September 2014 Newsletter
This Month's Focus: 
Obligations of HIPAA Business Associates
HIPAA Business Associates

Business associates are subject to a variety of reporting requirements, including breaches of unsecured protected health information, impermissible uses and disclosures that do not rise to the level of a breach, security incidents, and state law requirements. This month's feature article addresses the differences between the varying incident reporting requirements and identifies options for operationalizing the requirements and addressing incident reporting in contracts. Without understanding and strategically addressing these various requirements, HIPAA business associates may find themselves agreeing to whatever terms the covered entity seeks and ending up in a quagmire of hundreds of varying customer breach notification obligations that may not be achievable in practice.



2015 Shared Assessments Summit

Join us for the 2015 Shared Assessments Summit 

Schedule of Events:
April 27: SIG 101 & AUP 101 Pre-Conference Workshop(s)
April 28: TBD Pre-Conference Workshop(s)
April 29: Shared Assessments Summit (full day session)
April 30: Shared Assessments Summit (morning session)
May 1: *CTPRP Certification Workshop & Exam

*The Shared Assessments Program is pleased to announce the launch of the Certified Third Party Risk Professional (CTPRP) program in January 2015. Individuals who pass the CTPRP examination and successfully comply with the requirements to earn and maintain the certification have a thorough working knowledge of third party risk management concepts and principles. More information and a formal announcement will be released in the near future.


Registration, including Member and early bird discounts, will be provided soon. To learn more about sponsorship opportunities, contact us at

Hear from Shared Assessments Members at these upcoming events:
Shared Assessments Steering Committee Member, Rocco Grillo, Managing Director, Protiviti, Inc.
  • IEF Cybersecurity in the Global Energy Sector
    October 9, 2014 - Washington, DC
  • CLM Cyber Liability Summit
    October 15, 2014 - New York, NY
Shared Assessments Vice Chair, Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc.
Members Only
To promote your upcoming speaking events here, please send details to Kelly Wagner, Project Manager, The Santa Fe Group.
Presentation on Demand
Watch Shared Assessments Program Director, Brad Keller, The Santa Fe Group, and Shared Assessments Vice-Chair, Jonathan Dambrot, Prevalent, Inc., discuss Incident Response and Third Party Risk.

Commonly asked questions, answered


My company annually completes 30+ questionnaires from financial services companies, healthcare organizations and various other sector clients. The questions, for the most part, are repetitive. I was wondering if there is a service that Shared Assessments provides to vendors who fill out questionnaires.



The Shared Assessments Standard Information Gathering (SIG) questionnaire was designed to address your situation. The SIG is used by companies wishing to conduct risk management vendor due diligence. It was also designed to provide service providers with an easy-to-use questionnaire that can be completed and provided to their clients. The SIG is currently used by service providers across the globe to respond to customer questionnaires. In this way, rather than completing a substantial number of different proprietary questionnaires from clients, a service provider can complete the SIG once and provide it to multiple clients. Many service providers also use the SIG to respond to requests for proposals (RFPs) to help identify the breadth of their IT and data security practices.


By Adam Greene, J.D., M.P.H., Partner, Davis Wright Tremaine LLP

Once upon a time, privacy and information security were an afterthought during contract negotiations. But breach notification has fundamentally changed the process, causing organizations to become increasingly concerned with their service providers' privacy and security practices. Breach reporting time periods and breach indemnification costs can be the most hotly contested provisions in a contract negotiation. 


Interested in Becoming a Shared Assessments Member?

Contact Julie Lebo, VP Member Relations, at (703) 533-7256 or by email.

Shared Assessments would like to welcome our newest Members and Partners:
OCC Guidance 2013-29
Federal Reserve Guidance on Managing Outsourcing Risk
ISO/IEC 27001:2013
NIST: Framework for Improving Critical Infrastructure Cybersecurity
Future Topic Suggestions
Do you have a topic you'd like to see covered in an upcoming newsletter or presented on a future monthly Member Forum call? 
Send your ideas to Kelly Wagner, Project Manager for Shared Assessments.
Guest Bloggers
Interested in serving as a guest blogger on the Shared Assessments Authorities on Risk Assurance blog? Contact  Kelly Wagner, Project Manager for Shared Assessments.
Career Opportunities
To learn more about possible career opportunities with The Santa Fe Group and Shared Assessments Program, send your inquiries to

Copyright © 2014. All Rights Reserved.