Product Support Center

What's New and Product Tips

2024 Updates for SIG V2 and SCA V2 are now available. Please download the new version. View Changes Here
2024 Launch It’s Here! 2024 Shared Assessments Third-Party Risk Management Product Family: Content Refresh Based on New Risks and Regulations
Accepting The SIG The SIG demonstrates how a service provider secures information and services. Learn More
Which SIG Should I Use? Learn how to scope the SIG to suit your TPRM needs Learn More
SIG Training Course Self-paced training that reviews the basics of the SIG assessment questionnaire Learn More

Frequently Asked Questions

Standardized Information Gathering (SIG)

What is SIG Manager?

The SIG Manager is the engine of the Product with the functionality to perform Standardized Information Gathering (SIG) Questionnaires operations. Built within the MS Excel spreadsheet application, it allows users to create, customize, store, compare, and recall customized templates as well as manage SIG data. See page 2 in the 2024 SIG Manager and Questionnaires User Guide.

What is a SIG Questionnaire?

The SIG Questionnaire is the Excel document created by the SIG Manager from the stored template. You may create a Questionnaire from a Standard SIG Scoping Template or customize your own Template (Custom SIG Scoping Template) and create a Questionnaire. See page 2 in the 2024 SIG Manager and Questionnaires User Guide.

The SIG Manager was downloaded, so how do I get started?

Since SIG Manager operates within Excel, there may be security measures in your organization’s shared environment. Move the Product to a local environment. When you open the SIG Manager, enable content and editing when prompted. Start with page 3 in the 2024 SIG Manager/SIG Questionnaires User Guide for complete instructions.

Why do I need to enter my company name?

Access to the SIG Manager Product is licensed to Product Subscribers and Members. Entering a company name enables the functionality of the Product. Moreover, it is the company name you enter that will transfer to each worksheet within the SIG Manager, and each document you output. See the Copyright tab on the SIG Manager for more information, and page 3 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Can I change my company name?

Yes. There is a button to “Change Company Name” on the Common Options worksheet in Column B. Save appropriately. See page 25 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Standardized Control Assessment (SCA)

Can I use the Documentation and Artifacts Request Checklist outside of an onsite assessment?

Yes. Clients who buy the SCA product can access the Documentation Request List. This list can be used as a template or artifact in any due diligence process to make the process more efficient. The SCA Best Practices Checklist refers to this product during the planning phase of a risk assessment.

Are there multiple ways to use the SCA Control Assessment Procedures?

Yes. The SCA Procedures provide a library of test procedures that can be used for onsite or virtual assessments. Internal audit or assurance teams can use the SCA Procedures to conduct readiness or control assessment reviews. The procedures can be used internally for gap analysis, self-assessment, or in any process such as M&A, where control assessments are indicated.

Are there any guidelines I should follow when utilizing the SCA?

Yes. The Shared Assessments Program has developed a set of SCA Guidelines that are included in the bundle. The SCA Procedures provide risk professionals a set of resources (products, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments. This is the “verify” portion of a third-party risk program and was created leveraging the collective intelligence and experience of our vast member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.

Do I have to use every procedure when conducting a SCA?

No. The SCA is a library of best practice assessment procedures and should be scoped based on risk factors determined by the organization.

Are there multiple ways the SCA can be used?

Yes. The SCA can be used to provide independent testing of controls. It can be used by outsourcers and service providers in the due diligence process, and it can be used as an internal self-assessment.

Data Governance (Target Data Tracker – TDT)

Can the Target Data Tracker be used for CCPA/CPRA initiatives?

The Target Data Tracker product is designed to be used for project management and supports the SIG and SCA in the “Trust But Verify” model. The TDT can assist organizations to track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance product assists with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. These functions can support CCPA/CPRA readiness and planning efforts, and can be utilized as a due diligence artifact to respond to client requests for service providers.

Can the Target Data Tracker be used for Standard Contractual Clauses (SCCs) readiness initiatives?

Yes. The Product can assist organizations to track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance Products assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. The sections of the Target Data Tracker provide a data collection mechanism for information required to address the contract Annex requirements in the GDPR/EU SCCs. Refer to the Data Governance User Procedure Guide for details.

Can the Data Governance product assist with Data Protection Impact Assessments (DPIAs)?

The updated Data Governance Products are designed to assist with pre-scoping activities before conducting a complete third-party review. The standalone SIG and SCA Templates can be used as artifacts for conducting a DPIA assessment. The Data Governance Products focus on the core privacy obligations and should be used in conjunction with the completed Target Data Tracker or completed SIG for an enterprise view of the Information Technology and Security risks.

As a service provider, can the Target Data Tracker be used as a record of my processing activities under GDPR General Data Protection Regulation (EU)?

The Target Data Tracker Product was constructed as a due diligence artifact to be used across many privacy jurisdictions. It contains relevant topics and attributes for records of processing and authorized use, including GDPR obligations for records of processing or as evidence of the implementation of Standard Contractual Clauses (SCCs). Each set of services may require different levels of detail to meet records of processing artifacts, but it can be used to supplement or enhance these documentation efforts. Refer to the Data Governance User Procedure Guide for detailed information on how to use the Product.

Vendor Risk Management Maturity Model (VRMMM)

What is Target Maturity and how do I use it?

Target Maturity is an optional field to display in the Vendor Risk Management Maturity Model VRMMM Dashboard to establish the desired state of maturity for each element in a TPRM program. Target Maturity is typically not displayed to users during initial self-assessment to prevent skewing of results but is used to quantify and prioritize areas of improvement. The VRMMM User Procedure Guide provides an overview on how to utilize the Target Maturity Feature.

Is there an updated VRMMM Benchmarking Study?

The last published study was released in 2022. The next iteration of the VRMMM benchmarking study is under review.

How do I share the results of the VRMMM self-assessment?

The VRMMM product enables an organization to assess the maturity of over 290 detailed program criteria. The VRMMM organizes TPRM Program structures into Categories and Attributes to streamline the identification of areas of process improvement. The VRMMM Executive Summary Data Tables and Reporting Templates provide formatting templates and charts to share TPRM results and action plans to include in enterprise risk management reporting.

How do I use the VRMMM Accountability Matrix?

The VRMMM product is designed to capture the process maturity across cross-functional areas of a TPRM Program. The VRMMM Accountability Matrix enables the TPRM program owner to capture the names and resources of the individual(s) who provided inputs to the self-evaluation process. The Matrix also enables the identification of the TPRM Program Owners who approved setting Target Maturity levels for the TPRM program in the organization.

Third-Party Service Inherent Risk Rating (TPSIRR)

Where did the scores come from? Are they just made up or approximations?

The TPSIRR scoring system was developed by Shared Assessments after conducting over six months of research and testing against a diverse range of assessments completed using other methods. The design working group, comprising member organizations of Shared Assessments, performed these comparative assessments. The existing use cases were tested using the TPSIRR pilot and compared with scores generated by professionally conducted assessments in the field.

If the scoring is 0-5, it doesn’t add up to 81.

It was discovered that different risk categories had a significant impact on the final assessment. Therefore, scores were adjusted accordingly for various responses. It should be noted that there are exceptions to this rule. For instance, the responses to question 16 are algorithmically weighted and depend on the Data Classification values established by the organization's Admin. Additionally, the scores for question 17 are skewed higher for responses that suggest an increased level of risk.

Why can’t the Administrator change the question weighting?

The administrator can establish thresholds for different tiers, such as when 'LOW' becomes 'MEDIUM' and when 'MEDIUM' becomes 'HIGH'. Additionally, the administrator can create up to six data classifications, although it is not mandatory to use all six. Shared Assessments has decided not to permit administrators to customize the weighting of questions for the sake of consistency and standardization. Allowing configurable weighting would also make it challenging to suggest a consistent level of SIG questionnaire to utilize with the third-party being evaluated by the TPSIRR. Please refer to Table 2 on page 20 of the TPSIRR Admin User Guide to view a list of scoring factors that can be modified.

Video Resources