August 2014 Newsletter
This Month's Focus: 
Vendor Classification
Coherent Approach to Vendor Classification

During the Shared Assessments August Member Forum call, Donald Williams, Senior Consultant, Churchill & Harrimandiscussed a coherent approach for categorizing vendors for the purpose of determining what type of, if any, risk assessment to conduct.  The role of risk assessments within an overall vendor management program to include additional vendor risk components was provided. The presentation concluded with some pertinent thoughts on logical next steps to take once vendors have been categorized.  This month's feature article discusses drivers and an approach for the categorization of vendors for risk assessment purposes within the context of an overall vendor risk management program congruent with the current regulatory environment.


Click here to read the feature article.

2015 Shared Assessments Summit

Join us for the 2015 Shared Assessments Summit 

Schedule of Events:
April 27: SIG 101 & AUP 101 Pre-Conference Workshop(s)
April 28: TBD Pre-Conference Workshop(s)
April 29: Shared Assessments Summit (full day session)
April 30: Shared Assessments Summit (morning session)
May 1: TBD-Certification Workshop & Exam

More information, including Member and Early Bird discount offers, will be provided in the near future. 

Hear from Shared Assessments Members at these upcoming events:
Prevalent, Inc. Presents:
Incident Response and Third Party Risk Online Panel Discussion - September 18, 2014

Prevalent Inc. will be participating at the following event.
Information Security Executive Summit - September 11, 2014
Lake Buena Vista, FL    

Protiviti and Prevalent, Inc. will be participating at the following event.
PCI Community Meeting - September 9-11, 2014
Lake Buena Vista, FL  
Members Only
To promote your upcoming speaking events here, please send details to Kelly Wagner, Project Manager, The Santa Fe Group.
Commonly asked questions asked and answered


I send out a substantial numbers of SIG questionnaires to service providers. It is very time consuming to review all of the responses to determine if they meet our company's requirements. Is there a more efficient or automated way for me to evaluate their responses and determine if their answers meet my requirements for IT security and data protection?



We developed the SIG Management Tool (SMT) to specifically address this issue. The SMT provides and efficient and effective way to evaluate SIG responses from service providers.


The first step in using the SMT is to create a Master SIG. When creating a Master SIG you complete a SIG by answering the questions to satisfy your corporate IT security and data privacy requirements. Once you have created a Master SIG it can be used by the SMT to compare the SIG provided by your service providers to the answers in your Master SIG.  The SMT compares the answers from your service provider and generates a report showing where the answers don't match. The report also provides the evaluator the ability to leave comments and recommendations on how these issues should be addressed. Thus, the SMT comparison report provides an efficient means of generating management reports on assessment activity and results.


Additional information on how to customize the comparison report and other uses of the SMT can be found in the SIG Issuers Guide.  




By Donald Williams
Senior Consultant, Churchill & Harriman

With the publication of OCC Bulletin 2013-29 as well as numerous recent breaches involving vendors, a perfect storm of awareness has arisen not only in the financial services industry but many others as well.  The inevitable result will be emphasis within organizations on better management of the inherent risk realized from utilizing services from third parties.  With regards to the axiom that no organization has unlimited resources a critical question arises - How do I categorize my vendors so as to maximize existing resources while identifying and minimizing the greatest risks. 

...Read more

Interested in Becoming a Shared Assessments Member?

Contact Julie Lebo, VP Member Relations, at
(703) 533-7256 or by Email

Shared Assessments would like to welcome our newest Members and Partners:
OCC Guidance 2013-29
Federal Reserve Guidance on Managing Outsourcing Risk
ISO/IEC 27001:2013
NIST: Framework for Improving Critical Infrastructure Cybersecurity
Future Topic Suggestions
Do you have a topic you'd like to see covered in an upcoming newsletter or presented on a future monthly Member Forum call? 
Send your ideas to Kelly Wagner, Project Manager for Shared Assessments.
Guest Bloggers
Interested in serving as a guest blogger on the Shared Assessments Authorities on Risk Assurance blog? Contact  Kelly Wagner, Project Manager for Shared Assessments.

Copyright � 2014. All Rights Reserved.