
Expert Interview: Tom Garrubba...

Kelly Wagner 02-21-2018


Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program, recently sat down with one of our partners, Aravo Solutions, as part of their expert series on third party risk management. Read what Tom has to say about the ways that collaboration can enhance your TPRM program.

Collaboration is a term that makes people either cheer or wince. However, today collaboration is essential to be a successful third party risk manager – the discipline has moved well beyond administrative box-ticking. Now, a strong culture of collaboration can help create the right environment to foster TPRM program excellence, and drive real value for organizations.

If that sounds difficult to achieve, third party risk executives need to become aware that they are not “flying this plane alone,” says Tom Garrubba, Senior Director at Shared Assessments, a member-driven consortium that creates standards around outsourcing, including assessment questionnaires. “Remember, you have a pilot, a co-pilot, a navigator, flight attendants, baggage handlers and others.” All of these stakeholders need to be involved to make TPRM work – and to make it work better.

Below are Garrubba’s six key ways that collaboration can put the right wind into the sails of a TPRM program:

  • Become involved in standardization programs. Standardization is on the rise, and will become best practice for firms over the next two or three years, says Garrubba. Programs such as Shared Assessments enable organizations to benefit from a substantial body of knowledge and understanding that has been built up over more than a decade. “When creating a third party risk assessment, there is no need to reinvent the wheel,” says Garrubba. “It is very likely that other organizations have run into similar challenges, or have comparable information needs about the vendors they work with.” Working with a well-known group means that an organization can trust the information and suggestions it is receiving. “Google,” Garrubba says, “is a less reliable source of ideas about what a third party assessment should be asking about.” Being part of a group can help when it comes to new requirements, too. Garrubba worked with the Shared Assessments’ Privacy Committee to develop the Shared Assessments GDPR Data Processor Privacy Toolkit, launched in December 2017. This Tool Kit provides guidance to help organizations conform to the European Union’s (EU) General Data Protection Regulation (GDPR) Article 28. The Tool Kit outlines what companies need to do to comply with this privacy-focused element of the regulation.
  • Reach out to your regulators. Around the globe, regulators are beginning to put out more guidance and rules around third party risk. “The US regulators’ Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Appendix J and Office of the Comptroller (OCC) 2013-29 provide a very user-friendly foundation for what third party risk best practice looks like,” says Garrubba. “You don’t have to have a lawyer sitting next to you to understand it. It’s really good guidance on what organizations should be doing.” These regulatory frameworks can provide an excellent starting point for third party risk programs, he says. The EU’s GDPR is also a good framework for understanding what a company should be doing around data privacy. Organizations should make sure, first of all, that their programs comply with all of the necessary rules that may affect them from around the globe, before moving on to enhance their program further. Secondly, one thing a third party program manager can do to enhance the organization’s regulatory relationships is to “document, document, document!” says Garrubba. This gives the regulator the ability to see – quickly and easily – just how well the third party risk program is doing, and to take all of the organization’s efforts into consideration. “You are never going to hit 100% compliance; however, you can hit conformity,” says Garrubba. “Compliance is very black and white, either you have it or you don’t, there is not a lot of grey. There are some regulators who might throw in a touch of grey – that’s more in the lines of conformity, rather than compliance.”
  • Bond with your board of directors. Third party risk programs need to have board support. “Otherwise,” says Garrubba, “they can become a paper tiger. If you do not have senior-level support, you are not going to have a successful program.” All policies and processes should be agreed, at least in principle, by senior management and the board – and should be actively promoted by them. As well, senior management and the board are sometimes needed to ensure business units comply with third party programs and the changes they may require. Says Garrubba, “You want to make sure that what you are doing is something that will go across the entire enterprise.” In return, the third party risk program should be sure it is supplying the board of directors and senior management with the information it wants and needs to think constructively about third party risk.
  • Have coffee with internal audit, legal, compliance… When creating an assessment questionnaire, it’s important to work with all of the key stakeholders. Says Garrubba, “It’s important that they are on board with what you are doing and that they are helping you shape your questions.” Having several pairs of eyes vet a list of questions can help make sure that the language is clear and that it will achieve the answers needed. A close relationship with internal audit can be particularly fruitful, he says – often internal auditors can provide expertise on not only drafting questions but also analysing the answers.
  • Friend your vendors. “Why do organizations contract with a third party,” asks Garrubba. “Either because it is cheaper or because they don’t have the talent and the technology to do the process themselves.” This implies that a third party has wisdom it can bring to the relationship between the two organizations. “Organizations really should be treating third parties as a component within their organization – they are a partner, treat them like a partner,” he says. “Don’t treat them like a step brother or sister you cannot really stand.” The reality is that the third party may be able to share information that can help the organization, and they in turn may be running their own third party programs that you can learn from. Says Garrubba, “I’ve spoken with companies that have said their third parties made their own company stronger. They looked at what a third party was doing and said, ‘We should be doing this too.’” He also says he’s seen organizations give third parties extra business, to grow the relationship, as a result of benefitting from this kind of collaboration.
  • Know your business. Having a good working relationship with the business units is essential, says Garrubba. He says that when he was in previous roles, he used to have coffees, lunches, and dinners with a wide range of internal stakeholders to find out what their upcoming projects were, and better understand the company’s overall business strategy and ability to execute. For example, these conversations often helped ensure that new business opportunities were analysed correctly, keeping in mind the company’s own operations and outsourcing needs for fulfilment. Sometimes, best practices from one business unit could be shared with others. Or a casual conversation can help both the business unit and third party risk feel comfortable that things are just “on track.” Having less formal give-and-take can make it easier to resolve challenges, when they occur, too.

In short, third party risk managers need to be sure they are actively collaborating across the business – and outside the business – to be successful today. Many firms are choosing to support this with a software solution, which can make collaboration easier – by providing a “single source of truth” for data, and a platform through which some key conversations, particularly around specific processes, can take place. Creating the right third party risk environment will enable the correct culture to take root and flourish.

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is an internationally recognized subject matter expert and top-rated speaker on third party risk.

Announcing the 2018 Shared Ass...

Kelly Wagner 01-30-2018


Tools That Empower Vendor Risk Management Confidence

Shared Assessments is excited to announce the release of the updated 2018 Shared Assessments Program Tools, which serve organizations for risk management, regardless of size and industry. The Tools help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and termination. The Tools embody a “Trust, but Verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

  • 2018 Standardized Information Gathering (SIG) questionnaire for remote assessment;
  • 2018 Shared Assessments Standardized Control Assessment (SCA) procedures for performing onsite assessments;
  • 2018 Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices; and
  • The new EU General Data Protection Regulation (GDPR) Tool Kit

Creating Sustainable Standardization in Today’s High Risk, Cyber-Based Environment
Continuous quality improvement evaluation of the Program Tools and our other third party risk management resources is conducted to ensure that:

  • Content updates are in line with modifications in domestic and international regulations, changes in industry standards and guidelines, and the emergence of new risks.
  • Program Tools remain relevant in response to the growing and shifting nature of cyber security threats and vulnerabilities.
  • A standardized process and tools are available that employ a clear, consistent methodology for third party service provider management strategy and risk control verification assessments to reduce duplication of effort for outsourcers and providers.

Updated 2018 Program Tools
These updated Tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The 2018 Standardized Information Gathering (SIG) Questionnaire

The SIG employs a holistic set of industry best practices for gathering and assessing information technology, cybersecurity, privacy and data security risks and their corresponding controls. It serves as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information regarding a service provider’s controls. The SIG can also be used proactively by providers, to reduce initial assessment duplication and assessment fatigue.

Enhancements to the 2018 SIG include:

  • SIG Scoping: In response to user feedback, the most significant change you will notice is the addition of a new Scoping Tab, which allows for multiple ways to customize the SIG questions for a company’s individual needs. This tab will be the first stop in starting a new SIG. From this tab, the LITE, CORE, or FULL SIG will be available. The CORE SIG is a new designation and will be used for assessing service providers that run business critical functions, data, and systems. It is meant to meet the needs of most assessments.
  • Industry References: Updates for 2018 that reflect industry and regulatory standards included:
    • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
    • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Content Organization and Updates:
    • Tab K. Business Resiliency was updated for current threat environment and recovery planning best practices.
    • Tab P. Privacy was updated to reflect current privacy rules, GDPR & domestic rule updates.
    • Tab U. System Hardening Standards was updated to reflect new industry best practices.
    • Tab V. Cloud Hosting was created to organize cloud security questions into its own separate tab and updated to reflect new industry standards and best practices.
    • The total number of questions has been decreased by removing duplication and redundancy.

The 2018 Shared Assessments Standardized Control Assessment (SCA) Procedures – Formerly the Agreed Upon Procedures (AUP)

To better communicate the function of the tool and its alignment with the SIG questionnaire, the Agreed Upon Procedures (AUP) has been renamed the Standardized Control Assessment (SCA) procedures. This name change will also help eliminate any confusion with the formal definition of AUP within the AICPA practice standards, allowing for expansion of general attestation engagements to their client base using the SCA Tool and SCA Report Template.

Enhancements to the 2018 SCA include:

Content Re-Organization and Updates:

  • The SCA, and its companion SCA Report Template, have been re-organized to align more closely with the SIG. The updated tool can be utilized for onsite or virtual assessments. All changes to content, including reorganization of section information, contain language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards (AT § 201.03: Agreed-Upon Procedures Engagements. American Institute of Certified Public Accountants (AICPA). June 1, 2001. Statement on Standards for Attestation Agreements (SSAE) No. 10. SSAE No. 11. AICPA. 2015; and as adopted by the Public Company Accounting Oversight Board (PCAOB), April 2003.)
  • Section A. Risk Assessment and Treatment procedures have been added for brevity and clarity.
  • Section I. Application Security subsections were added to more closely align with the SIG.
  • Section K. Business Resiliency was updated for current threat environment and recovery planning best practices.
  • Section P. Privacy was updated for current privacy rules, GDPR & domestic regulatory updates.
  • Section U. System Hardening Standards were updated to reflect new industry best practices.
  • Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
  • SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.

Industry References: Updates reflect industry and regulatory standards, including:

  • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
  • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Open Web Application Security Project (OWASP) Top Ten 2017 Vulnerabilities RC2 Project.

The 2018 Vendor Risk Management Maturity Model (VRMMM)

  • Greater adoption of the VRMMM will improve third party risk management overall by assisting industry members in assessing and benchmarking the maturity of their own third party risk management programs. The VRMMM also allows for better benchmarking within and across industries in the annual benchmarking study.
  • Access to this benchmarking tool is especially important to organizations new to third party risk and is aligned to the goal of Shared Assessments to advance the art of third party risk management.
  • To download the Shared Assessments’ Free VRMMM, go to:

GDPR Data Processor Privacy Tool Kit:
This new tool provides guidance for Data Processors who fall under the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, stringent new requirements which go into effect on May 25, 2018. To meet this deadline, organizations are being challenged with the very sizeable task of not only “re-papering” or modifying their vendor arrangements, but also of applying increased vigor in IT and privacy risk assessments to ensure that customer data is being processed according to the controller/processor contractual arrangements, in keeping with the regulation. Direct compliance liability for data protection provisions will now extend to the data processors or vendors.

The Tool Kit is Free: The bundle provides a narrative introduction and a series of mini-tools to help determine how to meet the new requirements that will be imposed on how Controllers (i.e., outsourcers) may appoint and monitor Data Processors (i.e., third party vendors).

Some of the insights provided by this Tool Kit – for both Controllers and Processors:

  • Questions to ask your vendors regarding the secure and private handling of your affected customer data.
  • Test steps to ensure controls are in effect and are operating as intended.
  • A scoping checklist designed to help manage or structure the contract provision tool set needed for compliance.
  • Identifying artifacts to support customer data controls and other privacy program efforts.

Members of the Shared Assessments Program can access the tools in the Member section of the website by clicking here. If you are interested in purchasing the Program Tools please contact

About the Shared Assessments Program
The Shared Assessments Program is the trusted leader in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle. These resources are creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of Shared Assessments third party risk management resources, including Program Tools, offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group, a strategic advisory company based in Santa Fe, New Mexico.

The State of Data Protection R...

Kelly Wagner 01-22-2018


By Linnea Solem, Chair, Shared Assessments Privacy Committee

On January 28th, organizations worldwide celebrate Data Privacy Day. The goal is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. Each year organizations take this opportunity to spotlight key risk topics for privacy in the coming year. In reviewing 2017 and the potential challenges for data protection in 2018, a common thread in the media landscape is the risks that third parties bring to the table for organizations who need to protect customer data. The web site for Data Privacy Day provides a suite of infographics and tools on why privacy is important for consumers, businesses, organizations, schools, and non-profits. 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.”

Personally Identifiable Information (PII) Remains Top Information Risk
The International Association of Privacy Professionals (IAPP) conducted its second annual study of the disclosure statements of 150 publicly traded companies, which shows that 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% the prior year. The loss of customer or employee PII remains at the top of the disclosed information-related risks at 87%, with reputational harm the greatest potential consequence at 95%. After the risk of a cyber attack, the #2 risk concern, at 69% of surveyed companies, was information loss or misuse by business partners or other third parties. That was a jump of 22% over the first report, which emphasizes the criticality of third party oversight and third party risk management. While most organizations indicated that changes in privacy laws and legal standards are a risk, only 10% specifically mentioned the upcoming enforcement of the EU General Data Protection Regulation (GDPR).

Third Party Risk Management a Key Priority in 2018
Changes in data protection regulations and legal standards are top of mind for many organizations in 2018, with the upcoming enforcement milestones of everything from New York State’s Cyber Security regulation to GDPR. In a recent study, the True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even the PCI DSS standards. The impact of GDPR is not simply that the regulation extends liability directly to the service providers; it also has an enforcement mechanism of fines up to $23.6 million or 4% of the total worldwide annual turnover of the company, whichever is higher. It is not surprising, then, that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

GDPR compliance readiness is challenging to measure since many organizations may not be fully aware that they have triggered heightened compliance obligations. GDPR compliance can be triggered for any organization that stores or processes personal information about European Union citizens, regardless of its location or geographic boundaries. Compliance requirements are specific for data controllers and data processors. Access to personal data is considered a transfer of data from a GDPR viewpoint, triggering the need for a strong understanding of data flows, data inventories, and cross border interactions. The concept of knowing where your data is becomes an even more crucial part of compliance when looking at the third-party ecosystem. Being ready to conform to GDPR will require organizations to implement or expand third party vendor management programs to include third party assurance approaches that require additional due diligence to meet these new requirements.

To help meet this need, the Shared Assessments Program’s Privacy Committee – a leading group of third party risk management privacy professionals across a variety of industries – has designed a GDPR Data Processor Privacy Tool Kit to provide preliminary guidance to effectively evaluate and manage third party risk for “Data Processors” under the GDPR. This GDPR Data Processor Privacy Tool Kit contains tools, checklists and templates that highlight a broad range of privacy-relevant requirements for third party relationships, and identify potential artifacts for review as evidence of conformance with GDPR requirements. The GDPR Data Processor Privacy Tool Kit is designed as a flexible set of tools and templates that any organization can incorporate into their third party risk management structures and processes.

So on this Data Privacy Day, access tools to Be Safe Online, and start to plan for GDPR readiness!

#PrivacyAware and #SAGDPRToolkit

2018 – Three New Year’s Pr...

Kelly Wagner 01-16-2018


By Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program

I’m often asked during the holiday season to reflect on the year’s setting sun of cyber threats and make predictions on the upcoming year’s threat horizon. Though I’m certainly not Carnac the Magnificent (one of the late Johnny Carson’s most memorable Tonight Show skits), kindly allow me to put on my big purple turban, hold an envelope to my head and mutter my three predictions…

“Going Mobile…Big Money…Third and Four.”

(Now let’s open the envelope, blow into it, and extract the answer…)
“Going Mobile” – No, this has nothing to do with the classic up-tempo song from The Who. It is a reference to data breaches through mobile devices. Through encounters with numerous cybersecurity professionals over the past year, I see that there appears to be quite a consensus that a breach stemming from mobile devices lies on the horizon. This is understandable, as many organizations (particularly small and mid-sized organizations) continue to grapple with the challenges of securing not only the various mobile operating systems that they’re supporting, but also of identifying the applications on these devices that may pose a threat of unauthorized data exposure. As “bring your own device” (BYOD) is increasingly adopted by organizations, it’s prudent to revisit your policies, procedures, practices, and standards to ensure that controls are present that are capable of tackling current, known threats, and to investigate ways to deal with mobile threats on the horizon.

“Big Money” – I’m predicting big payouts this year, from companies to regulatory agencies, from companies to other companies, and/or from companies to customers (via class-action lawsuits). US regulators, and even the New York Department of Financial Services (NYDFS), have made it clear that organizations must employ – and provide evidence – that a sound security and privacy posture exists at their organization. Additionally, as the European General Data Protection Regulation (GDPR) goes into full effect this coming May, there’s much chatter in the privacy profession that companies out of compliance with GDPR will be hit hard financially (up to 4% of total turnover) as European data protection authorities (DPAs) make efforts to show that any organization in possession of European customer data must take this regulation very seriously. The GDPR is no paper tiger – it certainly does have teeth – BIG teeth. Lastly, lawsuits between companies and even class-action lawsuits will result in hefty legal expenses and payouts to affected parties due to poor security or privacy posture. It’s additionally important to note that cybersecurity insurance normally does not cover a legal action brought against your organization.

“Third and Four” – Since we’re heading into NFL post-season play, this may sound like “third down with four yards to go;” but since we’re talking cybersecurity, I am referencing third and fourth parties. Hackers are cognizant that most organizations outsource sensitive functions and data. Hackers will identify their targets and begin to scope the companies they’ve most likely contracted to (those that perform or handle certain key functions) and will then position those vendors for attack. Hackers will hunt for “back doors” and exploit any vulnerabilities to access their target’s network, so they can locate, browse, steal, poison (destroy or deploy malware), or hijack (via ransomware) the data on which they’ve set their sights. To prevent this, organizations need to be diligent in performing risk control assessments on their third parties and, where possible, their fourth parties as well. (Note that this effort may require assistance from the third party to examine fourth parties.) It’s also extremely wise (and if you’re in a regulated environment, this part is practically mandatory) to participate in cyber and business resilience activities with your “critical” third and fourth parties.

So, now that I’ve made these predictions, I’m curious to see how long I’ll have to wait to see these come true. While I certainly hope none of these predictions come to fruition, given the current state of the world we live in, I’m simply being a realist.

Have a safe and secure new year!

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

Are Your Vendors Ready for GDP...

Kelly Wagner 01-13-2018


By Brad Keller, Senior Director of Third-Party Strategy, Prevalent, Inc.
Chair, Shared Assessments VRMMM Committee

Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if just once someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well folks, I’m here to do just that.

Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide or share with your vendors, whether it is data that is covered by GDPR and, if so, what requirements are associated with that type of data. Vendor contracts must be modified to include new language to define the vendor’s role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (however, it is possible to be both a Data Processor and a Data Controller). I could continue with a litany of issues you’ll be faced with, but that would just add to your problems rather than help you solve them.

The Shared Assessments’ Privacy Working Group has developed a Tool Kit to help guide you through the process. Their GDPR Data Processor Privacy Tool Kit has everything you need: the processes you need to have in place to identify and map customer data; samples of model contract provisions to get your vendor contracts in compliance; lists of documentation you’ll need to obtain; an updated privacy survey to obtain the information you need to assess your vendor’s GDPR privacy readiness; and many other useful resource documents. The best part about the Tool Kit is that it’s free and can be downloaded on their web site.

The Shared Assessments Standardized Information Gathering Questionnaire (SIG) already contains the information you need to determine if your vendors have adequate IT security controls in place. Now, with the help of the GDPR Data Processor Privacy Tool Kit addressing data privacy concerns, you’ll have what you need to make sure your vendors are ready for GDPR.

Preview: 2018 Shared Assessmen...

Jenny Burke 12-13-2017


We are looking forward to the release of the 2018 Program Tools coming soon. The Tools follow a “Trust, but Verify” approach for conducting third party risk management assessments and are an important component of the Shared Assessments Framework that help set standards, and through those standards, efficiency, in third party risk management. The Shared Assessments Program Tools are developed using the collective intelligence of member organizations. Our members bring their expertise in cybersecurity, risk management and privacy as well as their knowledge of the regulatory landscape and specific vertical industry needs to the development of the Tools, which are updated to keep the tools current and effective.

The 2018 Program Tools will include:

  • 2018 Standardized Information Gathering (SIG) Questionnaire;
  • 2018 Shared Assessments Standardized Control Assessment (SCA) procedures (Formerly the Agreed Upon Procedures (AUP));
  • 2018 Vendor Risk Management Maturity Model (VRMMM); and
  • The new General Data Protection Regulation (GDPR) Tool Kit
SIG Enhancements:

We are excited about a new capability in the 2018 SIG – a Scoping Tab that will allow multiple ways to customize the SIG for a company’s individual needs. The Scoping Tab will allow for a SIG LITE, FULL SIG, and a new CORE SIG designed for assessing service providers that run business critical functions, data and systems. It was created to meet the needs of most assessments. In addition, content changes were made to reflect the current regulatory and threat environment, including the European Union (EU) GDPR Privacy rules, and the total number of questions was decreased by removing duplication and redundancy.
Standardized Control Assessment (SCA):

To better communicate the function of the "Verify" portion of our "Trust, but Verify" approach, the formerly titled Agreed-Upon Procedures (AUP) used for performing onsite assessments were renamed the Standardized Control Assessment (SCA) procedures and were thoroughly reviewed and re-organized to align more closely with the SIG.

Vendor Risk Management Maturity Model (VRMMM):

The VRMMM will continue to allow companies to benchmark the maturity of their third party risk programs. It is also the basis of the recently released annual Vendor Risk Management Benchmark Study, which allows Shared Assessments and Protiviti to analyze third party risk program maturity across verticals and over time.

We will continue to offer the VRMMM free as a tool to assist the industry.


GDPR: Data Processor Privacy Tool Kit

This new and important tool set provides guidance for Data Processors who are subject to the European Union (EU) General Data Protection Regulation (GDPR) 2016/679, new requirements which will begin to be enforced on May 25, 2018. The Tool Kit contains tools, checklists and templates to help organizations evaluate their readiness and the maturity of their controls against GDPR privacy requirements. These tools are free and can be used as a standalone privacy assessment or incorporated into a comprehensive Vendor Risk Management program. Download the GDPR: Data Processor Privacy Tool Kit.

Release of the 2018 Program Tools is slated for late January 2018. The Tools are free to Shared Assessments Program members, or you can purchase the Complete Bundle (all tools above) for $9,000. You may also purchase the standalone version of the SIG for $7,000 or the SCA for $6,000. If there are any questions about the tools or membership, please contact us.

5 Steps to Take Now to Protect...
Shared Assessments' just-published Ponemon research report The Internet of Things (IoT): A New Era of Third Party Risk provides a great snapshot of current IoT risk management both within an organization's four walls and with the third parties that so often support mission critical activities.

Many of the report’s findings are troublesome: the lack of Board understanding about IoT in the context of both in-house and third party risk management; the lack of an integrated approach to IoT risk management; even the lack of some of the most basic elements required to build an effective IoT risk management program, such as having a complete inventory of IoT devices (only 16% of respondents said they had such an inventory). Those findings come despite the recognition that security incidents related to IoT devices or applications could be catastrophic (94% of survey respondents said they thought such a result could emerge within two years).

What are the consequences of such a large gap between recognized IoT risks and an ability to effectively mitigate them? What are the key steps required to close that gap?

Last October's headline-making IoT-based DDoS attack was a small sample of what the future may hold. That attack disrupted a number of websites including Twitter, Netflix, PayPal, Verizon and Comcast, and was orchestrated by the Mirai botnet. That botnet employed "tens of millions" of malware-infected devices connected to the internet (Bloomberg, October 21, 2016).

The Internet of Things report’s key findings provide important insight on how the state of IoT security will play into the evolving threat landscape as the number of IoT devices expands over the next few years.

The Internet of Things results are strongly indicative of a low level of IoT risk management maturity: only 30% of respondents reported that managing third party IoT risks is an organizational priority; only 27% of respondents said their organization allocates sufficient resources to manage third party IoT risks; and only 25% reported that their governing board required assurances that third party IoT risk was being assessed, managed and monitored appropriately. Only 31% of organizations regularly report to the CEO and board on the effectiveness of their third party risk management program. Why?

More than half of respondents said the effectiveness of their organization’s third party risk management program was not a priority for the board and CEO. Perhaps even more disturbing is the perception (by 56% of respondents) that it is not possible to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach. This last finding suggests that many respondents don’t understand what a mature IoT risk management environment would comprise.

The sheer magnitude in the expected growth of IoT devices suggests that a high degree of automation is vital to effective IoT risk management. Industrial firms have had a focus on Operational Technology (OT) for years because of its essential nature in the production process. What is OT? Gartner defines operational technology as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

For those outside of organizations where industrial device control has been a longstanding requirement, the importance of operational technology security may not be second nature. That will change as IoT security concerns emerge, and we'll rapidly see a security environment where information security, IT security, OT security and physical security require close coordination to achieve effective risk mitigation. One key question is how quickly that convergence will occur, and there is ample evidence to suggest that here too we're early on in that maturity process.

Source: Gartner, 2015

No matter how the IoT security ecosystem evolves, there are steps organizations can take now to protect against emerging IoT threats. The most important are these:

  1. Ensure that third-party and IoT risk management processes are defined and operational at all governance levels, up to and including the board.
  2. Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
  3. Enhance third party contracts and policies to include IoT-specific requirements.
  4. Expand third party assessment techniques and processes to ensure the presence and effectiveness of controls specific to IoT devices.
  5. Develop specific sourcing and procurement requirements to ensure that only IoT devices designed with appropriate security functions included and enabled are considered for product selection and acquisition.

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase, where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Best Practices in Third Party ...
Part 3 in a series with Kenneth Peterson, Chairman and CEO, Churchill & Harriman

Q. What does the annual Shared Assessments Summit deliver to its audience to further propel education and awareness in healthcare security?

R. “The Shared Assessments Summit brings together senior risk executives to share best practices and latest insights on managing third party risk across the security, healthcare, financial services, transportation and government markets. This annual gathering and the conversations we have among peers throughout the year are tremendously important in helping us stay vigilant and focused on continuously improving the safety and security of our client’s most critical information. We’re excited to serve and collaborate with those we met at the 2017 Summit and help them with their risk management and third party vendor programs.”

Q. Tell me about some of the things you’re working on?

R. We continue to be very privileged to serve a wide array of very discerning clients and to collaborate with an incredible group of people. The depth and breadth of the issues we grapple with each and every day continue to become more and more complex. Therefore, it is incumbent on C&H to constantly hone the techniques we apply for our clients. These techniques have a measurable bearing on our client’s inward facing and outward facing cybersecurity risk management program. We’re able to then replicate those techniques as is appropriate for other clients.

Q. Where does Churchill & Harriman fit into the healthcare security market?

R. “Churchill & Harriman (C&H) is a leading provider of cybersecurity risk management and third party risk assessment services to the healthcare industry as well as the financial services, transportation and ecommerce markets. Certain results that C&H contributes to are formally recognized by the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), the National Health ISAC (NH-ISAC), and the National Directorate of ISACs (NCI Directorate). We’re privileged in that our tools, talents and techniques are being leveraged across industry. Working closely with our partners at Prevalent, Churchill & Harriman is further serving the collective good, providing third party risk management services that benefit the entire health care community.”

Q. Help me finish this sentence…if a healthcare organization could only focus on 1-2 critical items for safeguarding their data and operations moving forward they should…

R. “Focus on the implementation and maintenance of a Threat and Vulnerability Management program that enables the organization to acquire and retain a thorough understanding of the threats to their information and operations, the vulnerabilities that those threats can exploit, and the probability of occurrence so that resources can be appropriately managed. Over time threats change, vulnerabilities can change quickly, and probabilities are never static. Therefore, the program must have the ability to take advantage of real time sources of accurate intelligence and information as well as continuous monitoring of their environment so that changes to policy, processes and technology do not fall behind and expose the organization to adverse results.”

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To learn more about C&H, please email

Internet of Things (IoT) and T...

In our digital age, everything is connected. Cars can drive themselves, planes can fly themselves, and your refrigerator can use the internet to tell you that you are out of milk and eggs when you are at the grocery store. The era of connectivity and immediacy of data has created a new worldwide web out of normal everyday devices. The concept of the "Internet of Things," or IoT, has created functionality and convenience, but it can also introduce new risks to our ecosystem.

Common definitions of IoT include (from Wikipedia) “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data” and (from OWASP), “the proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data”. IoT is a game changer to consumerism, but also a game changer to the hacktivist. It changes our thinking about risk in typically non-risky areas of our lives, or of our workplace.

Identifying risks in the IoT ecosystem and managing or mitigating them can be daunting for the risk professional. The usual norms of criticality, materiality, and critical infrastructure don't apply neatly when the risk sits in an apparently benign system or device. Dealing with these risks not only impacts the organizations who leverage the technology but also requires organizations to adapt their viewpoints on third party risk.

This past month a joint research project by the Ponemon Institute and the Shared Assessments Program was released, focusing on the Internet of Things: A New Era of Third-Party Risk. The report highlights are shown in this infographic. The sheer volume of connected devices is expected to double in two years, creating more challenges in how to monitor and contain risk. Key themes that emerged from the survey show the concerns risk professionals face:

  • 78% believe loss or theft of data could be caused by IoT
  • 76% think a cyber-attack could be executed through IoT
  • 69% of risk managers don’t regularly report to the C-Suite and Board the effectiveness or maturity of third-party risk oversight programs.

Enabling security for IoT requires a multi-layered approach. Not all organizations consider IoT devices to be endpoints, so those devices may not be monitored, inventoried, or tracked through asset management. Technology will evolve, as will controls. Key areas of focus to assist with maturing risk management for IoT include:

  • Integrate IoT into third party risk management reporting
  • Enhance asset management processes and inventory systems
  • Assess contracts and policies
  • Expand third party controls to identify risks/controls unique to IoT devices
  • Broaden security and awareness training to include IoT themes

Web site standards have long been developed by industry groups, through collaboration to enhance the world-wide web. The OWASP Top 10 threats have been table stakes in securing traditional web applications and eCommerce sites. When I first started in web development and eCommerce, the threats we faced were mild in comparison and complexity to our vastly connected world today. The OWASP group has expanded its tool sets and risk focus as IoT has evolved, and it has created the OWASP Internet of Things Project to provide free tools to industry members on how to assess and address the risks of IoT.

We need to continue to embrace technology – the advances make up for the risks. It simply requires industry collaboration and the evolution of our risk viewpoints and perspectives, to ensure we look at risk and third party risk from a multi-dimensional point of view.

The full survey report can be downloaded from

OWASP tools can be seen at

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe's compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Applying a Risk Management App...

jaengen 07-05-2017

Niall Browne is the SVP Trust & Security and CISO at Domo, a data management platform company. Niall is also the Chair of the "Evaluating Cloud Risk for the Enterprise" white paper produced by the Shared Assessments members.

In the past five years, we have seen tremendous changes in technology, personnel and business practices. Cloud has now become the de-facto industry model for providing computing services. Mobile has become the most common model for accessing data. Cloud platforms are managing billions of Internet of Things (IoT) devices daily, and new exciting developments are evolving, such as microservices, to enable previously unimaginable scalability and efficiencies.

However, with the introduction of enterprise cloud, new audit controls are required to address the use of these new technologies, new service models, and new nuances in how existing audit controls apply to cloud.

The Evaluating Cloud Risk for the Enterprise whitepaper is a Shared Assessments guide that provides step-by-step guidance for enterprise organizations moving their services to the cloud. It helps enterprise organizations create a cloud strategy that will scale across hundreds of their cloud providers, both locally and internationally. I had the privilege of being the chair of this enterprise cloud whitepaper. My role as CISO at Domo, the largest analytics platform in the Cloud, with more than 25% of the Global Fortune 50 companies as customers, enabled me to incorporate some key industry best practices and lessons learned into this whitepaper.

Best Practices for Enterprise Cloud Computing Management

The whitepaper introduces the concept of Common Cloud Controls. These are mature control areas associated with traditional IT services environments that are equally applicable to cloud-based services. These audit mechanisms are considered mature (e.g., anti-virus, background checks, etc.), and there are hundreds of these mature controls that apply to cloud. Organizations can simply use their existing audit vehicles to assess these controls, such as SOC II, ISO 27001, Shared Assessments AUP, etc.

This process should allow an organization to quickly and efficiently evaluate greater than 80% of a cloud provider’s controls, using current audit programs.

This then leaves those control areas that are not typically covered in ISO 27001 or SOC II (e.g., multi-tenancy, containerization, etc.). The whitepaper refers to these as Delta Cloud Controls and provides dozens of practical examples of how to effectively incorporate these control areas into an organization’s cloud strategy and audit program.

The Evaluating Cloud Risk for the Enterprise white paper includes the full list of practical recommendations, questions to discuss with cloud providers and lessons learned for cloud-related control domains, but we have summarized the Cloud Control evaluation steps into some key themes to consider:

Data Management:

What are the controls at each of the four main layers? As public cloud services all run on the same cloud environment, they share the same infrastructure.

Look at the data segmentation and separation controls at each of the four main layers: network, physical, system and application. Evaluate the controls at each layer, bearing in mind that cloud data separation controls are typically weaker or non-existent at the physical layer (there is often no physical separation), which requires the controls on the other three layers to be far stronger. Pay particular attention to the application controls, since this is the layer where the majority of critical cloud controls will reside.

Also, organizations should understand their own role and responsibility as the "data controller" and that of the cloud provider as the "data processor." Misunderstanding who is responsible for what is one of the leading causes of security and privacy incidents.

Determine whether each customer is provided with a unique encryption key or whether encryption keys are shared. Unique customer keys are a strong control that can render commingled data in the database unreadable by another customer.

Ascertain whether customer data will be encrypted at rest and in network transmission, across both external and internal networks, i.e. between the cloud provider and its underlying infrastructure (e.g., AWS, Azure). Internal network and datacenter-to-datacenter network encryption is increasingly important, as private or internal networks are susceptible to unauthorized network sniffing.

Location Management:

Where is my data? This is particularly important for cloud providers that may have datacenters and support teams in multiple legal jurisdictions.

It is important to ask your cloud providers to list all the locations where they store, process, transmit or access customer data, and to check whether these are explicitly defined in the contract. Ensuring that the cloud contract documents all the countries or legal jurisdictions where company data will be stored, processed or accessed from helps organizations meet their internal data privacy requirements. Note that simple web access by support staff from another country is often considered the same as "data storage" in that country, and as such the full set of security and privacy requirements for data storage can apply.

The evaluation process should include thoroughly investigating any potential conflict between countries' data privacy and legal requirements. For example, a data privacy conflict could arise if the customer and cloud provider are located in the US and the provider has multiple datacenters in the US, but also has a datacenter in Germany for disaster recovery and resilience. The US could mandate that certain data be deleted (due to a US data privacy requirement), while German law may require that the data be retained (as evidence in a subsequent legal case). In this scenario, the conflict of laws between jurisdictions may place the integrity of the customer data at risk.


User Management:

How is user authentication, authorization and accounting managed? A unified user management model is an essential component of cloud, from a business, usability and security perspective.

Businesses using cloud may be presented with the challenge of integrating their existing identity and log management solutions with those of the cloud provider. Ensure that the cloud provider supports identity federation standards such as SAML or OpenID, so as to help avoid costly, one-off individual integrations.

Once the user is authenticated, the next step is authorization. It is important that the cloud provider can support a granular set of user permissions, so that a customer's least privilege and separation of duties requirements can be followed within that cloud provider's environment.

Also, ensure that all end user actions, be they write or view, are logged in the cloud and that there is an API available to integrate the log data directly into the customer's security monitoring tools. This is important so that the customer can monitor their numerous cloud providers from the customer's Security Operations Center (SOC).


Vendor Management:

How do I assess my cloud vendor? As with any vendor model, an organization can outsource the responsibility for the service, but not the associated risk or accountability.

One of the foundations of cloud is its agile nature, which is inherent in its roots in innovation and rapid change. As such, the classic model of assessing your vendor once per annum does not scale for cloud. Instead, companies must build an on-demand vendor monitoring and management program that is based on the continuous level of change in cloud. Where possible, this should mandate that the cloud vendor provides a number of notification triggers, including notification upon substantive security control changes, upon a change of the cloud provider's relevant vendors (e.g., a move from AWS to Azure), or upon certain defined control deficiencies (e.g., an external high-severity vulnerability remaining open for a certain period of time).

One challenge is to ensure that the benefit of deploying a cloud solution is not outweighed by the complexity of doing business in the cloud. The cloud provider should provide a single point of contact, a single contract and a single point of accountability to manage the solution end-to-end, independent of whatever underlying services they themselves use.

It’s important to guard against an “out of sight, out of mind” mentality: it’s still your data and your service even if it is hosted or directly managed by the cloud provider.

The above are just some of the best practices that can be found in the recently-published Shared Assessments Evaluating Cloud Risk for the Enterprise white paper.

I hope that you find value in the Evaluating Cloud Risk guide and that it becomes an integral component of your cloud vendor management toolkit. The complete whitepaper can be downloaded from here.