Program Tool Updates: Member-Driven Updates Are Creating Sustainable Efficiencies in Risk Management

As the third party risk environment continues to require more from C-level executives and third party risk management professionals, Shared Assessments again takes the lead in providing powerful tools that improve the economy and scalability of assessments for both outsourcers and providers.

The January 2016 Shared Assessments Program Tools release provides another level of advance in third party risk assurance. The tools provide a tangible gain in risk management, improving the risk posture at the service provider level over using proprietary questionnaires.

Because the tools address the recent surge in regulatory, consumer and business scrutiny, and the changes in the current threat environment, through a standardized “trust, but verify” approach, Shared Assessments is seeing growing adoption of the tools globally. Importantly, these assessment tools serve organizations regardless of size or industry and help manage the entire vendor risk management lifecycle. The tools can be tailored to an organization’s unique interpretation of regulations, divisional needs and risk appetites.

The updated tools employ tested strategies and processes and reflect the combined efforts of members, whose input makes the tools robust enough to allow rigorous assessment and management of IT, security, privacy and resiliency risks. The tools’ focus on third party risk management helps professionals implement a standardized and efficient program for acting on the security threats and vulnerabilities that surround the outsourcing of critical services, including issues associated with cloud, mobile and fourth party security.

The 2016 Program Tools have been aligned and updated in keeping with regulatory guidance and industry standards addressing, in part, enterprise-wide business continuity and operational risks as they relate to information security. The most recent of these include:

  • FFIEC Information Technology Examination Handbook, Appendix J: Strengthening the Resilience of Outsourced Technology Services. Federal Financial Institutions Examination Council (FFIEC). February 2015.
  • Payment Card Industry (PCI) Data Security Standard: PCI DSS Designated Entities Supplemental Validation, Version 1.0. PCI Security Standards Council. June 2015.
  • ISO 22301:2012 – Societal security – Business continuity management systems – Requirements. International Organization for Standards. May 15, 2012.
  • NIST Cybersecurity Framework and Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards & Technology (NIST). April 30, 2013.
  • AICPA Privacy Incident Response Plan. American Institute of Certified Public Accountants, Inc. New York. 2004.
  • DOJ Instruction – Incident Response Procedures for Data Breaches. US Department of Justice. August 6, 2013.
  • FCC Computer Security Incident Response Guide. Federal Communications Commission, Office of the Managing Director, Information Technology Center, Computer Security Program. December 2001.
  • HIPAA Incident Response and Reporting. US Health & Human Services. September 2011.
  • NERC CIP-008-5 – Cyber Security – Incident Reporting and Response Planning. North American Electric Reliability Corporation (NERC). July 9, 2014.
  • NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide. NIST. August 8, 2012.
  • US-CERT Federal Incident Notification Guidelines. US Computer Emergency Readiness Team (CERT). Effective October 1, 2014.

Included in this release:

  • The Standardized Information Gathering (SIG) questionnaire and SIG Lite use industry best practices to gather and assess information technology, security, privacy and data security risks (and their corresponding controls) in an information technology environment. They provide a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to the 2016 SIG include streamlining of the instrument, as well as alignment with the ISO 22301:2012 international standard and the FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services, which addresses cyber resilience. Updates include new controls for hardware security, information security and mobile security, and new, industry-relevant terminology. A new maturity field, containing five levels of maturity ranking that add a dimension to the question response, was added to the SIG and SIG Lite.
  • The Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, is used to evaluate the controls third party service providers have in place for information and data security, privacy and business resiliency risk. The AUP updates respond to the overwhelming number of security breaches that have occurred in the past two years. It has been reconstructed to cover regulatory guidelines and industry standards, with guidance on incident response. For the 2016 AUP, Shared Assessments not only updated the tool based on current industry trends, changes and best practices, but also added an addendum for performing Collaborative Onsite Assessments (COA). The addendum is specifically geared to a collaborative assessment that profiles the full and complete control environment using a substantiation-based, standardized, efficient methodology. It was developed with top-tier financial institutions to allow multiple outsourcers to collaborate and assess the risk controls of a single outsourcer, and the benefits of its use for a larger set of common service providers include consistency, rigor and efficiency.
  • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model for assessing the current and desired future state of a vendor risk management program. The VRMMM helps organizations make well-informed decisions on how to assign resources to most effectively and cost efficiently manage vendor-related risks. New enhancements to the 2016 VRMMM include updates to align with the FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services, which addresses cyber resilience.

Catherine A. Allen, Chairman and CEO of The Santa Fe Group, notes that “applying the tools increases rigor, consistency and speed, resulting in cost savings in the control assessment process for both the outsourcing organization and the service provider. This, in turn, also allows organizations to redirect resources away from assessment costs and toward control and monitoring by limiting site visit and annual review man hours.” The AUP, along with the COA addendum, provides a robust, substantiation-based, standardized, efficient methodology. Its use is expected to yield higher confidence that third party service providers are compliant and more likely to remain compliant. For more information about the Shared Assessments Program and the Program Tools, contact, or visit our website at

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services, and regional economic and business development.