Shared Assessments 2019 Toolkit: Comprehensive Customization, Flexibility, Efficiency for Third-Party Risk Management
January 17, 2019
Featured article by Peter Kelley, the Kelley Group Two
Third party vulnerabilities and leaks hit historic levels in 2018. Among the noteworthy third party exposures of consumer and business data: the Aadhaar breach exposed the data of 1.1 billion users, the Marriott Starwood Hotels breach exposed an estimated 3 to 5 million, Quora exposed some details on 100 million, Exactis surfaced the data of 340 million, and the list goes on…
“Third party IT security risks can cause millions of dollars in loss and damage, and possibly irreparable harm to an organization’s reputation,” said Glen Sgambati, risk management expert with Early Warning Services.
Trusted third parties are the increasingly preferred route for cybercriminals targeting an organization.
“Diligence obligates that the C-Suite ensure that their organizational risk management strategies and practices anticipate and manage the full spectrum of risks that result from interactions with physical and digital ecosystem partners, while sustaining the agility to adapt to the ever-changing threat landscape,” said Santa Fe Group CEO and Chairman Catherine A. Allen.
The 2019 Shared Assessments Third Party Risk Management Toolkit seeks to provide organizations with the full range of tools, best practices, and knowledge needed to manage the entire vendor assessment relationship lifecycle. The Toolkit is informed by Shared Assessments members worldwide – an “intelligence ecosystem.” It guides risk management practitioners at every phase, from planning a third party risk management program, to building and capturing assessments, to benchmarking and ongoing evaluation of a program.
Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools:
The VRMMM evaluates third party risk assessment programs against a comprehensive set of best practices. The VRMMM has always been the go-to place to understand the major building blocks of any vendor risk management program. Broken into eight categories, the model explores more than 200 program elements that should form the basis of a well-run third party risk management program. The VRMMM’s eight categories are: Program Governance; Policies, Standards, and Procedures; Contract Development, Adherence, and Management; Vendor Risk Assessment Process; Skills and Expertise; Communications and Information Sharing; Tools, Measurement, and Analysis; and Monitoring and Review. The VRMMM Benchmark Tools are free at: www.sharedassessments.org/vrmmm.
Standardized Information Gathering (SIG) Questionnaire Tools:
The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency and data security risks. It helps outsourcers gather “trust” components on third parties, in the form of succinct, scoped initial assessment information on a third party’s controls.
Standardized Control Assessment (SCA) Procedure Tools:
The SCA assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of a third party risk program. It mirrors the 18 critical risk domains from the SIG, and can be scoped to an individual organization’s needs.
GDPR Privacy Tools:
Timely and immediately useful components that help organizations meet the regulatory requirements placed on “controllers” (i.e., the organization that outsources services, data, etc. to third parties), who must appoint and monitor Data Processors (i.e., third parties/vendors).
Lighter Architecture, Custom Scoping, Assessment Streamlining
The toolkit’s lighter architecture is designed to enable rapid, flexible creation of risk assessments, and offers a content library of reusable, customizable assets. Other updates include:
- Custom Scoping, allowing organizations to scope by Domain, by Category, by Authority Document, by Tiered Scoping, or by Individual Question Scoping.
- SIG and SCA Integration enabling outsourcers to create a Standardized Control Assessment (SCA) Procedure Tool for onsite or virtual assessments.
- Constant Regulatory and Privacy Legislation Updates: The Toolkit is constantly updated with the most relevant and current US and International regulatory and privacy content such as NIST 800-53r4, NIST CSF 1.1, FFIEC CAT Tool, the EU GDPR and PCI 3.2.1.
“With the growing need for a risk-based approach to Third Party Risk Assessments, the 2019 Shared Assessments Risk Management Toolkit makes it so much easier to be able to demonstrate that concept, no matter what industry the user is in,” said Angela Davis Dogan, Director of Vendor Risk & Compliance Services, Lynx Technology Partners. “The Shared Assessments Standardized Information Gathering (SIG) Questionnaire Tool and the Standardized Control Assessment (SCA) Procedure Tool have been a library of best practice questions and assessment processes. With the 2019 Toolkit, they are presented in a way that makes facts even clearer to all users of the tools.”