New Shared Assessments Questionnaire Offers New Section for Assessing Cloud Computing Risk Program Standards Map to HIPAA, GLBA, PCI, NIST, Others


Today, The Shared Assessments Program released to the general public Version 7.0 of the Standard Information Gathering (“SIG”) questionnaire. The SIG contains a robust yet easy to use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment. The SIG questions are based on referenced industry standards (including, but not limited to, FFIEC, ISO, COBIT and PCI), and in addition to assessing a third-party’s environment, can be used by a company to self-assess its own control environment.


Among the enhancements in Version 7.0 is an entirely new section for assessing Cloud Computing risk. The inclusion of the Cloud section in the SIG makes it the first vendor risk assessment tool to provide a comprehensive assessment of all current IT service provider risks. Adding to the value of the SIG’s Cloud section is the fact that it is cross-referenced to the Shared Assessments Cloud Computing white paper, which provides an expansive review of Cloud risks and controls. Cross-referencing these two documents substantially enhances the ability to understand how the questions in this section were developed, and how they fit into the evaluation of overall vendor cloud risk.

In addition to the Cloud section in the full version of the SIG, cloud risks have also been added to the SIG Lite for those companies that may not require a comprehensive assessment of vendor risk in this area. A new version of the SIG Management Tool continues to be included with the SIG and has been updated to be compatible with Version 7.0 (it continues to be compatible with earlier versions as well).

Enhancements were also made to the Privacy section in order to provide a closer focus on the vendor’s privacy responsibilities relative to its contractual obligations. Privacy questions have also been expanded to include HIPAA/HITECH and cross-border issues.

Responding to the need to provide companies with assistance in defining the scope of their vendor risk assessments, a “How to Guide” was developed to accompany the SIG. The primary purpose of the Guide is to provide a comprehensive understanding of how to use the SIG from both the issuer’s and the respondent’s perspective. In addition, the Guide includes a thorough explanation of all of the benefits of the SIG Management Tool and how to maximize that Tool within your organization.

A new version of the Agreed Upon Procedures (“AUP”) v 6.0 is also being released at this time. The AUP is used by companies to evaluate the controls their service providers have in place for security, privacy and business continuity. Both the AUP and the SIG are aligned with ISO 27002:2005, PCI DSS, COBIT, and NIST as well as FFIEC Guidance, the AICPA/CICA Privacy Framework, and a host of privacy regulatory guidance. Version 6.0 was primarily updated to incorporate the new privacy section of the SIG 7.0. It will be further updated to include the SIG’s new Cloud section later this year.

Coinciding with the release of new versions of the Shared Assessments Tools, the Program launched a new web site (http://www.sharedassessments.org) to better serve the needs of its members. The new site offers improved navigation and graphics, and a members-only section where members can access Program tools and resources and discuss issues and trends in a private Discussion Forum.

About the Shared Assessments Program
The Shared Assessments Program was created by leading financial institutions, the Big Four accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the vendor risk assessment process. Through membership and use of the Shared Assessments tools (the Agreed Upon Procedures and the Standardized Information Gathering questionnaire), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (http://www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico.

###

Contact Author

Joyce Crawshaw
joyce@santa-fe-group.com
505-466-6434