Vice President of Communications
Santa Fe, NM — November 29, 2016 — The Shared Assessments Program, the member-driven trusted source in third party risk assurance, announces the release of our updated 2017 Program Tools. The Tools serve organizations, regardless of size and industry, helping them meet the surge in regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities posed by the use of third party service providers. This concern is very real. A study of global data breach investigations showed that 63% of breaches were linked to a third party component (Trustware, 2013). And the likelihood of a material data breach involving 10,000 lost or stolen records in the next two years is 26% (Ponemon, 2016).
The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and through termination. The Tools embody a “trust, but verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.
The Shared Assessments Program Tools are:
- Standardized Information Gathering (SIG) questionnaire remote assessment;
- Agreed Upon Procedures (AUP) for performing onsite assessments; and
- Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices.
Creating Sustainable Efficiencies in Today’s High Risk, Cyber-Based Environment
While each Tool may be used independently, the combined value of the Tools provides maximum protection from third party risks, allowing risk management professionals to respond to the relentless pace and shifting nature of cybersecurity threats and vulnerabilities associated with rapidly changing outsourcing, Cloud, mobile and fourth party security issues.
Martin Freeman, Information Security Manager at Dealogic LTD and a Shared Assessments Steering Committee Member, comments that “because of its alignment with such a wide range of industry and regulatory standards, Dealogic has been able to use the Shared Assessments toolkit not only to provide our customer-base with a comprehensive portrait of our security programs but also to thoroughly assess our global portfolio of third-party service providers. It has also enabled us to perform a gap analysis against our established information security baseline when assessing potential business initiatives or implementing new products and services.”
The Tools are designed to be tailored to an organization’s unique application of regulations, divisional needs and risk appetites. Shared Assessments keeps a close eye on emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent, such as: the proposed changes to the U.S. Cyber Consequences Unit (CCU) Free Cybersecurity Matrix Tool; New York State’s proposed requirements for banks, insurance companies, and other financial services institutions; and the OCC’s request for comments on its proposed Enhanced Cyber Risk Management Standards and its request for comments on Responsible Innovation in Banking.
Accordingly, the Shared Assessments Program Tools are designed in alignment with a wide body of the most updated domestic and international regulatory guidance and industry standards, including:
U.S. Domestic Industry Standards, Regulations and Guidance:
- American Institute of Certified Public Accountants (AICPA) – Incident Response Procedures, 2004
- FFIEC Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
- FFIEC Cybersecurity Assessment Tool (CAT), June 2015
- FFIEC Examination Handbook Management Booklet, November 2015
- Health Insurance Portability and Accountability Act (HIPAA) Final Rule Modifications, March 2013
- NIST Cybersecurity Framework (CSF), February 2014
- NIST Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
- NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide, August 2012
- U.S. Computer Emergency Readiness Team (CERT) – Federal Incident Notification Guidelines, October 2014
- U.S. Cyber Consequences Unit (CCU) Free Cybersecurity Matrix Tool, 2009
- U.S. Food and Drug Administration (FDA) Title 21 of the Code of Federal Regulations (CFR) Part 11 (Electronic Records) Section 11.1(a), April 2016
- U.S. Department of Treasury, Office of the Comptroller (OCC) Bulletin 2013-29 – Third-Party Relationships, October 2013
International Industry Standards, Regulations and Guidance:
- Asia-Pacific Economic Cooperation (APEC), February 2014
- Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines, June 2015
- Australian Prudential Regulatory Authority (APRA), May 2013
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1, 2014
- EU General Data Protection Directive (GDPR), April 2016
- Hong Kong Monetary Authority (HKMA), December 2001
- International Standards Organization (ISO) 27001/27002, 2013
- Monitory Authority of Singapore (MAS), March 2013
- Payment Card Industry (PCI) PCI DSS v.3.2, April 2016
- UK regulation – SYSC 8.1 Outsourcing, May 2016
- UK Guidance – CPNI SICS Managing Third Party Risk, May 2015
- UK Cyber Essentials Scheme, January 2015
Updated 2017 Program Tools
These updated tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.
The Standardized Information Gathering (SIG) questionnaire and SIG Lite:
- Uses industry best practices to gather and assess cybersecurity, IT, privacy, data security and business resiliency in an information technology environment to provide a complete picture of service provider controls, with scoring capability for response analysis and reporting.
- Enhancements to the 2017 SIG include:
- Addition of a Cybersecurity Guidance overview to provide users with instruction on which questionnaire tabs they complete to have a view of their cybersecurity preparedness, in keeping with FFIEC’s Cybersecurity Assessment Tool (CAT) and the NIST’s Cybersecurity Framework (CSF).
- Reduction in tool size and enhanced scoring capabilities based on user feedback and findings from Shared Assessment’s briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.
- Changes related to industry and regulations guidance that reflect: HIPAA final rules modifications; NIST’s Cybersecurity Framework (CSF) and companion roadmap; FFIEC IT Handbook reference updates; and PCI DSS version 3.2 standards revisions.
- Uses a substantiation-based, standardized, efficient methodology for onsite assessments by companies to evaluate their own controls, as well as those their service providers have in place for cybersecurity, IT, privacy, data security and business resiliency, in alignment with the content of the SIG.
- The 2017 AUP:
- Allows for execution of a Collaborative Onsite Assessments (COA), a unique and pilot-tested capability, with benefits that include consistency, rigor and efficiency.
- All sections of the AUP have been amended with language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.
- Industry updates, including: HIPAA final ruling modifications; PCI DSS version 3.2 updates; FFIEC Cybersecurity Assessment Tool (CAT); and the NIST Cybersecurity Framework.
- Provides third party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices to identify specific areas for improvement and help manage provider-related risks efficiently and effectively.
- Enhancements to the 2017 VRMMM include:
- Modifications to Maturity Level definitions and improved guidance that simplify and clarify Maturity ranking.
- Addition of an Accountability Tab to assist organizations in assigning responsibility for completion of the VRMMM, allowing users to identify the resources responsible by risk area category.
The Shared Assessments Agreed Upon Procedures (AUP):
The Vendor Risk Management Maturity Model (VRMMM):
About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third party risk management, with more than a decade of developing program resources. Shared Assessments helps organizations effectively manage the critical components of the vendor risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments member-driven Program Tools offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group (http://www.santa-fe-group.com), a strategic advisory company providing unparalleled expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities and other critical infrastructure organizations. The core of The Santa Fe Group’s belief system is that, despite how complicated the world of commerce might be, business can—and should—be a good citizen. Corporations should be built on a foundation to provide greater good to society. For more information on Shared Assessments, please visit: https://sharedassessments.org.