2017 SIG Bundle

Price: $6,000.00

2017 SIG

The Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. The robust set of questions within the SIG are reviewed annually with updates and revisions, and are based on referenced industry regulations, guidelines and standards, including NIST, FFIEC, ISO, HIPAA and PCI. New risk areas are added on a regular basis, with End User Device Security, Threat Management and Server Security, as examples of some of the more recent additions. The SIG is in Excel format, which should be familiar to most users.

Enhancements to the 2017 SIG include:

  • Addition of a Cybersecurity Guidance overview to provide users with instruction on which questionnaire tabs they would complete to have a view of their cybersecurity preparedness, in keeping with FFIEC’s Cybersecurity Assessment Tool (CAT) and the NIST’s Cybersecurity Framework (CSF).
  • Reduction in tool size and enhanced scoring capabilities based on user feedback and findings from Shared Assessments' briefing paper, Building Best Practices for Effective Monitoring of a Third Party's Incident Event Management Program.
  • Changes related to industry and regulatory guidance that reflect: HIPAA final rules modifications; NIST’s Cybersecurity Framework (CSF) and companion roadmap; FFIEC IT Handbook reference updates; and PCI DSS version 3.2 standards revisions.

In addition to questions about general information on the service provider, the SIG consists of seventeen (17) risk areas to gather detailed information appropriate to the nature of the services being provided. These risk areas include:

  • Risk assessment and treatment.
  • Security policy.
  • Organizational security.
  • Asset and information management.
  • Human resources security.
  • Physical and environmental security.
  • Operations management.
  • Access control.
  • Application security.
  • Incident event and communications management.
  • Business resiliency.
  • End user device security.
  • Network security.
  • Privacy.
  • Threat management.
  • Server security.

2017 SIG Lite

The SIG is built from top-level questions, each followed by more detailed sub-questions that can be used when appropriate, so a user can drill into a particular risk control area when that level of detail is needed. On many occasions, however, a high-level view of a control area is sufficient. The SIG Lite is a compilation of those top-level questions from the detail tabs of the full SIG. It is generally used for third party service providers (the "assessees") that offer lower-risk services, but it can also serve as a starting point for an initial assessment of any service provider: the SIG Lite gives an initial view of the provider's risk controls, and the user can follow up with the full SIG where more detail about specific controls is required.

2017 SIG AND SIG LITE Management Tools

A SIG Management Tool (SMT), included with both the SIG and SIG Lite, has been updated to be compatible with the 2017 version. The SMT is backward compatible and works with any earlier version of the SIG. It is a macro-based Microsoft Excel workbook, so Excel must be allowed to run its macros; use only the copy obtained directly from Shared Assessments. Much of the value of the SIG and SIG Lite comes from using them together with the SMT, which serves two primary functions:

  • COMPARISON FUNCTION: The SMT compares a Master SIG, prepared by the issuer/outsourcer, to the SIG returned by the assessee and produces a report of every response that does not match. For each mismatch the report also carries the value from the Optional Scoring column of the Master, so that responses requiring remediation can be prioritized. The report is in Excel format.
  • TRANSFER FUNCTION: The SMT lets either an issuer/outsourcer or an assessee transfer responses between SIG versions, in either direction (older to newer or newer to older). An issuer/outsourcer can carry a Master SIG forward when a new version is released, and an assessee can carry forward responses from a previously completed SIG. If an issuer/outsourcer receives a SIG in a different version from its Master, the transfer function can also convert the Master's responses to the version received from the assessee so that the two can be compared.
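The comparison function above is, at its core, a keyed diff of expected versus received responses with a severity rank attached. The following Python is an added illustration of that logic and is not Shared Assessments' code: it works on constructed in-memory rows rather than the Excel workbooks the real SMT reads, the question identifiers (such as "ACCESS-1") and the scoring values are made up, and the handling of blank answers and of case or whitespace differences is an assumption about what an issuer would want, not a description of how the SMT behaves.

```python
"""Added example: diff an issuer's Master SIG against an assessee's
completed SIG and rank mismatches by the Master's Optional Scoring value.
Not Shared Assessments' code; all rows and identifiers are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MasterRow:
    question_id: str   # constructed identifier, not a real SIG question number
    expected: str      # response the issuer requires, e.g. "Yes" / "No" / "N/A"
    score: int         # Optional Scoring column on the Master: higher = more important


@dataclass(frozen=True)
class Finding:
    question_id: str
    expected: str
    received: Optional[str]   # None when the assessee left the question blank
    score: int


def normalize(response: Optional[str]) -> Optional[str]:
    """Assumption: case and surrounding whitespace are not meaningful differences;
    an empty string is treated the same as a missing answer."""
    if response is None:
        return None
    cleaned = response.strip().lower()
    return cleaned or None


def compare_sigs(master: List[MasterRow], assessee: Dict[str, Optional[str]]) -> List[Finding]:
    """Return every Master question whose assessee response does not match,
    highest score first (ties broken by question id for a stable report).

    Unanswered questions are reported as mismatches: an issuer cannot treat
    silence as evidence of a control. Answers the assessee gives to questions
    that are not on the Master are ignored, since the Master defines the scope."""
    findings = []
    for row in master:
        received = assessee.get(row.question_id)
        if normalize(received) != normalize(row.expected):
            findings.append(Finding(row.question_id, row.expected, received, row.score))
    return sorted(findings, key=lambda f: (-f.score, f.question_id))


def render_report(findings: List[Finding]) -> List[str]:
    """One line per mismatch, in the order a remediation list would be worked."""
    lines = ["question_id\tscore\texpected\treceived"]
    for f in findings:
        received = "(blank)" if f.received is None else f.received
        lines.append(f"{f.question_id}\t{f.score}\t{f.expected}\t{received}")
    return lines


# Constructed sample data: a four-question Master and one assessee's answers.
MASTER = [
    MasterRow("ACCESS-1", "Yes", 5),
    MasterRow("ACCESS-2", "Yes", 3),
    MasterRow("NET-1", "Yes", 4),
    MasterRow("PRIV-1", "N/A", 1),
]
ASSESSEE = {
    "ACCESS-1": "yes ",   # matches after normalization
    "ACCESS-2": "No",     # genuine mismatch, score 3
    "NET-1": None,        # left blank, score 4: reported first
    "PRIV-1": "N/A",      # matches
}

if __name__ == "__main__":
    for line in render_report(compare_sigs(MASTER, ASSESSEE)):
        print(line)
```

Running the block prints a two-row report with NET-1 (blank, score 4) ahead of ACCESS-2 (score 3); the two matching rows are omitted. Sorting on the Master's score rather than on the assessee's answer is what turns a raw diff into a remediation queue.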

Using the SIG Management Tool to compare responses

Using the SIG Management Tool to transfer responses

2017 SIG How To Guides

Included with the SIG is a How To Guide, which provides a comprehensive overview of how to get the most out of the SIG and its companion documents, along with best practices on how to approach third party risk assessments. The How To Guide covers all of the program components and how to navigate the SIG, and gives detailed instructions on using the SIG Management Tool (SMT). Reading the How To Guide and following the steps it outlines will pay off when you begin scoping the SIG and preparing your Master SIG(s).

Sample SIG Scoping Template

Because the SIG contains questions covering a wide variety of products and services, its scope must be narrowed to the services actually provided by a specific service provider (or under a specific contract). Before using the SIG, perform a scoping exercise to determine which services the third party provides and which risk control areas apply to them. Depending on the outcome of that exercise and your risk appetite, the third party may complete either a subset of the SIG or the entire tool. The Sample SIG Scoping Template provides a methodology for mapping third party risk factors to specific tabs of the SIG and to the company's risk tolerance and corporate requirements. An example of the scoping exercise is included; users can adopt the sample by inserting their own company's risk tolerances into the document.

The 2017 SIG Bundle includes the 2017 SIG, 2017 SIG Lite, the 2017 SIG and SIG Lite Management Tool, SIG Overview, SIG Lite Overview, SIG How To Guide and Sample SIG Scoping Template.

Become a Shared Assessments Program Member

Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.

They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

Member benefits include:
  • Free access to the Shared Assessments Program Tools.
  • A seat on one of the Program's Standing Committees (SIG, AUP or VRMMM) to continue refining the Program's Tools; member input is what keeps the Tools current with third party risk assurance issues.
  • Participation in Special Projects and Interest Groups, working with peers to identify, discuss and address the issues you (and your management) consider top priorities.
  • CPE credits for participating in Shared Assessments committees, projects and special interest groups, while demonstrating risk management and compliance leadership.
  • The monthly Member Forum and other special interest calls, where key industry and regulatory thought leaders present the latest developments in vendor risk management and regulatory compliance.
  • Access to third party risk management training and education, white papers, project documents and case studies.
  • Discounts on registration for Shared Assessments events and educational workshops.

Reminder: if you have already purchased the Shared Assessments Tools and become a Shared Assessments Program member within 6 months of that purchase, your annual dues are reduced by the total amount of the purchase.

