Shared Assessments has released its updated 2020 Third Party Risk Management (TPRM) Toolkit which supports organizations in their vendor risk management efforts, regardless of size and industry. The Toolkit elements help both Outsourcers and third party providers meet regulatory, consumer and business scrutiny within the constantly evolving cyber and other security threat landscape.
Shared Assessments keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as: NIST 800-53r4, NIST CSF 1.1, FFIEC CAT Tool, ISO 2700X, GDPR, emerging CCPA regulation and PCI 3.2.1. That knowledge is used to refine the new Toolkit, which includes multiple Tools that embody a substantiation-based, standardized, efficient methodology for a comprehensive “Trust, but Verify” approach to TPRM.
The 2020 Shared Assessments TPRM Toolkit includes:
- Standardized Information Gathering (SIG) Questionnaire Tools
- Standardized Control Assessment (SCA) Procedure Tools
- Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
- Third Party Privacy Tools – NEW
Updates to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from:
- Outsourcers, service providers, licensees, assessment firms and regulators.
- Organizations from start-ups to large, global corporations.
- Industries including Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
- Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and Third Party risk.
The 2020 Toolkit reflects not only updates to the changing regulatory and risk landscape; it also incorporates elements that help our hundreds of members and tool subscribers perform risk assessments that are efficient and fast while still carrying a high degree of assurance. The 2020 Toolkit was built to preserve that standardized excellence in content while making assessments easier to create, customize and manage. The Toolkit elements can work singly, but were built to work together to follow the typical process a Third Party risk practitioner would use to implement their program.
Standardized Information Gathering (SIG) Questionnaire Tools
The 2020 SIG has been streamlined and includes new automation that makes it easier for Outsourcers to manage SIGs, and for service providers to respond to, export and share assessment responses.
- Multiple Questionnaire Management – Service Providers can now manage a SIG for each of their service offerings or environments. When requests from customers come in, service providers can select the best questionnaire for that partner and further customize it when necessary.
- Collaborative Responses – Often, more than one person at an organization must work together to complete a SIG questionnaire, which can add complexity to the response process. In the most recent SIG, questions can be assigned to individuals, and responses seamlessly compiled, easing this process.
- Issue and Remediation Management – A SIG can automatically analyze completed questionnaires against the “right answers”. A SIG Master is an answer key that lets you store your preferred response to each question and rank each question’s importance in a Master Answer Key. Automated reports let you compare your SIG Master against any completed SIG to quickly determine any vendor discrepancies.
- Exportable Responses and Configuration – The SIG can now be exported into a standardized format called JSON that is recognized by many types of software, making sharing simpler and more secure. This allows Shared Assessments’ partners to integrate SIG content into their own tools more easily and improves confidentiality when sharing SIG responses.
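The SIG Master comparison described above, as an added illustration that is not Shared Assessments’ code: the page does not publish the SIG JSON schema, so the question IDs, the field names (preferred, importance, response) and the High/Medium/Low ranks are constructed assumptions. An unanswered question is treated as a discrepancy rather than skipped, and results are ordered by the importance rank stored in the Master.

```python
import json

# Constructed sample data; field names are assumptions, not the real SIG schema.
# A SIG Master stores the preferred response and an importance rank per question.
SIG_MASTER_JSON = """{
  "A.1": {"preferred": "Yes", "importance": "High"},
  "A.2": {"preferred": "Yes", "importance": "Medium"},
  "B.1": {"preferred": "No",  "importance": "Low"},
  "C.1": {"preferred": "Yes", "importance": "High"}
}"""

# A completed SIG exported by a service provider (constructed; C.1 left unanswered).
COMPLETED_SIG_JSON = """{
  "A.1": {"response": "Yes"},
  "A.2": {"response": "No", "comment": "Control planned for next quarter"},
  "B.1": {"response": "No"}
}"""

IMPORTANCE_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def compare_to_master(master_json: str, completed_json: str) -> list:
    """Return each question whose vendor response differs from the SIG Master,
    ordered High -> Low; an unanswered question counts as a discrepancy."""
    master = json.loads(master_json)
    completed = json.loads(completed_json)
    discrepancies = []
    for qid, key in master.items():
        answer = completed.get(qid, {}).get("response")
        if answer is None or answer.strip().lower() != key["preferred"].strip().lower():
            discrepancies.append({
                "question": qid,
                "importance": key["importance"],
                "preferred": key["preferred"],
                "response": "UNANSWERED" if answer is None else answer,
            })
    discrepancies.sort(key=lambda d: (IMPORTANCE_ORDER[d["importance"]], d["question"]))
    return discrepancies


def summarize(discrepancies: list) -> dict:
    """Count discrepancies per importance rank for the management summary."""
    counts = {rank: 0 for rank in IMPORTANCE_ORDER}
    for d in discrepancies:
        counts[d["importance"]] += 1
    return counts
```

Running compare_to_master on the sample data reports C.1 (High, unanswered) before A.2 (Medium, "No" where "Yes" is preferred); A.1 and B.1 match the Master and are not reported.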
Content updates to the 2020 SIG Tools include:
- Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including CCPA and GDPR.
- New Operational Risk Content – New content around ethical sourcing, including money laundering, anti-trust, anti-bribery, call center security, payments compliance and human trafficking.
- Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) risk controls content.
- Mapping – The following ten mappings to Authority Documents are now included within the body of the SIG and can be used for creating questionnaires.
- FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
- FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
- FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
- GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
- HIPAA – U.S. Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
- ISO 2700X – International Standards Organization (ISO) 27001/27002, 2013
- NIST 800-53r4 – NIST 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
- NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), April 2018
- NYDFS 23 NYCRR 500 – New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
- PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS V.3.2.1, February 2018
Standardized Control Assessment (SCA) Procedure Tools
The SCA Tools are a standardized set of assessment procedures that, when combined with the scoping features of the SIG, provide a quick and efficient way to assess service providers during onsite or virtual assessments.
Enhancements to the 2020 SCA include:
- Single worksheet format that enables efficient extraction of data to external platforms.
- Consolidation of optional and standard procedures into one library of test procedures.
- Simplified report format to provide consistency in assessor documentation.
Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced TPRM professionals.
2020 saw changes to VRMMM functionality, including:
- Target Maturity – the flexibility to hide or display Target Maturity ratings when gathering responses to improve respondent objectivity.
- Process Maturity – ability to assess program maturity at the individual criteria level allowing for more granular diagnosis.
- Dynamic Risk Reporting – enhanced executive management reporting dashboard including color coded indicators for maturity gaps.
The VRMMM is an essential element for benchmarking TPRM programs in all industries, so we’ve made it free to both members and non-members. It can be downloaded here.
2020 Third Party Privacy Tools
New for 2020, this set of tools was originally built to meet the demands of GDPR. This year we’ve expanded the Privacy Tools to include requirements from various privacy regulations and framework updates, including CCPA.
The Third Party Privacy Tools include:
- Privacy Tools Implementation Guide which provides users with a summary overview of the Privacy Tools and best practice guidance.
- Privacy Tools Questionnaire, based on the SIG, which focuses on 10 critical privacy risk domains.
- The same Privacy Test Procedures found in the SCA, which align with current international and state privacy changes.
- Target Data Tracker – an updated data governance tool that enhances your ability to document and manage Third Party due diligence artifacts across the life of the relationship.
- Target Data Tracker How-To-Guide providing step-by-step instructions for using the Third Party Privacy Tools.
To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can: