New Leaner Shared Assessments Questionnaire Offers Risk Scoring

October 28, 2010 Santa Fe, NM – Today the Shared Assessments Program announced the launch of Version 6.0 of its Standardized Information Gathering (SIG) questionnaire. The new, leaner SIG offers a customizable scoring option, allowing a shorthand way for outsourcers to communicate service provider risk.

Managed by The Santa Fe Group, the Shared Assessments Technical Development Committee (TDC) produced the new SIG. TDC members are information security, risk and privacy experts from global companies.

The SIG’s new scoring option allows users to assign a value to individual questions. Once the SIG is complete, it produces a score that can be used by outsourcers to measure provider risk against corporate risk tolerances. Service providers can use the score as a shorthand method of communicating risk to clients.

TDC members were committed to creating a leaner SIG without compromising the questionnaire’s comprehensiveness. “Version 6 eliminates the redundancies without sacrificing the comprehensiveness people have come to expect from Shared Assessments,” said Glen Sgambati, Chief Risk and Security Officer with Early Warning Services, LLC. Early Warning Services participated in the drafting of the new SIG.

“Version 6 of the SIG eliminates redundancies across the domains while allowing the user to capture the information necessary to efficiently make the initial evaluations of the respondents as well as identify areas of further investigation important to them,” said SIG contributor Brian J. Costello, Director of Information Security with Yodlee Inc.

The SIG and its companion onsite reporting tool (the Agreed Upon Procedures or “AUP”) are used by outsourcers and technology service providers around the globe to assess technology risk. Together the AUP and SIG comprise a rigorous toolkit for service provider audits that is used across industries to evaluate cloud computing and software-as-a-service (SaaS) environments as well as traditional outsourcing engagements.

The Shared Assessments AUP and SIG are available for download on the Shared Assessments website. Created for use by financial services organizations, healthcare companies, telecommunications corporations, retailers and others, the voluntary standards correspond to a host of laws, regulations and industry best practices, including Payment Card Industry (PCI) standards for financial institutions and requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA). Information security updates correspond with National Institute of Standards and Technology (NIST) SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations) and current Federal Financial Institutions Examination Council (FFIEC) guidelines.

Nearly 60 companies are Shared Assessments members. These organizations participate in a global community of outsourcing and risk management professionals who work together to create industry-standard tools that ensure risk management rigor. A number of software providers have incorporated the standards into their technologies.

“Participation in the Shared Assessments Program allows our global company to contribute to the ongoing development of a global standard for risk management of third-party service providers, saves our company from increased expenses by utilizing a common questionnaire, and allows our program to develop a risk assessment framework consistent with accepted industry standards,” said Susan Koski, Managing Director, Risk Assessments with Shared Assessments member company The Bank of New York Mellon.

About the Shared Assessments Program
The Shared Assessments Program was created to inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process. Through membership in the Shared Assessments Member Forum and use of the Shared Assessments tools (the Agreed Upon Procedures and the Standardized Information Gathering questionnaire), Shared Assessments offers outsourcers and their service providers a faster, more efficient and less costly means of conducting rigorous assessments for security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.