2017 SIG Bundle
The Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. The robust set of questions within the SIG is reviewed annually, with updates and revisions based on referenced industry regulations, guidelines and standards, including NIST, FFIEC, ISO, HIPAA and PCI. New risk areas are added on a regular basis; End User Device Security, Threat Management and Server Security are examples of some of the more recent additions. The SIG is in Excel format, which should be familiar to most users.
Enhancements to the 2017 SIG include:
- Addition of a Cybersecurity Guidance overview to provide users with instruction on which questionnaire tabs they would complete to have a view of their cybersecurity preparedness, in keeping with FFIEC’s Cybersecurity Assessment Tool (CAT) and the NIST’s Cybersecurity Framework (CSF).
- Reduction in tool size and enhanced scoring capabilities based on user feedback and findings from Shared Assessments’ briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.
- Changes related to industry and regulatory guidance that reflect: HIPAA final rules modifications; NIST’s Cybersecurity Framework (CSF) and companion roadmap; FFIEC IT Handbook reference updates; and PCI DSS version 3.2 standards revisions.
In addition to questions about general information on the service provider, the SIG consists of seventeen (17) risk areas to gather detailed information appropriate to the nature of the services being provided. These risk areas include:
- Risk assessment and treatment.
- Security policy.
- Organizational security.
- Asset and information management.
- Human resources security.
- Physical and environmental security.
- Operations management.
- Access control.
- Application security.
- Incident event and communications management.
- Business resiliency.
- End user device security.
- Network security.
- Threat management.
- Server security.
2017 SIG Lite
The Standardized Information Gathering (SIG) questionnaire is built from top-level questions followed by additional detailed sub-questions that can be used when appropriate. This allows the user of the SIG to obtain detailed information about specific risk control areas; however, there are many occasions where a “high level” assessment of a particular risk control area is sufficient. The SIG Lite is a compilation of all of the high-level questions from the detail tabs of the full SIG, so it allows a user to obtain an initial assessment of a service provider’s risk controls. It is generally used for third party service providers (the “assessees”) who offer lower risk services, but it can also be used as a starting point for an initial assessment of all service providers. Users can follow up with the full SIG if additional details about risk controls are required.
2017 SIG AND SIG LITE Management Tools
A SIG Management Tool (SMT), included with both the SIG and SIG Lite, has been updated to be compatible with the 2017 version. The SMT is “backward compatible” and will work with any earlier version of the SIG. The real power of the SIG and SIG Lite is unleashed when they are used with the SIG Management Tool. The SMT is a Microsoft Excel, macro-based spreadsheet that leverages the power of the SIG. The tool serves two primary functions:
- COMPARISON FUNCTION: The SMT will compare a Master SIG, prepared by the issuer/outsourcer, to a SIG provided by the assessee. When executed, the SMT will perform a comparison and provide a report of all responses that did not match. In addition to identifying responses that did not match, the report also includes the value in the Optional Scoring column on the Master, to assist in the prioritization of any responses that require remediation. The report is in Excel format.
- TRANSFER FUNCTION: The SMT allows either an issuer/outsourcer or an assessee to transfer responses between SIG versions. Older versions may be transferred to newer versions and newer versions may be transferred to older versions. This function allows the issuer/outsourcer to transfer responses from a Master SIG when a new version is released, and allows assessees to transfer responses from a previously completed SIG when a new version is released. In addition, if an issuer/outsourcer receives a SIG that is a different version than that of the Master, the SMT transfer function allows the issuer/outsourcer to transfer the responses from their Master to match the version received from the assessee.
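The two SMT functions described above can be modelled in a few dozen lines, which makes the workflow easier to reason about before opening the spreadsheet. The following is an added example written for this page; it is not the Shared Assessments SMT code, and the question IDs, the 1–5 scoring scale and the version crosswalk are all constructed, as are the sample Master and assessee responses.

```python
"""Minimal model of the SIG Management Tool's comparison and transfer functions.

Added example, not Shared Assessments' own code. All data below is constructed:
question IDs, responses, the Optional Scoring values (assumed 1-5 scale) and
the crosswalk between two SIG versions are illustrative only.
"""

# Constructed Master SIG prepared by the issuer/outsourcer: expected response
# plus the Optional Scoring value used to prioritise remediation.
MASTER_2017 = {
    "A.1": {"response": "Yes", "score": 5},  # constructed: risk assessment performed
    "B.1": {"response": "Yes", "score": 4},  # constructed: security policy approved
    "H.2": {"response": "Yes", "score": 5},  # constructed: periodic access reviews
    "N.3": {"response": "No", "score": 2},   # constructed: optional network control
}

# Constructed SIG returned by the assessee, same version as the Master.
ASSESSEE_2017 = {
    "A.1": "Yes",
    "B.1": "No",
    "H.2": "N/A",
    "N.3": "No",
}


def compare(master, assessee):
    """COMPARISON FUNCTION: report every response that does not match the Master.

    Each row is (question_id, expected, actual, master_score). Rows are sorted so
    the highest-scored gaps come first, which is how the Optional Scoring column
    supports prioritising remediation. Questions the assessee left unanswered are
    reported as "<missing>" rather than silently skipped.
    """
    mismatches = []
    for qid, expected in master.items():
        actual = assessee.get(qid, "<missing>")
        if actual != expected["response"]:
            mismatches.append((qid, expected["response"], actual, expected["score"]))
    return sorted(mismatches, key=lambda row: (-row[3], row[0]))


# Constructed crosswalk: where each 2016 question ID landed in the 2017 layout.
# N.3 has no 2016 counterpart because it is (in this example) new in 2017.
CROSSWALK_2016_TO_2017 = {"A.1": "A.1", "B.2": "B.1", "H.1": "H.2"}


def transfer(responses, crosswalk):
    """TRANSFER FUNCTION: carry responses from one SIG version to another.

    Returns (transferred, unmapped). Responses whose question has no entry in
    the crosswalk are listed in `unmapped` so the user knows they were dropped
    and may need to be re-answered in the target version.
    """
    transferred = {}
    unmapped = []
    for old_qid, answer in responses.items():
        new_qid = crosswalk.get(old_qid)
        if new_qid is None:
            unmapped.append(old_qid)
        else:
            transferred[new_qid] = answer
    return transferred, sorted(unmapped)


def invert(crosswalk):
    """Build the reverse crosswalk so a newer SIG can be transferred to an older one."""
    return {new: old for old, new in crosswalk.items()}


def unanswered_after_transfer(transferred, target_master):
    """Questions present in the target version that the transfer did not fill."""
    return sorted(set(target_master) - set(transferred))


if __name__ == "__main__":
    for qid, expected, actual, score in compare(MASTER_2017, ASSESSEE_2017):
        print(f"{qid}: expected {expected!r}, got {actual!r} (score {score})")

    old_responses = {"A.1": "Yes", "B.2": "No", "Z.9": "Yes"}  # constructed 2016 SIG
    moved, dropped = transfer(old_responses, CROSSWALK_2016_TO_2017)
    print("transferred:", moved)
    print("no 2017 counterpart:", dropped)
    print("still to answer in 2017:", unanswered_after_transfer(moved, MASTER_2017))
```

The comparison report deliberately treats a missing answer as a mismatch: in a real assessment an unanswered high-scored question is at least as interesting as a “No”. The transfer function keeps a list of what it could not map for the same reason, so nothing disappears between versions without the user seeing it.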
Using the SIG Management Tool to compare responses
Using the SIG Management Tool to transfer responses
2017 SIG How To Guides
Included with the SIG is a How To Guide, which provides a comprehensive overview of how to get the most out of the SIG and its companion documents, along with best practices on how to approach third party risk assessments. The How To Guide covers all of the different program components and how to navigate the SIG, as well as detailed instructions on how to use the SIG Management Tool (SMT). Familiarizing yourself with the How To Guide and following the steps outlined in it will pay substantial benefits when you begin the task of scoping the SIG and preparing your Master SIG(s).
Sample SIG Scoping Template
Because the SIG contains questions for a wide variety of products and services, it is necessary to refine the scope of the SIG based upon the services provided by a specific service provider (or under a specific contract). Prior to using the SIG, it is important to perform a scoping exercise to determine the services provided by the third party and the risk control areas that pertain to those services. Depending on the outcome of your scoping exercise and your risk appetite, your third party may complete either a subset of the SIG or the entire tool. The Sample SIG Scoping Template provides a methodology to map third party risk factors to specific tabs of the SIG and to the company’s risk tolerance and corporate requirements. An example of the scoping exercise is included. Users may adapt the sample provided by inserting their company’s own risk tolerances into the document.
The 2017 SIG Bundle includes the 2017 SIG, 2017 SIG Lite, the 2017 SIG and SIG Lite Management Tool, SIG Overview, SIG Lite Overview, SIG How To Guide and Sample SIG Scoping Template.
Become a Shared Assessments Program Member
Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.
They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices. Membership benefits include:
- Free access to the Shared Assessments Program Tools.
- The opportunity to work on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
- Participation in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
- CPE credits for participants in Shared Assessments committees, projects and special interest groups, while demonstrating risk management and compliance leadership.
- The monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
- Access to third party risk management training and education, white papers, project documents, and case studies.
- Discounts on registration for Shared Assessments events and educational workshops.
Reminder: If you have already purchased the Shared Assessments Tools, become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you do so within 6 months of your Program Tool purchase.