Shared Assessments released its Standard Information Gathering (SIG) questionnaire updates for 2024 last week. The SIG questionnaire is a unified standard for assessing vendor risk across a multitude of topical domains. There are two versions of the survey: SIG Core and SIG Lite, with substantially different numbers of questions between these two surveys and distinct levels of detail.
SIG Core is a large assessment with over 600 questions covering 21 risk categories. SIG Lite is smaller in scope and is typically used for vendors that require less due diligence or are not as critical. Prevalent is a licensee for these SIG questionnaires and includes both in the Prevalent Third-Party Risk Management Platform.
This post examines the new risk domains available in the 2024 SIG and reviews updates to compliance mandates included in the new survey.
SIG 2023 covered 19 risk domains in its questionnaire. With the new revision, Shared Assessments added two additional risk domains and revised the names of two others. The two revisions changed “Application Security” to “Application Management” and “Cloud Hosting Services” to “Cloud Services.”
The update to “Application Management” makes clear the broader scope of application risk. Securing applications can mean a lot of different things, but application management extends to the entire software development lifecycle. This includes secure coding, best practices around risk, and communicating standards to the rest of the organization.
Similarly, the evolution of “Cloud Hosting Services” to “Cloud Services” recognizes a broader market shift. Cloud hosting can mean the underlying security of cloud infrastructure like AWS and Azure, but it doesn’t necessarily connect to best practices around risk reduction of cloud-based databases and other activities occurring in the cloud.
The two net-new risk domains are “Supply Chain Risk Management” and “Artificial Intelligence,” which Shared Assessments defines as:
Adding these two new risk domains reflects the changing reality that third-party risk managers exist in. Supply chain risk management is gaining focus in the TPRM space as procurement teams become involved in managing the third-party risk lifecycle. This reflects the increasing need for cybersecurity risk management in the supply chain.
As Shared Assessments describes in its risk domain guide, “Organizations should establish Cybersecurity Supply Chain Risk Management (C-SCRM) program standards that encompass the entire life cycle, from development to maintenance. These program standards can be achieved through research, resource provision, and stakeholder collaboration and will help organizations effectively manage cybersecurity risks in their supply chains.”
In terms of Artificial Intelligence, the goal of the new risk domain included in the SIG questionnaire is to ascertain and reduce the risk of AI
tools to individuals, organizations, society, and the environment. The big concerns here are privacy, reliability, accuracy, resilience, safety, and fairness without harmful biases, among others. Shared Assessments wants organizations to help developers and others craft standards around AI to reduce the associated risks.
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
Along with adding the two net-new risk domains, the latest update to the SIG questionnaire added new content related to distinct compliance standards.
With the addition of the new artificial intelligence risk domain, Shared Assessments also added the National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework (NIST AI 100-1) to its compliance standards.
NIST introduced the AI RMF in January 2023 in recognition of the growing enterprise usage of AI tools and the lack of guidance on how to manage the risks. Check out our post where we took a deep dive into the AI RMF to understand its implications on third-party risk management. Shared Assessments adding the framework to the SIG questionnaire is a solid acceptance of the value of the guidance overall.
The addition of supply chain risk management to its list of risk domains also led to adding NIST SP 800-161r1, an updated guidance for cybersecurity risk management related to the supply chain. The NIST guidance itself was released in May 2022 and outlines best practices for Cybersecurity Supply Chain Risk Management (C-SCRM). The supply chain component of the SIG questionnaire emphasizes cybersecurity, so the addition of NIST 800-161 r1 is indicative of this focus.
In terms of environmental, social, and governance (ESG) compliance mandates, Shared Assessments added two new regulations:
Shared Assessments also added The Interagency Guidance on Third-Party Relationships: Risk Management, released by the Board of Governors of the Federal Reserve System (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), to its questionnaire.
The goal of the Interagency Guidance is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles as they relate to third-party relationships. According to the document, “the final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.”
Lastly, Shared Assessments added version 8 of the CIS Critical Security Controls and will add SEC Cybersecurity Rule 206(4)-9 questions into the Content Library. These additions will help with greater accuracy in determining cybersecurity risk within your suppliers.
These updates include:
Companies exist in a highly complex regulatory environment. These changes are indicative of that.
The updates to the SIG questionnaire for 2024 reflect a more nuanced and riskier environment for third-party risk managers. ChatGPT was publicly released only 12 months ago, setting off a generative AI “arms race” in the technology industry. The addition of AI to the SIG questionnaire reflects the need for companies to understand the risk AI tools pose to them and put guardrails around the technology’s usage.
Furthermore, the addition of supply chain risk management to the questionnaire reflects the emphasis on the cybersecurity supply chain risks that are permeating the modern business landscape. Organizations are seeing more third-party data breaches, necessitating a full understanding of the cybersecurity supply chain. The SIG questionnaire endeavors to answer some of these concerns, while also providing some peace of mind from understanding the controls built into your suppliers’ defenses.
Prevalent offers both the SIG Core and SIG Lite questionnaires as part of our Third-Party Risk Management Platform, along with over 600 other standards-based assessment templates. This library of templates allows Prevalent customers to leverage shared data and streamline the risk questionnaire process.
Along with these assessments, we add process automations, reporting, compliance mapping, and built-in remediation guidance to streamline third-party risk management. Part of the problem with TPRM is understanding how to resolve issues that arise. With Prevalent’s remediation guidance, getting to issue resolution is no longer as much of a challenge.
We also layer on continuous monitoring intelligence to make it easier to keep track of ongoing risks in your third-party ecosystem. It’s next to impossible for any TPRM program manager to keep up with all possible risks themselves, which is why the Prevalent platform does it for you. Request a demo today to discover how Prevalent can power your TPRM program.
Leverage these best practices to address NIS2 third-party risk management requirements.
12/03/2024
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024