2013 will go down as an unusual year: an unprecedented amount of attention was placed on a single risk area, third party risk. Beginning with the Consumer Financial Protection Bureau (CFPB) guidance in April and ending with the Federal Reserve guidance in December, regulatory agencies and standards bodies alike found it necessary to sharpen their focus on the need to better manage outsourced services. The list of regulators and standards bodies expanding their treatment of third party risk is impressive: the CFPB, the 2013 revisions of ISO/IEC 27001 and 27002, the PCI Payment Application Data Security Standard (PA-DSS) 3.0, the Office of the Comptroller of the Currency (OCC) third party risk guidance, and NIST’s Cybersecurity Framework. The importance of effectively managing outsourced services was further driven home by the most recent round of data breaches at Target, Neiman Marcus and perhaps a half dozen additional retailers. Our newsletter Feature Article, written by Santa Fe Group Senior Consultant Gary Roboff, provides an overview of last year’s third party risk changes and looks at where both the OCC and CFPB are headed as they increase regulatory scrutiny of third party risk management, and at the likely consequences for financial institutions and service providers.
Never has there been a better time for Shared Assessments to release the newest version of its
More importantly, given a volatile data breach landscape in which a large share of breaches and security incidents originate at the service provider level, these new tools assess both the risks and the software security readiness of third party service providers. The Shared Assessments Tools bring standardization, consistency, speed, efficiency and cost savings to the vendor risk assessment process.
The Standard Information Gathering (SIG) Questionnaire has been expanded to include an entirely new section covering software application security, including the software found on point-of-sale (POS) devices. This section lets you examine a service provider’s secure software development lifecycle in full. In addition, coverage of the risks associated with a service provider’s own outsourcing has been expanded to ensure that fourth party risks (those introduced by your service providers’ subcontractors) are adequately covered.
Using the Agreed Upon Procedures (AUP) as your on-site assessment tool lets you verify the information a service provider reports in the SIG, or conduct an independent assessment of the controls a service provider should have in place to properly protect your data and systems. By specifying the procedures to be used for controls testing and recommending industry standard sampling parameters, the AUP also lets you obtain consistent and cost effective results from one assessment to the next.
The long awaited guidance from the Office of the Comptroller of the Currency (OCC) on third party risk management was issued on October 30, 2013 as OCC Bulletin 2013-29. Its primary focus is to ensure that financial institutions manage third party risk throughout the entire life cycle of an outsourcing relationship, from planning and due diligence through ongoing monitoring and termination. One of the most notable components of the OCC guidance is its discussion of senior management’s active participation in the vendor risk management life cycle. The Shared Assessments Vendor Risk Management Maturity Model (VRMMM) is an invaluable resource for demonstrating a company’s focus on the entire vendor life cycle and for documenting senior management’s active involvement in that process.
The VRMMM incorporates vendor risk management best practices into a usable model that can be used to assess the current and desired future state of a vendor risk management program, helping companies make well-informed decisions on how to spend limited resources to manage vendor-related risks most effectively. The VRMMM has been substantially enhanced for 2014 and now provides a scoring dashboard and the ability to score program components on a scale of 0 to 5 in 0.5 increments. Incremental scoring lets users indicate that a program component is under development and provides better tracking of program improvements over time. The scoring dashboard displays a score for each component, a score for each foundational program area, and an overall maturity score for the program.
While we are confident that the issues discussed in the recently released regulatory guidance and industry standards are already addressed by the Program’s Tools, the Shared Assessments Working and Special Project Groups are currently reviewing the Tools to ensure that no gaps exist in the risk controls and areas they cover. If that review shows that updates are necessary, revised versions of the Tools will be released as soon as the effort concludes.
In the interim, check our blog – Authorities on Risk Assurance – for timely discussions on third party risk management practices, threats and trends, and visit our website often for newly released articles, case studies and other information to help you manage third party risk.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad.