All SBFE Communications: firstname.lastname@example.org
For Shared Assessments, contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-225-0725,
email@example.com or Kelly Stremel, firstname.lastname@example.org
A Repeatable, Consistent Process For Third Party Vendors
SANTA FE, N.M. and CLEVELAND — May 13, 2015 —The Small Business Financial Exchange (SBFE), the leading source of U.S. small business credit information, and member of the Shared Assessments Program, has developed a vendor risk program to address data security needs for third party due diligence and oversight. Based on proven industry third party risk management tools from Shared Assessments, this program will provide SBFE an evidence-based security protocol to ensure robust third party oversight during the entire vendor relationship lifecycle.
Following a thorough review of the Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, SBFE’s working group members agreed the methodology would provide for an objective, consistent and repeatable onsite assessment protocol and would be key for pre-contract due diligence and ongoing monitoring.
“We need a comprehensive methodology that gives us the ability to both examine the existence of IT data, privacy and security controls, and also verify the organizations adherence to those controls. Leveraging the AUP for due diligence as a standardized framework allows us to rigorously assess third parties in advance of and throughout our relationship with a vendor. The AUP from Shared Assessments is central to that process,” said Pete Tannish, director of information security at SBFE.
“We allowed each small business lender in our working group to align the Collaborative AUP against its own corporate requirements to ensure it met their particular needs,” added Tannish. “This collaborative approach is what makes the Shared Assessments program and the Program Tools a vital part of the financial services industry.”
“We applaud SBFE’s stringent due diligence processes to ensure its SBFE Certified Vendors™ are putting the necessary risk controls in place in advance of contracting with them,” said Robin Slade, executive vice president and chief operating officer, The Santa Fe Group, the managing agent for the Shared Assessments Program. “This effort reinforces SBFE’s commitment to fostering robust third party risk oversight.”
Standards-Based Program Tools Empower Vendor Management Confidence
The Shared Assessments Program Tools were developed by its members and are based on international, federal, and industry standards, regulations and guidelines, in order to ensure sensitive outsourced data is protected. The standards are based on ISO-27001/27002, and are aligned with PCI DSS, HIPAA/HITECH, COBIT, NIST Cyber Security Framework, Federal Reserve, Office of the Comptroller of the Currency OCC-2013-29, and FFIEC guidance.
“We have enabled the financial services industry to build a strong third party/vendor risk management capability, using a substantiation-based, standardized and efficient methodology. Now, multiple organizations can assess vendors that provide common services creating significant cost savings and efficiencies for the industry,” added Slade.
About the Shared Assessments Program
The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at https://sharedassessments.org.
About Small Business Financial Exchange, Inc. and SBFE, LLC (SBFE®)
The Small Business Financial Exchange, Inc. and SBFE, LLC (collectively known as SBFE) is the leading source of US small business credit information. Established in 2001 as a non-profit organization, today the exchange houses information on about 24 million businesses in its SBFE Data Warehouse™, and enables blind information exchange among its Members. Through its resources, relationships and SBFE Certified Vendors™, SBFE makes possible innovative risk management solutions by providing industry insight and analysis of aggregated small business financial data to its Members. SBFE sets the highest standards for data quality, integrity of use, data governance and information security for SBFE Data™ to protect its Members and their customers’ information. SBFE is the only Member-controlled organization of its type and is a trusted advocate in promoting the needs of the small business lending community. For more information, visit www.sbfe.org.