Product Support Center

What's New and Product Tips

11/16/2022 SIG 2023.03 Version Release Notes
  • Corrected SIG Manager worksheet protection issues on Windows and Mac caused by Microsoft Office updates
  • Corrected an issue where external links were asking to be updated on a newly created SIG
  • Added a checkmark to the worksheet to indicate that the SIG worksheet has been digitally signed
  • Download the new 2023.03 Version from the Product Download Page or the Member Portal
  • 2023 Launch: It’s Here! 2023 Shared Assessments Third-Party Risk Management Product Suite: Content Refresh Based on New Regulations and Standards
    SIG Training Course: Self-paced training that reviews the basics of the SIG assessment questionnaire.
    Accepting the SIG: The SIG demonstrates how a service provider secures information and services.
    Which SIG to Use: Learn how to scope the SIG to suit your TPRM needs.

    Frequently Asked Questions

    Standardized Information Gathering (SIG)

    What is SIG Manager?

    SIG Manager is the engine that creates and manages the Standardized Information Gathering (SIG) Questionnaires (templates). The SIG Manager allows organizations to build, customize, analyze, store, and recall third-party assessments. See page 2 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.

    What is a SIG Questionnaire?

    The SIG Questionnaire is the electronic questionnaire template produced by SIG Manager, either quickly and simply out-of-the-box or with as much specificity and detail as you need. See page 2 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.

    The SIG Manager was downloaded, so how do I get started?

    SIG Manager operates within Excel. Make sure you have Excel open, enable content, and enable editing if prompted. Start with page 3 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide for complete instructions.

    Why do I need to enter my company name?

    Access to the SIG is licensed to Product Subscribers and Members. See the Copyright tab on the SIG Manager for more information, and page 3 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.

    After creating a SIG scoping template, can I rename it?

    The Recall/Modify function allows you to save a template under the same or a different name. See page 23 in the 2023 SIG Manager/SIG Questionnaires User Procedure Guide.

    Standardized Control Assessment (SCA)

    Can I use the Documentation and Artifacts Request Checklist outside of an onsite assessment?

    Yes. Members and Product purchasers who receive the Standardized Control Assessment (SCA) Procedures will also receive a stand-alone Documentation and Artifacts Checklist that can be used as a template or artifact to make any due diligence process more efficient. The SCA Best Practices Checklist will refer to this product in the planning phase of a risk assessment.

    Are there multiple ways to use the SCA Control Assessment Procedures?

    Yes. The SCA Procedures provide a library of test procedures that can be used for onsite or virtual assessments. The SCA Procedures can be used by internal audit or assurance teams to conduct readiness or control assessment reviews. The procedures can be used internally for gap analysis, self-assessment, or in any process such as M&A, where control assessments are indicated.

    Are there any guidelines I should follow when utilizing the SCA?

    Yes. The Shared Assessments Program has developed a set of SCA Guidelines that are included in the bundle. The SCA Procedures provide risk professionals a set of resources (products, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments. This is the “verify” portion of a third-party risk program and was created leveraging the collective intelligence and experience of our vast member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.

    Do I have to use every procedure when conducting an SCA?

    No. The SCA is a library of best practice assessment procedures and should be scoped based on risk factors determined by the organization.

    Are there multiple ways the SCA can be used?

    Yes. The SCA can be used to provide independent testing of controls. It can be used by outsourcers and service providers in the due diligence process, and it can be used as an internal self-assessment.

    Data Governance (Target Data Tracker – TDT)

    Can the Target Data Tracker be used for CCPA/CPRA initiatives?

    The Target Data Tracker product is designed to be used for project management and supports the SIG and SCA in the “Trust But Verify” model. The TDT can assist organizations to track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance product assists with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. These functions can support CCPA/CPRA readiness and planning efforts, and can be utilized as a due diligence artifact to respond to client requests for service providers.

    Can the Target Data Tracker be used for Standard Contractual Clauses (SCCs) readiness initiatives?

    Yes. This product can assist organizations to track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhanced Data Governance product assists with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships. The sections of the Target Data Tracker (TDT) provide a data collection mechanism for information required to address the contract Annex requirements in the GDPR/EU SCCs. Refer to the TDT User Procedure Guide for details.

    Can the Data Governance product assist with Data Protection Impact Assessments (DPIAs)?

    The updated Data Governance products are designed to assist with pre-scoping activities prior to conducting a complete third-party review. The standalone SIG and SCA Templates can be used as artifacts for conducting a DPIA assessment. The Data Governance products focus on the core privacy obligations and should be used in conjunction with the completed Target Data Tracker or completed SIG for an enterprise view of the Information Technology and Security risks.

    As a service provider, can the Target Data Tracker be used as a record of my processing activities under the EU General Data Protection Regulation (GDPR)?

    The Target Data Tracker product was constructed as a due diligence artifact to be used across many privacy jurisdictions. It contains relevant topics and attributes for records of processing and authorized use, including GDPR obligations for records of processing or as evidence of the implementation of Standard Contractual Clauses (SCCs). Each set of services may require different levels of detail to meet records of processing artifacts, but it can be used to supplement or enhance these documentation efforts. Refer to the TDT User Procedure Guide for detailed information on its use.

    Vendor Risk Management Maturity Model (VRMMM)

    What is Target Maturity and how do I use it?

    Target Maturity is an optional field that can be displayed in the Vendor Risk Management Maturity Model (VRMMM) Dashboard to establish the desired state of maturity for each element in a TPRM program. Target Maturity is typically not displayed to users during initial self-assessment to prevent skewing of results, but it is used to quantify and prioritize areas of improvement. The VRMMM User Procedure Guide provides an overview of how to use the Target Maturity feature.

    Is there an updated VRMMM Benchmarking Study?

    The latest data from the 2022 VRMMM benchmarking study is included in the VRMMM 2023 product. The research focuses on the 48 VRMMM Program Attributes, including new TPRM program elements such as Environmental, Social, and Governance (ESG), M&A, and Nth Party Management.

    How do I share the results of the VRMMM self-assessment?

    The VRMMM enables an organization to assess the maturity of over 250 detailed program criteria. The VRMMM organizes TPRM Program structures into Categories and Attributes to streamline the identification of areas of process improvement. The VRMMM Executive Summary Data Tables and Reporting Templates provide formatting templates and charts to share TPRM results and action plans to include in enterprise risk management reporting.

    How do I use the VRMMM Accountability Matrix?

    The VRMMM is designed to capture the process maturity across cross-functional areas of a TPRM Program. The VRMMM Accountability Matrix enables the TPRM program owner to capture the names and resources for the individual(s) who provided inputs to the self-evaluation process. The Matrix also enables the identification of the TPRM Program Owners who approved setting Target Maturity levels for the TPRM program in the organization.

    Video Resources