As the third party risk environment continues to demand more from C-level executives and third party risk management professionals, Shared Assessments again takes the lead in providing powerful tools that improve the economics and scalability of assessments for both outsourcers and service providers.
The January 2016 Shared Assessments Program Tools release is a further advance in third party risk assurance. The tools deliver a tangible gain in risk management, improving the risk posture at the service provider level compared with the use of proprietary questionnaires.
By meeting the recent surge in regulatory, consumer and business scrutiny and changes in the current threat environment in a “trust, but verify” standardized approach, Shared Assessments is seeing growing adoption of the tools globally. Importantly, these assessment tools serve organizations regardless of size or industry and help manage the entire vendor risk management lifecycle. The tools can be tailored to an organization’s unique interpretation of regulations, divisional needs and risk appetites.
The updated tools employ tested strategies and processes and reflect the combined efforts of members, whose input keeps the tools robust enough to support rigorous assessment and management of IT, security, privacy and resiliency risks. The tools' focus on third party risk management helps professionals implement a standardized, efficient program for acting on the security threats and vulnerabilities that surround the outsourcing of critical services, including issues associated with cloud, mobile and fourth party security.
The 2016 Program Tools have been aligned and updated in keeping with regulatory guidance and industry standards that address, in part, enterprise-wide business continuity and operational risks as they relate to information security. The most recent sources include: FFIEC Information Technology Examination Handbook, Appendix J: Strengthening the Resilience of Outsourced Technology Services. Federal Financial Institutions Examination Council (FFIEC). February 2015; Payment Card Industry (PCI) Data Security Standard: PCI DSS Designated Entities Supplemental Validation, Version 1.0. PCI Security Standards Council. June 2015; ISO 22301:2012 – Societal security – Business continuity management systems – Requirements. International Organization for Standardization. May 15, 2012; NIST Cybersecurity Framework and Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards & Technology (NIST). April 30, 2013; AICPA Privacy Incident Response Plan. American Institute of Certified Public Accountants, Inc. New York. 2004; DOJ Instruction – Incident Response Procedures for Data Breaches. US Department of Justice. August 6, 2013; FCC Computer Security Incident Response Guide. Federal Communications Commission, Office of the Managing Director, Information Technology Center, Computer Security Program. December 2001; HIPAA Incident Response and Reporting. US Health & Human Services. September 2011; NERC CIP-008-5 – Cyber Security – Incident Reporting and Response Planning. North American Electric Reliability Corporation (NERC). July 9, 2014; NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide. NIST. August 8, 2012; US-CERT Federal Incident Notification Guidelines. US Computer Emergency Readiness Team (CERT). Effective October 1, 2014. Included in this release:
Catherine A. Allen, Chairman and CEO of The Santa Fe Group notes that “applying the tools increases rigor, consistency and speed, resulting in cost savings in the control assessment process for both the outsourcing organization and the service provider. This, in turn, also allows organizations to redirect resources away from assessment costs and toward control and monitoring by limiting site visit and annual review man hours.” The AUP, along with the COA addendum, provides a robust, substantiation-based, standardized, efficient methodology. Its use is expected to yield a higher confidence that third party service providers are compliant and more likely to remain compliant. For more information about the Shared Assessments Program and the Program Tools, contact info@sharedassessments.org, or visit our website at www.sharedassessments.org.
Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members in documenting committee projects in white papers and briefings, and also works on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003, primarily for non-profit organizations in the fields of arts, education, social services, and regional economic and business development.