Marya Roddis, Vice President of Communications
Santa Fe, NM — January 26, 2016 — Shared Assessments has released its updated 2016 Shared Assessments Program Tools, which allow risk management professionals to respond to the rapidly increasing security threats and vulnerabilities associated with outsourcing, Cloud, mobile and fourth party security issues. These assessment tools serve organizations regardless of size and industry, to meet the recent surge in regulatory, consumer and business scrutiny alongside rapidly increasing threats and vulnerabilities posed by third party service providers, which have led to an onslaught of data breaches in recent months.
“The Shared Assessments Program Tools allow organizations to rigorously assess and manage IT, security, privacy and resiliency risk,” explains Seth Bailey, Director, Information Security of Iron Mountain and the Shared Assessments Program Chair. The tools are: the Standardized Information Gathering (SIG) questionnaire; Agreed Upon Procedures (AUP), used for standardized onsite assessments; and the Vendor Risk Management Maturity Model (VRMMM).
The tools provide a tangible gain in risk management, improving the risk posture at the service provider level over using proprietary questionnaires. The tools can be tailored to an organization’s unique interpretation of regulations, divisional needs and risk appetites.
Creating Sustainable Efficiencies in Today’s High Risk Environment
The Shared Assessments Program Tools have been aligned with a multitude of regulatory guidance and industry standards, most recently including: FFIEC Business Continuity Planning Handbook Appendix J (April 2015); PCI DSS – v3.1 (June 2015); ISO 22301:2012 – Societal security – Business continuity management systems – Requirements (May 2015); NIST Cybersecurity Framework and Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations (April 2013); AICPA Incident Response Plan (2004); DOJ Instruction – Incident Response Procedures for Data Breaches (published August 2013); FCC Computer Security Incident Response Guide (published December 2001); HIPAA Incident Response and Reporting (published September 2011); NERC CIP-008-5 – Cyber Security – Incident Reporting and Response Planning (published July 2014); NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide (published August 2012); and US-CERT Federal Incident Notification Guidelines (effective October 2014).
In addition, the 2016 Shared Assessments AUP includes an addendum to allow multiple outsourcers to collaborate and assess the risk controls of a single outsourcer. This content was developed through top-tier financial institutions who shared collective intelligence to develop and test an augmented AUP, specifically geared to a collaborative assessment that profiles the full and complete control environment using a substantiation-based, standardized, efficient methodology. Benefits of using the collaboratively developed AUP for a larger set of common service providers include consistency, rigor and efficiency.
Updated 2016 Program Tools
The following updates are included in the 2016 release:
- The Standardized Information Gathering (SIG) questionnaire and SIG Lite use industry best practices to gather and assess information technology, security, privacy and data security risks (and their corresponding controls) in an information technology environment. They provide a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to the 2016 SIG include alignment with the ISO 22301:2012 international standard and the FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services, which addresses cyber resilience. Additional updates include new controls for hardware security, information security, mobile security and new, industry-relevant glossary terminology. A new maturity field, containing five levels of maturity ranking, was added to the SIG and SIG Lite to identify how mature the question is within the environment. The maturity value will help to provide an added dimension to the question response.
- The Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business resiliency risk. For the 2016 AUP, Shared Assessments not only updated the tool based on current industry trends, changes and best practices, it also added an addendum for performing Collaborative Onsite Assessments (COA). The AUP, along with the COA addendum, provides a robust, substantiation-based, standardized, efficient methodology. Its use is expected to yield a higher confidence that third party service providers are compliant and more likely to remain compliant.
- The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the 2016 VRMMM include updates to align with the FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services, which addresses cyber resilience.
Pricing and Availability
The updated Program Tools are available now to all Shared Assessments Members and are included in the annual membership fee. Membership provides opportunities to deepen vendor risk management expertise through members-only meetings, events, teleconferences and regular cross-industry working groups that discuss best practices, new standards and guidelines and the regulatory climate. Non-members can purchase the Shared Assessments Tools either as a bundle or separately by visiting https://sharedassessments.org/store/.
“The Program Tools create sustainable efficiencies around the implementation of standardized, robust, tested strategies and processes,” says Cathy Allen, Chairman and CEO of the Santa Fe Group. “Applying the tools increases rigor, consistency and speed, resulting in cost savings in the control assessment process for both the outsourcing organization and the service provider. This, in turn, also allows organizations to redirect resources away from assessment costs and toward control and monitoring by limiting site visit and annual review man hours.”
About the Shared Assessments Program
The Shared Assessments Program is the trusted source in global third party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle; creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; adopted globally across a broad range of industries both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures (AUP), Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM)), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit https://sharedassessments.org.