evaluation of third party service provider cybersecurity, IT, privacy, data security and business resiliency controls, are: Standardized Information Gathering (SIG) questionnaire; Agreed Upon Procedures (AUP), a tool for standardized onsite assessments; and the Vendor Risk Management Maturity Model (VRMMM).

The Shared Assessments Program maintains its status as the trusted source for industry standard third party risk assurance leadership, in part through regular identification of modifications in domestic and international regulations, industry standards and guidelines and the emergence of new risks. Evaluation of pertinent changes to the Program Tools is made on an ongoing basis against tool content and related updates. It is the partnership between Shared Assessments and member organizations, which creates the essential industry leadership that helps our members to meet the surge in regulatory, consumer and business scrutiny within the constant landscape of cyber and other security threats and vulnerabilities.

These updated tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns. Changes to the 2017 Program Tools reflect US and International regulatory changes and guidelines, as well as industry specific standards and best practices for gathering and assessing cybersecurity, IT, privacy, data security and business resiliency in an information technology environment to provide a complete picture of service provider controls, with scoring capability for response analysis and reporting.

On the Horizon for 2017
Shared Assessments will continue to provide a professional platform for examining and resolving the critical issues as they emerge in the evolving third party risk landscape, including managing for risk rather than compliance, optimizing third party risk mitigation and leveraging resilience to ensure positive outcomes. Members can sign up to participate in our 2017 initiatives by completing our “request to participate.” More information about each activity and to sign up you can go here.

Deliverables from the working groups and supporting staff from The Santa Fe Group include publications, research studies, speaking opportunities, webinars and podcasts, events and meetings, social media input, and consulting and advisory services. The CTPRP Program will seek to expand its offerings by providing online training opportunities, SIG and AUP master-level course additions and a Certified Third Party Risk Assessor (CTPRA) certification.

2017 committee initiatives include:

• The Best Practices Awareness Group has already released its first white paper of 2017, Continuous Monitoring of Third Party Vendors: Building Best Practices, which discusses moving the needle on longitudinal tracking for more effective processes and more effective decision-making and achieve discernable gains in risk management.
• Other 2017 Best Practices Awareness Group initiatives and white papers include: Vendor Risk Rating for Third Party Management; Assessment of Public Cloud Computing Vendors; and Fourth Party Risk Management.
• The 2017 Regulatory Compliance Awareness Group is working on: Phase II of the Tone at the Top and Third Party Risk project; building a Compliance Maturity Model for Third Party Risk; and examination, and where appropriate response to, both domestic and international regulatory changes in this dynamic area, including GDPR.
• The 2017 Vendor Risk Management Benchmark study, sponsored by our member partner, Protiviti, Inc.
• The 2017 Ponemon-Shared Assessments Study is being developed, with a focus on third party risk management.
• Additional Member Awareness Group committees are being developed for individual sectors, benchmarking, continuous monitoring, cybersecurity, and environmental trend groups. Invitations to participate are being fielded to all members.
• Additional Member Resources are under development, such as a Third Party Risk Management library, which would include the Collaborative Onsite Assessments (COA) Addendum.

Jenny Burke, is a Senior Vice President for Marketing and Communications with The Santa Fe Group, with key responsibilities that include advancing strategy to increase awareness of the Shared Assessments program, grow memberships, improve tool adoption and communicate all the combined efforts of our staff and members. Prior to joining The Santa Fe Group, she has worked both as an independent marketing consultant and in private industry in branding, digital strategy, website redesign, content management and social media for a variety of software, consumer and website clients. Connect with Jenny on LinkedIn.