Shared Assessments Releases Ne...

Charlie Miller 05-15-2018

Shared Assessments has released new Standards for Performing a Standardized Control Assessment (SCA).  The Standards were developed during the past year by a task force comprised of Steering Committee members and staff, and were repeatedly vetted with senior practitioners to ensure they were both reasonable and accomplished the primary goal of improving the consistency of the SCA assessment process.

These new standards are intended for use by any third party risk assessor that utilizes the 2018 (and subsequent) Shared Assessments Standardized Control Assessment (SCA) procedures – formerly the Agreed Upon Procedures (AUP). The SCA is a carefully honed and objective set of testing procedures designed to validate the effectiveness of third party controls through onsite testing. SCA test procedures have been reviewed and updated annually since 2005 and align with the Shared Assessments Standardized Information Gathering (SIG) questionnaire.

The SCA Standards will be used by members of the Shared Assessments Program, tool purchasers and assessment firms (including Certified Public Accounting firms) who hold a license to the SCA procedures. They cover: the purpose; objectives; participants; scope of work; assessor qualifications; limitations; assessment process; reporting; sharing of reports; and quality assurance practices to be followed when performing SCA procedures.

Highlights of the new standards include:

  • Participants: The Assessee and/or the Outsourcer must hold a license to use the SCA, and the Assessment Firm (Assessor) must be a member of the Shared Assessments Program and hold a license to the SCA.
  • Assessor Qualifications: The Lead Assessor for an SCA Engagement must hold a Shared Assessments Certified Third Party Risk Assessor (CTPRA) Certification and a Certified Third Party Risk Professional (CTPRP) Certification.
  • Reporting: The Assessor will utilize the SCA Report Template to document the results of the SCA Engagement.
  • Sharing of Reports: Participants will agree upon any restrictions, limitations or requirements for sharing the SCA Report as part of the contract process.
  • Quality Assurance: The Outsourcer or Assessee will ensure that the Assessment Firm has performed the engagement in accordance with its own internal quality assurance practices and verified that the Assessment Firm is a current member of the Shared Assessments Program.


The compliance date for adherence to SCA Standards is May 31, 2019.


Summit 2018 Day One: Recap...

Jenny Burke 05-08-2018

Our 11th Annual Shared Risk Assessments Summit took place on April 11-12 at the Ritz Carlton in Pentagon City, VA and brought together thought leaders throughout the risk industry. The theme of this year’s Summit was resilience, and our 300+ attendees were able to hear from subject matter experts across an array of different industries on how to stay resilient amongst an abundance of new concerns.


Opening Remarks

The day started with opening remarks from our CEO, Catherine Allen, who discussed these new concerns, namely, cyber warfare, fake news, supply chain disruptions, AI, and IoT, and how to focus on detection strategies—we live in an era of when, not if. Following her opening remarks, she introduced our keynote speaker, and first ever recipient of our new Lifetime Achievement Award, Richard Clarke.


The Importance of Cassandras in Risk

Clarke, CEO of Good Harbor LLC, explained the importance of “Cassandras” in assessing risk. AI, genetic engineering, and the IoT are all current fields where experts have data that proves we are going to have significant problems, but nothing is being done about it.

When it comes to risk management at the national and corporate level, these outlier experts are being ignored. Clarke stressed the importance of systematically looking for Cassandras and being willing to listen to them, despite the risk seeming outlandish, or even laughable.

While we don’t necessarily need to believe the Cassandra, we do need to give them enough credibility to show the data. Companies may need to adjust so that when they start to see what the Cassandra is predicting, they’ll already have contingency plans in place. As risk professionals, we need to take heed of the Cassandras, start making decisions and reallocating resources in order to do things differently, and mitigate the effects of catastrophic events.


New Vulnerabilities

Following Clarke’s eye-opening keynote, we began our first panel discussion entitled, “The Future is Now: Emerging Technologies and the Impact on Controls.” The panel, moderated by Joe Prochaska, Synovus Financial Corp, included Holly Dockery, Sandia National Laboratories; Catherine Lotrionte, Georgetown University; and Jeff DeCoux, Hangar Technology. The panel focused on Artificial Intelligence (AI) and Internet of Things (IoT)—one of the main takeaways was the vulnerability that these new devices open us up to, and how manufacturers need to step up and start involving the entire management team when evaluating the risks and exposures of their devices. Everyone should have visibility into what their technology can do and what the risks could entail.

Frameworks to Make the Dream Work

After a brief networking break, we began our second panel discussion on “Third Party Risk Frameworks.” The panel, moderated by Roger Parsley, Deutsche Bank, included Mark Holladay, Synovus Financial Corporation; Lin Lu, Freddie Mac; and Renee Forney, Capital One; and focused on how third party risk management fits into different organizations. The panel agreed that we are in a new era of risk management, so it’s crucial to increase our skills and expertise in order to fulfill our responsibilities, no matter what the size of our organization. While risk classifications have changed over time, tiering is still important and mission critical vendors are integral to our risk framework, whether we’re at a small company, financial institution, or enterprise corporation. Lin Lu, Freddie Mac, said it best when she stated, “…third party risk is no different than any other risk.” Additionally, the panel touched on how emerging technologies are impacting how we handle third party risk and the importance of scalability. Organizations need to ask themselves:

  • What risks do we have?
  • What risks are we willing to take?
  • What risks are we not willing to take?
  • How does that impact the strategic goals of our business?


Believe in Your Mission

Following the frameworks panel, we enjoyed a case study presented by Prevalent. Brenda Ferraro, Senior Director, led the discussion with customer Bob Maley, Senior Strategist at PayPal. Maley stressed the importance of understanding your company’s mission—if you’re building a program that’s driving your mission, when the regulators and examiners come in, it’s going to be easy. He also introduced the concepts of Chen, the things that everybody knows you do, and Chi, the unexpected, and explained how they relate to risk—if we do the same things over and over, the Chen and Chi flip. We have to figure out unique ways of staying ahead and understanding the risk of our vendors.


Making a Vendor Naughty List

After a delicious lunch buffet, and Solutions Showcases presented by Prevalent and Security Scorecard, we returned to hear insights on third party risk and resiliency from industry thought-leader Jim Routh. Routh gave us the frightening example of “Tina and Tony,” the office manager and broker who did not go through the proper authentication processes when using Amazon Web Services. Since “Tony” did not like passwords, there was no encryption or logging, which led to a security researcher finding and publishing the data, ultimately leaving him without a business. The main takeaway from Routh’s presentation was the need to educate our third party vendors on their configuration of cloud controls. Finally, if you don’t have a vendor naughty list, you should—vendors need to be held accountable to the same high internal standards.


Will China Overtake Us?

Perhaps even more frightening than Routh’s “Tina and Tony” example were John M. B. O’Connor’s thoughts on supply chain risk. O’Connor, Chief Executive Officer, J.H. Whitney Investment Management, LLC, highlighted the fact that we’re stepping into an unknown domain of technological complexity and the need to pivot hard and fast to global geo-politics, or risk being overtaken by China. O’Connor even cited how Henry Kissinger spent the majority of his career making sure the US was always more important to China than Russia. We need to widen our aperture and observe more broadly in order to put ourselves at the strategic level and fight at the strategic level.


People are the Problem… And the Solution

After this frighteningly eye-opening presentation, O’Connor joined our next panel discussion, which included Jim Routh, Chief Security Officer, Aetna, and Rocco Grillo, Executive Managing Director, Stroz Friedberg, for a discussion on resiliency. They highlighted how people are our biggest strength, but also our biggest vulnerability. We have to use the innovation in technology to shrink the threat of risk and acknowledge that behaviors at every level are subject to continuous monitoring. Redundancy is expensive and useless—we need to define resilience, create a sense of community that can endure stress, and have faith in the resilience of these community members to be strong enough to let go of the superficial senses of privacy.

Maintaining Personal Resilience

Following a brief networking break where attendees were able to mingle with our exhibitors, we returned for a heart-warming discussion on personal resiliency with Ambassador (ret.) Mary Ann Peters, Chief Executive Officer, Carter Center. According to Peters, who has had a long and rewarding career where she had to quickly adapt to different cultures, the top 5 keys to personal resilience are:

  1. Be flexible and adapt to change
  2. Embrace ambiguity
  3. Get tough, but stay charming
  4. Learn from mistakes and failures
  5. Focus on helping others


Get Your Regulatory Geek On

Day one concluded with a panel discussion on the regulatory landscape, moderated by Ken Mortensen, Data Protection Officer, InterSystems Corporation, with panelists Valerie Abend, Managing Director, Accenture Security; Kevin Greenfield, Director for Bank Information Technology, Office of the Comptroller of the Currency; and Adam Greene, Partner, Davis Wright Tremaine LLP. As we watched Abend get her “regulatory geek” on, we were asked to contemplate our responsibilities in terms of the broader environments. As third party risk analysts, we need to push the needle a bit more, ask ourselves where we are going to start to fix some of the problems, and ensure that we’re operating at the level we need to operate with the level of assurance that every one of our parties is going to be confident in.


Celebrating Day One

We ended the first day of the conference with a reception, sponsored by SecurityScorecard—appetizers, refreshments, and networking with other risk professionals were the perfect conclusion to day one of our 11th Annual Shared Assessments Summit.


Stay tuned for our summary of day two!





What Would Data Subjects Want?...

Linnea Solem 04-19-2018

Last week at the Shared Assessments Annual Summit on third party risk, I had the chance to co-facilitate a half-day workshop on The Pivot to Codification of Best Practices of Third Party Risk Management Best Practices, plus moderate a discussion panel on the current privacy landscape. Not surprisingly, GDPR was top of mind for many of the over 300 third party risk professional attendees, but so was digital privacy, a topic not often deeply discussed when addressing the tenets of third party oversight. But, as risk professionals know, timing is everything. Having a third party risk summit in Washington, D.C. during testimony by Facebook Inc. CEO Mark Zuckerberg made for lively and thought-provoking dialog by participants.

While the starting point of the dialog was the state of GDPR readiness, overarching themes started to emerge in a broader context. So, let’s get the GDPR discussion out of the way first, and then turn to the tipping point we experienced in our workshop and panel.

Five things on GDPR

  1. GDPR enforcement is close – the grace period is ending
  2. GDPR is complex due to unintended consequences
  3. There are no simple guarantees to determine if your vendors are GDPR compliant
  4. Following the data daisy chain is daunting to determine GDPR scope
  5. It’s a cloudy legal environment – GDPR guidelines require context and interpretation

Data maps, data protection impact assessments, data transfers, breach notification, and subcontractors are familiar concepts to most Information Technology, Security, and Risk Professionals. Whether requirements are coming from GDPR, OCC, NY DFS Section 500 or SEC Cybersecurity Disclosure Guidance, the expectations for third party risk oversight are maturing along common themes.

The hype on GDPR has been the fear in the C-Suite of the potential for 4% fines and the burden it will place on many organizations to address new obligations. However, GDPR’s constructs of “Data Controller” and “Data Processor” roles are becoming a more accepted framework internationally when looked at from the data subject’s point of view. Implementing data portability and the right to be forgotten are absolutely requirements focused on the rights of the data subject. At its core, GDPR is all about privacy rights, which goes beyond a compliance checklist and speaks to the culture and ethics of organizations. Focusing only on meeting the “legal” obligation rather than on what is the “right” thing to do can be short-sighted.

Many organizations may be missing the chance to treat GDPR readiness as an opportunity to affirm customer trust. Transparency and disclosure of consumer privacy rights should not be looked at simply as a compliance burden, but as an opportunity to send a positive message to customers. Don’t let the customer or data subject become the last area of focus in your readiness and GDPR program management plan.

The consumer theme became even more apparent due to the serendipity of having risk management sessions amid congressional Facebook, Inc. testimony. The questioning on data sharing and usage disclosures requires looking at this not only from an organizational point of view but from a consumer’s rights point of view. While the audience makeup was more technology savvy than at other conferences I have attended, it was sadly amusing to see how little some of our D.C. legislators knew about how social media works. Data sharing platforms are designed to deliver customized content. The purpose of the platform is collecting and using data to sell content and provide a consumer application. Customization can’t occur without collecting and using elements of data. I think the concept of consent, and how it is obtained, will be the broader implication for reconciling U.S. privacy law and EU-based models.

We are living in a mobile world that is becoming even more digitally connected, with layers of third party relationships involved in the internet ecosystem. That genie is out of the bottle to use a tired expression, but now that genie is in the cloud, and there is not any going back to the days of analog.

Five things on Digital Privacy

  1. Make sure that social media/web marketing providers have contracts that outline not only their obligations but the limitations they must adhere to.
  2. For marketers, educate within your organization on the differences between explicit and implicit consent. Likely your own C-Suite may not understand those differences and the limitations on data utilization.
  3. Remember that customers have a short attention span and memory of what they agreed to when they signed up for a service. Don’t just inform when a change has occurred but put reminders into ongoing campaigns.
  4. Privacy is personal. Just like there are different risk appetites, there are different privacy appetites. Recognize that you must think about customers from both ends of the privacy risk continuum.
  5. Don’t just hide the terms in the click agreement – enable privacy preferences with easy to use options. Put the consumer or data subject first.

Our closing privacy take-away for the attendees was to get yourself a rubber bracelet, the kind commonly used to promote causes, but this time your cause is the consumer or data subject. That privacy bracelet, “What Would Data Subjects Want,” is your litmus test for assessing requirements, changes, or interpretation in those gray areas of privacy compliance. So, wear your privacy bracelet with pride as a constant reminder as you navigate the upcoming year of change in privacy and data protection! #WWDSW

Privacy Panel: (Moderator) Linnea Solem, President Solem Risk Partners, LLC and Advisory Board Member and Chairperson of the Shared Assessments Program Privacy Working Group; Andrew McDevitt, Sr. Privacy Analyst, Northrop Grumman; Nathan Johnson, Sr. Privacy Manager, Eli Lilly and Company; and Lisa Berry-Tayman, Sr. Manager, Cyberscout Solutions.

The Fraud Implications of Weak...

Bob Jones 03-19-2018

By Bob Jones, Senior Advisor, The Santa Fe Group


There are three different aspects of fraud that are relevant to third parties. The first is defalcations by the third party’s employees exploiting inadequate internal controls.  The second is fraud perpetrated by the principals of the third party. The third, and most common, is data breaches perpetrated by both insiders and outsiders.


As a Certified Fraud Examiner, I subscribe to the Fraud Triangle, defined by noted criminologist Donald Cressey, which describes the three causative elements of occupational white-collar crime. The elements are: pressure (usually an unsharable financial need); perceived opportunity; and the ability to rationalize the act.


Typical rationalizations include: “I’m just borrowing it and will pay it back”; “They’ll never miss it”; “Everybody does it”; “They owe it to me”.  The greater the person’s need, the less opportunity he requires to act.  Conversely, the greater the perceived opportunity, the less need required to act.


Understanding the fraud triangle illustrates the white-collar crime truism that only a trusted employee will steal. I am occasionally engaged by banks to provide independent expert testimony in litigation involving fraud claims. In the last few years most of the lawsuits I have been involved in have been brought against banks by small to mid-sized businesses alleging that their business’ losses arose from their employees’ embezzlements that were facilitated by the bank’s failure to detect those actions. Quite frequently, however, my bank clients are able to show that the embezzlements resulted from the business customer’s employees’ exploiting the lack of effective internal controls at the customer’s level.


Another point of opportunity arises during the confusion and uncertainty endemic in the integration phase of mergers/acquisitions, which offers particularly fertile ground for embezzlement. Employees worried about their future can be tempted to set up their own “severance packages”. Research to resolve imbalances in financial accounts can be delayed because of the assumption that they are the result of errors or carelessness, instead of defalcations. In fact, these periods demand greater scrutiny.


The second aspect is fraud perpetrated by the principals of the third party. A recent example is the February 27, 2018 guilty plea by a senior executive of a large soft drink corporation in a federal prosecution resulting from his incorporating a marketing & promotions firm in his wife’s name. He hired her firm to provide goods and services to his employer, and, over a 10-year period, submitted more than 200 false invoices totaling more than $1.7 million. He is scheduled to be sentenced in June for wire fraud and for failing to report his fraudulent income on his tax returns.


The third, and most common, aspect of fraud is data breaches perpetrated by both insiders and outsiders. While these are most typically considered information security issues, the intent behind acquiring Personally Identifiable Information and/or Protected Health Information through a breach is most often to commit fraud.


What these three aspects have in common is that their impact can be reduced by a sound Third Party Risk Management (TPRM) program that incorporates a vendor selection process that includes elements such as:

  • An assessment of a prospective third party’s internal control regime to ensure it contains basic controls, such as segregation of duties and physical and virtual access control. More rigorous attention needs to be applied in merger/acquisition situations.
  • An assessment of the candidate vendor’s financial viability. With publicly traded firms, that assessment includes audit reports and SEC filings; and with small, privately held firms, a review of tax returns and principals’ backgrounds (education, professional, criminal). This assessment would apply to any prospective third party relationship.
  • Similarly, the outsourcer will want to inquire into the third party’s reputation. Dun & Bradstreet, other business rating companies, client references and social media can provide insight.
  • Vendor responses to Requests for Information (RFI) from an outsourcer can provide valuable information about a prospective vendor’s general suitability; make sure that RFIs include questions dealing with:
    • Licenses and certifications.
    • Ongoing/pending litigation.
    • Operational/fraud loss experience.
    • Insurance coverage, e.g., Errors and Omissions, cyber, etc.
    • Resiliency.
  • Task/service-specific assessments using responses to Requests For Proposal (RFP). RFPs should:
    • Specify outsourced functionality.
    • Specify desired service levels.
    • Specify security hygiene expectations in detail (level should always meet the outsourcer’s internal security expectations).
    • Seek arm’s length security evaluations if recent and relevant.
    • Specify resiliency expectations: disaster recovery, etc.
    • Obtain information for input into an Anti-money laundering, Bribery and Corruption (ABC) check.
    • Specify desired audit rights and commitment to closing open risk related issues within a specified time period.
    • Obtain references.
    • Solicit information about the third party’s third parties who would be deployed to provide the service/function.


Ultimately, preventing fraud from all three of the causative elements relies on robust TPRM program hygiene, which requires that the program ensures the security and other controls at the vendor level always meet the outsourcer’s internal security expectations.


Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for nearly 50 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.





Expert Interview: Tom Garrubba...

Kelly Wagner 02-21-2018

Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program, recently sat down with one of our partners, Aravo Solutions, as part of their expert series on third party risk management. Read what Tom has to say about the ways that collaboration can enhance your TPRM program.

Collaboration is a term that makes people either cheer or wince. However, today collaboration is essential to being a successful third party risk manager – the discipline has moved well beyond administrative box-ticking. Now, a strong culture of collaboration can help create the right environment to foster TPRM program excellence, and drive real value for organizations.

If that sounds difficult to achieve, third party risk executives need to become aware that they are not “flying this plane alone,” says Tom Garrubba, Senior Director at Shared Assessments, a member-driven consortium that creates standards around outsourcing, including assessment questionnaires. “Remember, you have a pilot, a co-pilot, a navigator, flight attendants, baggage handlers and others.” All of these stakeholders need to be involved to make TPRM work – and to make it work better.

Below are Garrubba’s six key ways that collaboration can put the right wind into the sails of a TPRM program:

  • Become involved in standardization programs. Standardization is on the rise, and will become best practice for firms over the next two or three years, says Garrubba. Programs such as Shared Assessments enable organizations to benefit from a substantial body of knowledge and understanding that has been built up over more than a decade. “When creating a third party risk assessment, there is no need to reinvent the wheel,” says Garrubba. “It is very likely that other organizations have run into similar challenges, or have comparable information needs about the vendors they work with.” Working with a well-known group means that an organization can trust the information and suggestions it is receiving. “Google,” Garrubba says, “is a less reliable source of ideas about what a third party assessment should be asking about.” Being part of a group can help when it comes to new requirements, too. Garrubba worked with the Shared Assessments’ Privacy Committee to develop the Shared Assessments GDPR Data Processor Privacy Toolkit, launched in December 2017. This Tool Kit provides guidance to help organizations conform to the European Union’s (EU) General Data Protection Regulation (GDPR) Article 28. The Tool Kit outlines what companies need to do to comply with this privacy-focused element of the regulation.
  • Reach out to your regulators. Around the globe, regulators are beginning to put out more guidance and rules around third party risk. “The US regulators’ Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Appendix J and Office of the Comptroller (OCC) 2013-29 provide a very user-friendly foundation for what third party risk best practice looks like,” says Garrubba. “You don’t have to have a lawyer sitting next to you to understand it. It’s really good guidance on what organizations should be doing.” These regulatory frameworks can provide an excellent starting point for third party risk programs, he says. The EU’s GDPR is also a good framework to understand what a company should be doing around data privacy. Organizations should make sure that, first of all, their programs are complying with all of the necessary rules that may impact them from around the globe, before moving on to enhance their program further. Secondly, what a third party program manager can do to enhance the organization’s regulatory relationships is to “document, document, document!” says Garrubba. This gives the regulator the ability to see – quickly and easily – just how well the third party risk program is doing, and to take all of the organization’s efforts into consideration. “You are never going to hit 100% compliance; however, you can hit conformity,” says Garrubba. “Compliance is very black and white, either you have it or you don’t, there is not a lot of grey. There are some regulators who might throw in a touch of grey – that’s more in the lines of conformity, rather than compliance.”
  • Bond with your board of directors. Third party risk programs need to have board support. “Otherwise,” says Garrubba, “they can become a paper tiger. If you do not have senior-level support, you are not going to have a successful program.” All policies and processes should be agreed, at least in principle, by senior management and the board – and should be actively promoted by them. As well, senior management and the board are sometimes needed to ensure business units comply with third party programs and the changes they may require. Says Garrubba, “You want to make sure that what you are doing is something that will go across the entire enterprise.” In return, the third party risk program should be sure it is supplying the board of directors and senior management with the information it wants and needs to think constructively about third party risk.
  • Have coffee with internal audit, legal, compliance… When creating an assessment questionnaire, it’s important to work with all of the key stakeholders. Says Garrubba, “It’s important that they are on board with what you are doing and that they are helping you shape your questions.” Having several pairs of eyes vet a list of questions can help make sure that the language is clear and that it will achieve the answers needed. A close relationship with internal audit can be particularly fruitful, he says – often internal auditors can provide expertise on not only drafting questions but also analysing the answers.
  • Friend your vendors. “Why do organizations contract with a third party,” asks Garrubba. “Either because it is cheaper or because they don’t have the talent and the technology to do the process themselves.” This implies that a third party has wisdom it can bring to the relationship between the two organizations. “Organizations really should be treating third parties as a component within their organization – they are a partner, treat them like a partner,” he says. “Don’t treat them like a step brother or sister you cannot really stand.” The reality is that the third party may be able to share information that can help the organization, and they in turn may be running their own third party programs that you can learn from. Says Garrubba, “I’ve spoken with companies that have said their third parties made their own company stronger. They looked at what a third party was doing and said, ‘We should be doing this too.’” He also says he’s seen organizations give third parties extra business, to grow the relationship, as a result of benefitting from this kind of collaboration.
  • Know your business. Having a good working relationship with the business units is essential, says Garrubba. He says that when he was in previous roles, he used to have coffees, lunches, and dinners with a wide range of internal stakeholders to find out what their upcoming projects were, and better understand the company’s overall business strategy and ability to execute. For example, these conversations often helped ensure that new business opportunities were analysed correctly, keeping in mind the company’s own operations and outsourcing needs for fulfilment. Sometimes, best practices from one business unit could be shared with others. Or a casual conversation can help both the business unit and third party risk feel comfortable that things are just “on track.” Having less formal give-and-take can make it easier to resolve challenges, when they occur, too.
  • In short, third party risk managers need to be sure they are actively collaborating across the business – and outside the business – to be successful today. Many firms are choosing to support this with a software solution, which can make collaboration easier – by providing a “single source of truth” for data, and a platform through which some key conversations, particularly around specific processes, can take place. Creating the right third party risk environment will enable the correct culture to take root and flourish.

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is an internationally recognized subject matter expert and top-rated speaker on third party risk.

Announcing the 2018 Shared Ass...

Kelly Wagner 01-30-2018

Tools That Empower Vendor Risk Management Confidence

Shared Assessments is excited to announce the release of the updated 2018 Shared Assessments Program Tools, which serve organizations for risk management, regardless of size and industry. The Tools help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and termination. The Tools embody a “Trust, but Verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

  • 2018 Standardized Information Gathering (SIG) questionnaire for remote assessment;
  • 2018 Shared Assessment Standardized Control Assessment (SCA) procedures for performing onsite assessments;
  • 2018 Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices; and
  • The new EU General Data Protection Regulation (GDPR) Tool Kit

Creating Sustainable Standardization in Today’s High Risk, Cyber-Based Environment
Continuous quality improvement evaluation of the Program Tools and our other third party risk management resources is conducted to ensure that:

  • Content updates are in line with modifications in domestic and international regulations, changes in industry standards and guidelines, and the emergence of new risks.
  • Program Tools remain relevant in response to the growing and shifting nature of cyber security threats and vulnerabilities.
  • A standardized process and tools are available that employ a clear, consistent methodology for third party service provider management strategy and risk control verification assessments to reduce duplication of effort for outsourcers and providers.

Updated 2018 Program Tools
These updated Tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The 2018 Standardized Information Gathering (SIG) Questionnaire

  • The SIG employs a holistic set of industry best practices for gathering and assessing information technology, cybersecurity, privacy and data security risks and their corresponding controls. It serves as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information regarding a service provider’s controls. The SIG can also be used proactively by providers, to reduce initial assessment duplication and assessment fatigue.

Enhancements to the 2018 SIG include:

  • SIG Scoping: In response to user feedback, the most significant change you will notice is the addition of a new Scoping Tab, which allows for multiple ways to customize the SIG questions for a company’s individual needs. This tab will be the first stop in starting a new SIG. From this tab, the LITE, CORE, or FULL SIG will be available. The CORE SIG is a new designation and will be used for assessing service providers that run business critical functions, data, and systems. It is meant to meet the needs of most assessments.
  • Industry References: Updates for 2018 that reflect industry and regulatory standards include:
    • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
    • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Content Organization and Updates:
    • Tab K. Business Resiliency was updated for current threat environment and recovery planning best practices.
    • Tab P. Privacy was updated to reflect current privacy rules, GDPR & domestic rule updates.
    • Tab U. System Hardening Standards was updated to reflect new industry best practices.
    • Tab V. Cloud Hosting was created to organize cloud security questions into its own separate tab and updated to reflect new industry standards and best practices.
    • The total number of questions has been decreased by removing duplication and redundancy.

The 2018 Shared Assessments Standardized Control Assessment (SCA) Procedures – Formerly the Agreed Upon Procedures (AUP)

To better communicate the function of the tool and its alignment with the SIG questionnaire, the Agreed Upon Procedures (AUP) has been renamed the Standardized Control Assessment (SCA) procedures. This name change will also help eliminate any confusion with the formal definition of AUP within the AICPA practice standards, allowing for expansion of general attestation engagements to their client base using the SCA Tool and SCA Report Template.

Enhancements to the 2018 SCA include:

Content Re-Organization and Updates:

  • The SCA, and its companion SCA Report Template, have been re-organized to align more closely with the SIG. The updated tool can be utilized for onsite or virtual assessments. All changes to content, including reorganization of section information, contain language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards. (Reference: AT § 201.03: Agreed-Upon Procedures Engagements. American Institute of Certified Public Accountants (AICPA). June 1, 2001. Statement on Standards for Attestation Engagements (SSAE) No. 10; SSAE No. 11. AICPA. 2015; and as adopted by the Public Company Accounting Oversight Board (PCAOB), April 2003.)
  • Section A. Risk Assessment and Treatment procedures have been added for brevity and clarity.
  • Section I. Application Security subsections were added to more closely align with the SIG.
  • Section K. Business Resiliency was updated for current threat environment and recovery planning best practices.
  • Section P. Privacy was updated for current privacy rules, GDPR & domestic regulatory updates.
  • Section U. System Hardening Standards were updated to reflect new industry best practices.
  • Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
  • SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.

Industry References: Updates reflect industry standards and regulations, including:

  • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
  • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Open Web Application Security Project (OWASP) Top Ten 2017 Vulnerabilities RC2 Project.

The 2018 Vendor Risk Management Maturity Model (VRMMM)

  • Greater adoption of the VRMMM will improve third party risk management overall by assisting industry members in assessing and benchmarking the maturity of their own third party risk management programs. The VRMMM also allows for better benchmarking within and across industries in the annual benchmarking study.
  • Access to this benchmarking tool is especially important to organizations new to third party risk and is aligned to the goal of Shared Assessments to advance the art of third party risk management.
  • To download the Shared Assessments’ Free VRMMM, go to:

GDPR Data Processor Privacy Tool Kit:
This new tool provides guidance for Data Processors who fall under the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, whose stringent new requirements go into effect on May 25, 2018. To meet this deadline, organizations are being challenged with the very sizeable task of not only “re-papering” or modifying their vendor arrangements, but also of applying increased vigor in IT and privacy risk assessments to ensure that customer data is being processed according to the controller/processor contractual arrangements, in keeping with the regulation. Direct compliance liability for data protection provisions will now extend to the data processors or vendors.

The Tool Kit is Free: The bundle provides a narrative introduction and a series of mini-tools to help determine how to meet the new requirements that will be imposed on how Controllers (i.e., outsourcers) may appoint and monitor Data Processors (i.e., third party vendors).

Some of the insights provided by this Tool Kit – for both Controllers and Processors:

  • Questions to ask your vendors regarding the secure and private handling of your affected customer data.
  • Test steps to ensure controls are in effect and are operating as intended.
  • A scoping checklist designed to help manage or structure the contract provision tool set needed for compliance.
  • Identifying artifacts to support customer data controls and other privacy program efforts.

Members of the Shared Assessments Program can access the tools in the Member section of the website by clicking here. If you are interested in purchasing the Program Tools, please contact

About the Shared Assessments Program
The Shared Assessments Program is the trusted leader in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle. These resources are creating efficiencies and lowering costs for all participants; are kept current with regulations, industry standards and guidelines and the current threat environment; and are adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of Shared Assessments third party risk management resources, including Program Tools, offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group, a strategic advisory company based in Santa Fe, New Mexico.

The State of Data Protection R...

Kelly Wagner 01-22-2018

By Linnea Solem, Chair, Shared Assessments Privacy Committee

On January 28th, organizations worldwide celebrate Data Privacy Day. The goal is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. Each year organizations take this opportunity to spotlight key risk topics for privacy in the coming year. In reviewing 2017 and the potential challenges for data protection in 2018, a common thread in the media landscape is the risks that third parties bring to the table for organizations who need to protect customer data. The web site for Data Privacy Day provides a suite of infographics and tools as to why privacy is important for consumers, businesses, organizations, schools, and non-profits. 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.”

Personally Identifiable Information (PII) Remains Top Information Risk
The International Association of Privacy Professionals (IAPP) conducted its second annual study of the disclosure statements of 150 publicly traded companies, which shows that 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% the prior year. The loss of customer or employee PII remains at the top of the disclosed information-related risks at 87%, with reputation harm the greatest potential consequence at 95%. After the risk of a cyber-attack, the #2 risk concern at 69% for surveyed companies was information loss or misuse by business partners or other third parties. That was a jump of 22% over the first report, which emphasizes the criticality of third party oversight and third party risk management. While most organizations indicated that changes in privacy laws and legal standards are a risk, only 10% specifically mentioned the upcoming enforcement of the EU General Data Protection Regulation (GDPR).

Third Party Risk Management a Key Priority in 2018
Changes in data protection regulations and legal standards are top of mind for many organizations in 2018 with the upcoming enforcement milestones of everything from New York State’s Cyber Security regulation to GDPR. In a recent study, the True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even PCI DSS standards. The impact of GDPR is not simply that the regulation extends liability directly to the service providers, but that it has an enforcement mechanism of fines up to $23.6 million or 4% of the total worldwide annual turnover of the company, whichever is higher. It is not surprising then that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

GDPR compliance readiness is challenging to measure since many organizations may not be fully aware that they have triggered heightened compliance obligations. GDPR compliance can be triggered by any organization that stores or processes personal information about European Union citizens, regardless of their location or geographic boundaries. Compliance requirements are specific for data controllers and data processors. Access to personal data is considered a transfer of data from a GDPR viewpoint, triggering the need for strong understandings of data flows, data inventories, and cross border interactions. The concept of knowing where your data is becomes an even more crucial part of compliance when looking at the third-party ecosystem. Being ready to conform to GDPR will require organizations to implement or expand third party vendor management programs to include third party assurance approaches that require additional due diligence to meet these new requirements.

To help meet this need, the Shared Assessments Program’s Privacy Committee – a leading group of third party risk management privacy professionals across a variety of industries – has designed a GDPR Data Processor Privacy Tool Kit to provide preliminary guidance to effectively evaluate and manage third party risk for “Data Processors” under the GDPR. This GDPR Data Processor Privacy Tool Kit contains tools, checklists and templates that highlight a broad range of privacy-relevant requirements for third party relationships, and identify potential artifacts for review as evidence of conformance with GDPR requirements. The GDPR Data Processor Privacy Tool Kit is designed as a flexible set of tools and templates that any organization can incorporate into their third party risk management structures and processes.

So on this Data Privacy Day, access tools to Be Safe Online, and start to plan for GDPR readiness!

#PrivacyAware and #SAGDPRToolkit

2018 – Three New Year’s Pr...

Kelly Wagner 01-16-2018

By Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program

I’m often asked during the holiday season to reflect on the year’s setting sun of cyber threats and make predictions on the upcoming year’s threat horizon. Though I’m certainly not Carnac the Magnificent (one of the late Johnny Carson’s most memorable Tonight Show skits), kindly allow me to put on my big purple turban, hold an envelope to my head and mutter my three predictions…

“Going Mobile…Big Money…Third and Four.”

(Now let’s open the envelope, blow into it, and extract the answer…)

“Going Mobile” – No, this has nothing to do with the classic up-tempo song from The Who. It is a reference to data breaches through mobile devices. Through encounters with numerous cybersecurity professionals over the past year, I see that there appears to be quite a consensus that a breach stemming from mobile devices lies on the horizon. This is understandable, as many organizations (particularly small and mid-sized organizations) continue to grapple with the challenges of securing not only the various mobile operating systems that they’re supporting, but also of identifying the applications on these devices that may pose a threat of unauthorized data exposure. As “bring your own device” (BYOD) is increasingly adopted by organizations, it’s prudent to revisit your policies, procedures, practices, and standards to ensure that controls are present that are capable of tackling current, known threats, and to investigate ways to deal with mobile threats on the horizon.

“Big Money” – I’m predicting big payouts this year, from companies to regulatory agencies, from companies to other companies, and/or from companies to customers (via class-action lawsuits). US regulators, and even the New York Department of Financial Services (NYDFS), have made it clear that organizations must employ – and provide evidence – that a sound security and privacy posture exists at their organization. Additionally, as the European General Data Protection Regulation (GDPR) goes into full effect this coming May, there’s much chatter in the privacy profession that companies out of compliance with GDPR will be hit hard financially (up to 4% of total turnover) as European data protection authorities (DPAs) make efforts to show that any organization in possession of European customer data must take this regulation very seriously. The GDPR is no paper tiger – it certainly does have teeth – BIG teeth. Lastly, lawsuits between companies and even class-action lawsuits will result in hefty legal expenses and payouts to affected parties due to poor security or privacy posture. It’s additionally important to note that cybersecurity insurance normally does not cover a legal action brought against your organization.

“Third and Four” – Since we’re heading into NFL postseason play, this may sound like “third down with four yards to go;” but since we’re talking cybersecurity, I am referencing third and fourth parties. Hackers are cognizant that most organizations outsource sensitive functions and data. Hackers will identify their targets and begin to scope the companies they’ve most likely contracted to (those that perform or handle certain key functions) and will then position those vendors for attack. Hackers will hunt for “back doors” and exploit any vulnerabilities to access their target’s network, so they can locate, browse, steal, poison (destroy or deploy malware), or hijack (via ransomware) the data on which they’ve set their sights. To prevent this, organizations need to be diligent in performing risk control assessments on their third parties and, where possible, their fourth parties as well. (Note that this effort may require assistance from the third party to examine fourth parties.) It’s also extremely wise (and if you’re in a regulated environment, this part is practically mandatory) to participate in cyber and business resilience activities with your “critical” third and fourth parties.

So, now that I’ve made these predictions, I’m curious to see how long I’ll have to wait to see these come true. While I certainly hope none of these predictions come to fruition, given the current state of the world we live in, I’m simply being a realist.

Have a safe and secure new year!

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

Are Your Vendors Ready for GDP...

Kelly Wagner 01-13-2018

By Brad Keller, Senior Director of Third-Party Strategy, Prevalent, Inc.
Chair, Shared Assessments VRMMM Committee

Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if just once someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well, folks, I’m here to do just that.

Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide or share with your vendors, whether it is data that is covered by GDPR and, if so, what requirements are associated with that type of data. Vendor contracts must be modified to include new language to define the vendor’s role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (however, it is possible to be both a Data Processor and a Data Controller). I could continue with a litany of issues you’ll be faced with, but that would just add to your problems, not help you solve them.

The Shared Assessments Privacy Working Group has developed a Tool Kit to help guide you through the process. Their GDPR Data Processor Privacy Tool Kit has everything you need: the processes you need to have in place to identify and map customer data; samples of model contract provisions to get your vendor contracts in compliance; lists of documentation you’ll need to obtain; an updated privacy survey to obtain the information you need to assess your vendor’s GDPR privacy readiness; and many other useful resource documents. The best part about the Tool Kit is that it’s free and can be downloaded on their web site.

The Shared Assessments Standardized Information Gathering Questionnaire (SIG) already contains the information you need to determine if your vendors have adequate IT security controls in place. Now, with the help of the GDPR Data Processor Privacy Tool Kit addressing data privacy concerns, you’ll have what you need to make sure your vendors are ready for GDPR.

Preview: 2018 Shared Assessmen...

Jenny Burke 12-13-2017

We are looking forward to the release of the 2018 Program Tools coming soon. The Tools follow a “Trust, but Verify” approach for conducting third party risk management assessments and are an important component of the Shared Assessments Framework that help set standards, and through those standards, efficiency, in third party risk management. The Shared Assessments Program Tools are developed using the collective intelligence of member organizations. Our members bring their expertise in cybersecurity, risk management and privacy as well as their knowledge of the regulatory landscape and specific vertical industry needs to the development of the Tools, which are updated to keep the tools current and effective.

The 2018 Program Tools will include:

  • 2018 Standardized Information Gathering (SIG) Questionnaire;
  • 2018 Shared Assessments Standardized Control Assessment (SCA) procedures (Formerly the Agreed Upon Procedures (AUP));
  • 2018 Vendor Risk Management Maturity Model (VRMMM); and
  • The new General Data Protection Regulation (GDPR) Tool Kit

SIG Enhancements:

We are excited about a new capability in the 2018 SIG – a Scoping Tab that will allow multiple ways to customize the SIG for a company’s individual needs. The Scoping Tab will allow for a SIG LITE, FULL SIG, and a new CORE SIG designed for assessing service providers that run business critical functions, data and systems. It was created to meet the needs of most assessments. In addition, content changes were made to reflect the current regulatory and threat environment, including the European Union (EU) GDPR Privacy rules, and the total number of questions was decreased by removing duplication and redundancy.

Standardized Control Assessment (SCA):

To better communicate the function of the “Verify” portion of our “Trust, but Verify” approach, the formerly titled Agreed-Upon Procedures (AUP) used for performing onsite assessments, was renamed the Standardized Control Assessment (SCA) procedures and was thoroughly reviewed and re-organized to align more closely with the SIG.

Vendor Risk Management Maturity Model (VRMMM):

The VRMMM will continue to allow companies to benchmark the maturity of their third party risk programs. It is also the basis of the annual Vendor Risk Management Benchmark Study, recently released, which allows Shared Assessments and Protiviti to analyze third party risk program maturity across verticals and over time.

We will continue to offer the VRMMM free as a tool to assist the industry.

GDPR:  Data Processor Privacy Tool Kit

This new and important tool set provides guidance for Data Processors who fall under compliance to the European Union (EU) General Data Protection Regulation (GDPR) 2016/679, new requirements which will begin to be enforced on May 25, 2018. The Tool Kit contains tools, checklists and templates to help organizations evaluate their readiness and maturity of controls against GDPR privacy requirements. These tools are free and can be used as a standalone privacy assessment or incorporated into a comprehensive Vendor Risk Management program. Download the GDPR: Data Processor Privacy Tool Kit.

Release of the 2018 Program Tools is slated for late January 2018. The Tools are free to Shared Assessments Program members, or you can purchase the Complete Bundle (all tools above) for $9,000. You may also purchase the standalone version of the SIG for $7,000 or the SCA for $6,000. If there are any questions about the tools or membership, please contact us.