Member Projects and Activities
Shared Assessments members are national and international organizations of all sizes that understand the value of leveraging the knowledge of their risk management peers in the development and management of best-in-class third party risk management programs. They are leaders in their industries and members of a global community of risk management professionals working together to keep the Shared Assessments Program Tools at the forefront of third party risk management practices.
One of the primary reasons the Shared Assessments Program Tools have been able to maintain their status as the industry standard for third party risk assurance is that they are maintained by the very risk professionals who specialize in third party risk management issues. Shared Assessments offers opportunities for members to address global risk management challenges through its committees, Awareness Groups and special projects/interest groups.
All of the Shared Assessments Development Committees are conducted under the direction and oversight of the Shared Assessments Steering Committee. The Steering Committee, with input from each Development Committee Chair, establishes the annual initiatives and helps prioritize their efforts. The primary mission of the Development Committees is to ensure that the Shared Assessments Program standardized tools (SIG, AUP, and VRMMM) are relevant, thorough and responsive to a range of new and emerging US and international guidelines for privacy, information and data security, and business resiliency.
Who Serves on the Development Committee?
All Shared Assessments members are eligible to serve on a development committee or awareness group. Development committee members are risk management leaders from a range of industries. They are information security officers, privacy officers and other subject matter experts who are motivated to help build and sustain Shared Assessments’ rigorous standards. Participants include experts from the Big 4 accounting firms, which serve as technical advisors to the Shared Assessments Program.
Development committee members play an important leadership role in the Shared Assessments Program. Development committee membership offers:
- Participation in a global community of risk management and information technology professionals.
- Professional development opportunities.
- Collaboration with industry peers on challenging issues in information and data security, privacy and business resiliency.
The SIG Committee is responsible for the content of the SIG Tool. Its goal is to ensure that the SIG content is always relevant and current with the latest industry regulations, standards and best practices relating to information security. In 2017 the SIG Committee will further work on reducing the number of questions, and will work to create a mechanism within the tool to assist users with scoping the completion process. The Committee will also begin to review any gaps identified during the mapping process of the most critical regulations and standards that have been included in the 2017 SIG.
The Privacy Committee provides input on privacy issues to the SIG and AUP Committees based on new regulations, standards and guidance. Privacy professionals meet monthly to evaluate the need to update the privacy content included in the SIG and AUP, to identify and track changes in domestic and international privacy regulations, and then to consider the development of briefing papers on privacy topics of interest. For the 2017 work year, the Privacy Committee will expand thought leadership on Privacy/Third Party Assurance to educate and inform on key privacy topics based on new regulations, as well as update and enhance Privacy Tools for the Shared Assessments Program.
The industry standards, regulations and guidance to which the Program Tools currently align include:
- US financial services and healthcare regulations and standards and guidance, including: FFIEC Appendix J and OCC-2013-29; Merchant Processing Handbook; and Healthcare Regulatory Guidance and Standards: HIPAA Incident Response Reporting Procedures.
- Other pertinent US governmental guidance and standards in all industries for federal and/or state agencies, including: NIST Cybersecurity Framework (CSF); Computer Security Incident Handling Guide (NIST.SP.800-61r2); Title 21 of the Code of Federal Regulations (CFR) Part 11 Section 11.1 (a); DOJ Breach Procedures; and US CERT – Federal Incident Notification Guidelines.
- US-based national and international standards: AICPA Incident Response Procedures; COBIT; Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); ISO 27001, 27002; and PCI-DSS.
- International standards, including UK Cyber Essentials Scheme and EU Data Protection Directive.
Mapping is underway to ensure we further align to:
- Asia – Pacific – Japan (APJ): Asia-Pacific Economic Cooperation (APEC); Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines; Australian Prudential Regulatory Authority (APRA); Hong Kong Monetary Authority (HKMA); and Monetary Authority of Singapore (MAS).
- Europe: EU – European Central Bank (ECB); Germany – Bundesbank/Central Bank of Germany (BuBa), German Federal Financial Supervisory Authority (BaFin); Luxembourg – Commission de Surveillance du Secteur Financier (CSSF); Switzerland – Financial Market Supervision Act (FINMA); UK – Financial Conduct Authority (FCA); Financial Services Authority (FSA); and Prudential Regulation Authority (PRA) Rulebook.
The AUP Committee is responsible for ensuring that the content of the AUP is relevant and accurate by examining and discussing federal regulations, industry standards and guidelines, and updating AUP content as needed. For the 2017 work year, the AUP Committee will work to further enhance the AUP by placing the Practitioner Notes within the body of the AUP rather than in an appendix at the end of the document. It will also work to ensure 100% alignment with the SIG Tool. Additionally, the Committee will review any gaps identified during the mapping efforts performed in 2016 to determine whether new sections/procedures are needed to address them.
Vendor Risk Management Maturity Model (VRMMM) Committee
The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model that can be used to assess the current and desired future state of a vendor risk management program, while helping companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. In 2017, the VRMMM Committee will consider developing a detailed How-To Guide for utilizing the VRMMM, and will discuss and review the concept of incorporating Cybersecurity into the VRMMM.
Certified Third Party Risk Professional (CTPRP) Committee
OPEN TO CTPRP HOLDERS ONLY
Doing business in an outsourced economy requires special strategies, processes, and practices when evaluating and managing vendor risk and overseeing the security of sensitive data once it’s in the hands of third parties. Risk management professionals with the specialized skills and training required to manage third party risk have a significant advantage in the workplace. The Certified Third Party Risk Professional (CTPRP) designation from the Shared Assessments Program validates that expertise, providing professional credibility, recognition, and marketability. Join other CTPRP holders in the ongoing development and improvement of the CTPRP program, including improving existing workshops, testing and developing additional distribution methodologies, and study materials. In return you will earn CPE credits for your participation, which can be used to maintain your certification.
Best Practices for Third Party Risk Management & Assurance Awareness Group
The focus of this awareness group is to discuss challenges organizations face in managing third party risk, and to identify existing best practices in use today for implementation and effective execution of their third party risk management programs, or to develop new best practices to address those challenges. Examples of topics include internal and external implementation issues, procurement/sourcing processes and procedures, and assessment scoping. This Group coordinates with the Shared Assessments Development Committees when changes to the Program Tools are identified through research and discussion. Examples of deliverables developed by the Awareness Group include checklists, briefing papers, and other suggestions to enhance the Program Tools.
Regulatory Compliance Audits Awareness Group
A steady stream of new third party risk related regulations during the last few years has required both organizations and their service providers to regularly update third party oversight programs. With a new administration in place, the 2017 regulatory climate may change in ways that are hard to predict. In times of regulatory uncertainty, it is more important than ever for Shared Assessments Program members to come together to assess changes in the regulatory landscape and communicate their compliance consequences. As thought leaders, the group publishes white papers on specific topics, and on occasion may create content designed to identify pain points and address specific needs in focus areas determined by the group. The group regularly reviews and discusses draft and final third party regulatory guidance and rules, and – on occasion and when appropriate – has responded to regulatory requests for comments and feedback.
The Regulatory Compliance Audit Awareness Group will identify emerging trends and needs for third party assessment tools for consumer protection, operational risk and regulatory compliance monitoring to identify recommendations for enhancements to Shared Assessments Program content, and suggest other needed deliverables. This year, the group is creating a financial services subcommittee to focus on possible changes to regulation in that sector.
In 2017, the group will complete work that expands upon the previously released white paper "It Takes In-Tune Tone at the Top to Shape an Effective Risk Management Culture" with a follow-up tool designed to enable Boards of Directors to measure and improve the risk culture both on the Board and at the most senior management levels of an organization.
In this period of regulatory uncertainty, please join the dialogue with peer companies and help to build a better understanding of how you can optimize your compliance programs. Understand what it takes to create and maintain a more risk-sensitive environment during a period when regulations may change in unexpected ways.
To participate in any of these committees or awareness groups, please send us an email at firstname.lastname@example.org.