The industry is in a state of high alert concerning third party risk in 2015. In fact, Booz Allen Hamilton moved third party risk to the top of the list of cyber security trends for financial services to “guard against” this coming year. WIRED.com also cited third party breaches as one of the six biggest security threats of 2015.
Steve Durbin, managing director of the Information Security Forum, named third party threats as one of five dominant information security trends in 2015. “Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability,” Durbin told CIO magazine. “Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations.”
Because of these threats, doing business in an outsourced economy requires organizations to implement robust, tested strategies and processes, with tools to evaluate vendor risk and manage the security of sensitive data that is accessed or used by third parties. Newly updated for 2015, the Shared Assessments Program Tools—the Standardized Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, and the Vendor Risk Management Maturity Model (VRMMM)—help companies ensure their vendors’ data management security controls and practices are rigorously tested and are in line with data security practices and standards. These Tools allow risk professionals to rigorously assess and manage third party controls to evaluate IT, privacy, and data security risks, including software application security, Cloud, mobile, and fourth parties.
Collaborative Efficiencies in Today’s High Risk Environment
Our Tools empower risk professionals to move from risk management to risk assurance. We know that our members are faced with complex oversight of third parties and look to the Shared Assessments collective community for innovative and tested approaches and best practices to create efficiencies and cost savings in vendor risk management. With these updates, the Shared Assessments Program Tools now offer greater assessment depth; can be leveraged by competent internal staff or independent assessment firms; and can be used internationally.
Durbin applauds this type of strategic approach. “A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components,” he said. “This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise.”
2015 Program Tools Meet the Needs of Risk Managers
The Shared Assessments Program Tools are designed for risk management leaders to effectively manage the critical elements of the vendor risk management lifecycle. Together, the SIG and AUP offer a “trust, but verify” approach to conducting third party assessments. The Tools are based on international, federal, and industry standards in order to ensure sensitive outsourced data—such as personally identifiable information (PII) and protected health information (PHI), intellectual property, and financial information—is protected.
The following updates are included in the 2015 release:
Shared Assessment Tools Boost Confidence in Assessing Third Party Risk
In a Deloitte Touche Tohmatsu Limited (DTTL)/Forbes Insights survey, “2014 Global Survey on Reputation Risk – Reputation@Risk,” organizations are “least confident dealing with risks assessed as ‘beyond their control’ which includes risks from third party/extended enterprise issues (47 percent of respondents).” The Shared Assessments Program Tools put that control in the hands of third party risk managers—which will be vital going forward.
As Tom Garrubba, senior director, the Santa Fe Group and Shared Assessments Program, sums up, “The Shared Assessments Program will continue to help companies stay on top of emerging third party risk trends and regulatory requirements; and help foster internal and board-level conversations on the importance of managing third party risk.”
To learn more about the 2015 Shared Assessments Program Tools, visit www.sharedassessments.org.
Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.