PRESS RELEASE
Contact:
Marya Roddis
Vice President of Communications
marya@santa-fe-group.com
505-466-6434
Santa Fe, NM — November 29, 2016 — The Shared Assessments Program, the member-driven trusted source in third party risk assurance, announces the release of our updated 2017 Program Tools. The Tools serve organizations, regardless of size and industry, helping them meet the surge in regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities posed by the use of third party service providers. This concern is very real. A study of global data breach investigations showed that 63% of breaches were linked to a third party component (Trustwave, 2013). And the likelihood of a material data breach involving 10,000 lost or stolen records in the next two years is 26% (Ponemon, 2016).
The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, through due diligence and vendor selection, contract negotiations, and ongoing and continuous monitoring, to termination. The Tools embody a “trust, but verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.
The Shared Assessments Program Tools are:
Creating Sustainable Efficiencies in Today’s High Risk, Cyber-Based Environment
While each Tool may be used independently, the combined value of the Tools provides maximum protection from third party risks, allowing risk management professionals to respond to the relentless pace and shifting nature of cybersecurity threats and vulnerabilities associated with rapidly changing outsourcing, Cloud, mobile and fourth party security issues.
Martin Freeman, Information Security Manager at Dealogic LTD and a Shared Assessments Steering Committee Member, comments that “because of its alignment with such a wide range of industry and regulatory standards, Dealogic has been able to use the Shared Assessments toolkit not only to provide our customer-base with a comprehensive portrait of our security programs but also to thoroughly assess our global portfolio of third-party service providers. It has also enabled us to perform a gap analysis against our established information security baseline when assessing potential business initiatives or implementing new products and services.”
The Tools are designed to be tailored to an organization’s unique application of regulations, divisional needs and risk appetites. Shared Assessments keeps a close eye on emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent, such as: the proposed changes to the U.S. Cyber Consequences Unit (CCU) Free Cybersecurity Matrix Tool; New York State’s proposed requirements for banks, insurance companies, and other financial services institutions; and the OCC’s request for comments on its proposed Enhanced Cyber Risk Management Standards and its request for comments on Responsible Innovation in Banking.
Accordingly, the Shared Assessments Program Tools are designed in alignment with a wide body of the most updated domestic and international regulatory guidance and industry standards, including:
U.S. Domestic Industry Standards, Regulations and Guidance:
International Industry Standards, Regulations and Guidance:
Updated 2017 Program Tools
These updated tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.
The Standardized Information Gathering (SIG) questionnaire and SIG Lite:
The Shared Assessments Agreed Upon Procedures (AUP):
The Vendor Risk Management Maturity Model (VRMMM):
About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third party risk management, with more than a decade of developing program resources. Shared Assessments helps organizations effectively manage the critical components of the vendor risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments member-driven Program Tools offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group (http://www.santa-fe-group.com), a strategic advisory company providing unparalleled expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities and other critical infrastructure organizations. The core of The Santa Fe Group’s belief system is that, despite how complicated the world of commerce might be, business can—and should—be a good citizen. Corporations should be built on a foundation to provide greater good to society. For more information on Shared Assessments, please visit: https://sharedassessments.org.