Updated Shared Assessments Program Tools Are Powerful Weapons Against Third-Party Risk in 2015

The industry is in a state of high alert concerning third party risk in 2015. In fact, Booz Allen Hamilton moved third party risk to the top of the list of cyber security trends for financial services to “guard against” this coming year. also cited third party breaches as one of the six biggest security threats of 2015.

Steve Durbin, managing director of the Information Security Forum, named third party threats as one of five dominant information security trends in 2015. “Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability,” Durbin told CIO magazine. “Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations.”

Because of these threats, doing business in an outsourced economy requires organizations to implement robust, tested strategies and processes, with tools to evaluate vendor risk and manage the security of sensitive data that is accessed or used by third parties. Newly updated for 2015, the Shared Assessments Program Tools—the Standardized Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, and the Vendor Risk Management Maturity Model (VRMMM)—help companies ensure their vendors’ data management security controls and practices are rigorously tested and are in line with data security practices and standards. These Tools allow risk professionals to rigorously assess and manage third party controls to evaluate IT, privacy, and data security risks, including software application security, Cloud, mobile, and fourth parties.

Collaborative Efficiencies in Today’s High Risk Environment
Our Tools empower risk professionals to move from risk management to risk assurance. We know that our members are faced with complex oversight of third parties and look to the Shared Assessments collective community for innovative and tested approaches and best practices to create efficiencies and cost savings in vendor risk management. With these updates, the Shared Assessments Program Tools now offer greater assessment depth; can be leveraged by competent internal staff or independent assessment firms; and can be used internationally.

Durbin applauds this type of strategic approach. “A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components,” he said. “This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise.”

2015 Program Tools Meet the Needs of Risk Managers
The Shared Assessments Program Tools are designed for risk management leaders to effectively manage the critical elements of the vendor risk management lifecycle. Together, the SIG and AUP offer a “trust, but verify” approach to conducting third party assessments. The Tools are based on international, federal, and industry standards in order to ensure sensitive outsourced data—such as personally identifiable information (PII) and protected health information (PHI), intellectual property, and financial information—is protected.

The following updates are included in the 2015 release:

  • The Standardized Information Gathering (SIG) Questionnaire uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment. It provides a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to SIG 2015 include alignment with OCC Guidance 2013-29; updates and consistency with the new ISO-27001/27002, and PCI DSS v.3.0; layering with the NIST Cybersecurity Framework, and updated questions to stay abreast with all current federal and industry regulations, standards, and guidance. Additionally, for organizations looking to become PCI or ISO compliant, the SIG 2015 provides users with the capability to perform self-assessments to help ensure the necessary requirements to become certified are met.
  • The Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. It provides objective and consistent procedures to evaluate key controls, reducing or eliminating the need for onsite assessments. For 2015, updates to the AUP include extensive sections on Cloud Security implementations and Software Application Security; tighter integration with the SIG, including the addition of Employees Agreements, and Business Insurance.
  • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the VRMMM include updates to align with the OCC-2013-29 guidance and improved scoring.

Shared Assessment Tools Boost Confidence in Assessing Third Party Risk

In a Deloitte Touche Tohmatsu Limited (DTTL)/Forbes Insights survey, “2014 Global Survey on Reputation Risk – Reputation@Risk,” organizations are “least confident dealing with risks assessed as ‘beyond their control’ which includes risks from third party/extended enterprise issues (47 percent of respondents).” The Shared Assessment Program Tools put that control in the hands of third party risk managers—which will be vital going forward.

As Tom Garrubba, senior director, the Santa Fe Group and Shared Assessments Program, sums up, “The Shared Assessments Program will continue to help companies stay on top of emerging third party risk trends and regulatory requirements; and help foster internal and board-level conversations on the importance of managing third party risk.”

To learn more about the 2015 Shared Assessments Program Tools, visit

Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.