July 2014 Newsletter
This Month's Focus: 
Third Party Software Security

Accessing a Third Party's Software Security

During the Shared Assessments July Member Forum call, Shared Assessments Vice Chair, Jonathan Dambrot, CEO and Co-Founder, Prevalent Networks; and, Mike Falk, Vice President Vendor Relations, The Clearing House Payments Company, provided an in-depth look into the process used by the Shared Assessments Program to develop new risk areas to be covered by the Shared Assessments Program Tools.  In doing so, they also provided an overview of the importance of assessing the security of the environment used by your vendors to develop and maintain software. This month's feature article discusses how Shared Assessments approached the need to address the growing issue of assessing a third party's software security. 


Click here to read the feature article.

Key Findings*
  • 91% increase in targeted attack campaigns in 2013
  • 62% increase in the number of breaches in 2013
  • Over 552M identities were exposed via breaches in 2013
  • 23 zero-day vulnerabilities discovered
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
  • Spam volume dropped to 66% of all email traffic
  • 1 in 392 emails contain a phishing attacks
  • Web-based attacks are up 23%
  • 1 in 8 legitimate websites have a critical vulnerability
The following article can be found on Authorities on Risk Assurance, the Shared Assessments blog:
Hear from Shared Assessments Members at these upcoming events:
Shared Assessments Steering Committee Member, Rocco Grillo, Managing Director, Protiviti: 
MIS Audit Leadership Institute - August 18-22, 2014
Boston, MA  Learn More
PCI Community Meeting - September 9-11, 2014
Lake Buena Vista, FL  
Members Only
To promote your upcoming speaking events here, please send details to Kelly Wagner, Project Manager, The Santa Fe Group.
Commonly asked questions asked and answered


I have created a SIG specifically for third party vendors who provide my company with data center services. However, even after vendor consolidation efforts I still have over 20 vendors who receive this specific SIG. Being able to use one questionnaire for 20+ vendors is a definite plus, but the manual effort to evaluate all of the response is very time consuming. This situation is repeated with other SIG responses. Is there any way I can automate this effort?  



Absolutely. The SIG Management Tool (SMT) along with certain SIG functionality was specifically designed to address this issue.

Whenever a SIG has been scoped for a specific set of third party services it is always advisable to create a Master SIG. This is done by navigating to the "Formula Notes" tab of the SIG and selecting "Master" in the drop down box. Doing this converts the SIG into a Master SIG. The purpose of a Master SIG is to use it as a template for assessing SIG responses. Once you have created the Master SIG by clicking the drop down selection, you complete the process by answering all of the SIG questions relevant to the type of services provided in the manner you want them answered based on the services provided and the level of security you require for those services. This gives you a completed Master SIG which contains answers to the questions to evaluate the responses received by your vendors.


Here's where the SMT becomes so valuable. By using the "Compare" function in the SMT you are able to automatically compare all of the answers in the SIG received from a vendor to the "correct" answers you have already defined in the Master SIG. By using the SMT to perform this comparison a report will be generated by the SMT showing every instance where your answer and the answer provided by your vendor differ.


There are additional ways to filter and create comparison reports, but they go beyond the scope of this column. However, a full detailed description of how to use the SMT to conduct automated comparisons of SIG responses to Master SIG's is detailed in the SIG Issuers Guide provided with every SIG. In addition to explaining the comparison functionality of the SMT, the SIG Issuers Guide includes many other useful tips on how to use the SMT and scope the SIG.


If you're not already familiar with the SMT, I strongly suggest that you review the SIG Issuers Guide.


During discussions in 2013 to determine the next risk areas that should be addressed by the Shared Assessments Program Tools, the focus rapidly turned to software security. As we polled our members we found that many of them were concerned with the security of the software being provided by their vendors, and more importantly what could they do to determine if the software was developed and maintained in a secure environment.

...Read more

Interested in Becoming a Shared Assessments Member?

Contact Julie Lebo, VP Member Relations, at
(703) 533-7256 or by Email

Shared Assessments would like to welcome our newest Members and Partners:
OCC Guidance 2013-29
Federal Reserve Guidance on Managing Outsourcing Risk
ISO/IEC 27001:2013
NIST: Framework for Improving Critical Infrastructure Cybersecurity
Future Topic Suggestions
Do you have a topic you'd like to see covered in an upcoming newsletter or presented on a future monthly Member Forum call? 
Send your ideas to Kelly Wagner, Project Manager for Shared Assessments.
Guest Bloggers
Interested in serving as a guest blogger on the Shared Assessments Authorities on Risk Assurance blog? Contact  Kelly Wagner, Project Manager for Shared Assessments.

Copyright � 2014. All Rights Reserved.