Fourth-Party Data Breaches Seen as Latest Threat to Customer Information; Healthcare and Financial Services Primary Targets

FEBRUARY 4, 2014
Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508, or Kelly Stremel,

New 2014 Shared Assessment Program Tools Deliver Comprehensive Assessment of
IT, Privacy and Data Security Controls to Manage Threats

SANTA FE, N.M. — February 4, 2014 — Following one of the largest data breaches in history, The Shared Assessments Program today released an updated version of its Program Tools, to help address the latest threat to customers’ data: fourth-party data breaches. The new 2014 Tools—the Standard Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP) and Vendor Risk Management Maturity Model (VRMMM) for 2014—have been updated to include the latest data protection, privacy and IT security standards and regulations around managing and protecting customer information, by leveraging best practices from vendor risk management professionals in financial services, healthcare and other industries.

The new Program Tools help financial institutions and healthcare organizations assess and measure the security and compliance readiness and risks of their third parties (Business Associates), including software security, cloud, mobile, and fourth-party risks. Updates to the tools address federal regulations, including HIPAA/HITECH and Office of the Comptroller of the Currency (OCC) and Federal Reserve guidance, along with the industry standards and guidelines that organizations must adhere to in order to protect personally identifiable information (PII) and protected health information (PHI). By using the Shared Assessments Program Tools, organizations can conduct rigorous assessments of controls in order to evaluate IT, privacy, and data security risks.

“Organizations that are tasked with managing PII and PHI are facing unprecedented levels of risk compounded by a threat landscape that changes on a daily basis,” commented Catherine Allen, Chairman and CEO of the Santa Fe Group. “The updated Shared Assessment Program Tools for 2014 have been developed and rigorously tested by members representing a cross section of industry leaders in financial services, healthcare, retail, energy, telecommunications and others.”

The Latest Threat: Targeting Industry Service Providers
Risk managers are dealing with an extremely volatile data breach landscape in which many breaches and security incidents happen at the service provider level. Service providers and Business Associates are now held to compliance requirements such as HIPAA/HITECH that demand rigorous diligence in the protection of PHI. The new tools assess the risks and software security readiness of third-party service providers and of the outsourcers those providers themselves use, also referred to as fourth parties.

Shared Assessments is the trusted source for third-party risk management. “The Program’s Tools help us ensure rigor in our evaluations of vendors that touch private data,” said Tom Garrubba, Senior Manager, Technical Assessments Group, CVS Caremark.

Updates to Entire Shared Assessment Toolkit for 2014
The following updates are included in the new release:

  • The Standard Information Gathering Questionnaire (SIG) uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment. Among the enhancements to SIG 2014 is an entirely new section for assessing a vendor’s software security development lifecycle, and the expansion of questions related to service provider outsourcing (fourth-party risks).
  • The Agreed Upon Procedures (AUP) is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. For 2014, a new AUP Report Template allows users of the AUP to track the results of an AUP assessment and generate a clear and concise report of assessment results.
  • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the VRMMM include the ability to score program components to indicate those areas that are currently under development and provide tracking of program improvements over time. The Model now includes a dashboard that displays scores for each component; each foundational program area; and, an overall maturity score for the program. In this new version, the optional functionality allows the user to set threshold maturity levels for program areas to indicate which areas require remediation, and demonstrate areas of improvement over time.

Pricing and Availability
The new tools are available now to all Shared Assessments Members and are included in the annual membership fee. Membership provides opportunities to deepen vendor risk management expertise through members-only meetings, events, teleconferences and regular cross-industry working groups that discuss the regulatory climate, including OCC, Federal Reserve, FFIEC, ISO 27001/27005, PCI, NIST, and HIPAA/HITECH. Non-members can purchase the Shared Assessments Tools either as a bundle or separately.

About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle. The Program creates efficiencies and lowers costs for all participants; it is kept current with regulations, industry standards and guidelines, and the current threat environment; and it has been adopted globally across a broad range of industries, both by service providers and by their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures, Standard Information Gathering questionnaire and Vendor Risk Management Maturity Model), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.