What’s the SIG Questionnaire? TPRM Simplified – Insta News Hub

The Standardized Information Gathering (SIG) questionnaire is a vendor assessment that maps to the requirements of many cyber regulations and frameworks.

The purpose of a SIG security assessment is to help manage operational risks, business resiliency, security policies, cybersecurity risks, and third-party risks as part of a broader Third-Party Risk Management (TPRM) program.

The 19 risk domains assessed by the SIG include:

  • Enterprise Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Information Management
  • Human Resources Security
  • Environmental, Social, Governance (ESG)
  • IT Operations Management
  • Access Control
  • Application Security
  • Cybersecurity Incident Management
  • Operational Resilience
  • Compliance and Operational Risk
  • Endpoint Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting Services

Who Created the SIG Questionnaire?

The SIG questionnaire was created by Shared Assessments. Shared Assessments provides best practices, solutions, and tools that help third-party risk management teams create an environment of assurance for outsourcers and their vendors.

Shared Assessments’ foundation is in regulated, compliance-driven financial services, but it has grown to include the increasing number of industries that treat good Vendor Risk Management as standard operating practice, such as HIPAA-regulated entities.

Why Was the SIG Questionnaire Created?

The SIG questionnaire was created to manage cybersecurity risk, particularly third-party risk and fourth-party risk.

As Santa Fe Group CEO and Chairman Catherine A. Allen said, “it is increasingly understood that third-party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to a company’s reputation; the best practices for effective third-party risk management are certainly less well understood.”

When doing business with third parties, it is not safe to assume that you are only doing business with the party under contract.

Just as your organization may outsource to a service provider or external supplier, your vendors likely do too. So whether you know it or not, you are relying on your vendors, and increasingly on their vendors, using sound security controls.

This means you should apply the same standardized information gathering process for assessing all parties.

The SIG questionnaire aims to provide standardized resources for managing the entire third-party relationship lifecycle.

Standardization is key to advancing effective, secure third-party controls and risk management assessments. The Shared Assessments Program created a series of third-party risk management tools that aim to create efficiencies and lower costs while maintaining compliance with regulations, industry standards, and guidelines across information technology environments.

What Are the Types of SIG Questionnaires?

There are three types of SIG questionnaire:

  • SIG Core: The SIG Core questionnaire is a library of 855 questions, including extensive questions on specific controls and definitions. SIG Core covers 19 risk domains that determine how security risks are managed in a vendor environment.
  • SIG Lite: The SIG Lite questionnaire is a streamlined version of the SIG with 126 questions for program-level assessment. SIG Lite distills the concepts and questions from SIG Core for lower-risk third parties.
  • Custom SIG: A custom SIG questionnaire can be built from the SIG Lite and Core versions based on your organization’s needs. Custom SIG questionnaires can be tailored according to business needs for due diligence requirements.

The SIG Lite questionnaire is available on the UpGuard platform.

How Can the SIG Questionnaire Be Used?

The SIG questionnaire can be used in a handful of ways, depending on your organization’s needs and the type of vendor you are assessing, including:

  • To evaluate a service provider’s information security controls.
  • Completed by third-party vendors and used proactively as part of due diligence or a request for proposal (RFP) response.
  • Completed by a service provider and sent to their clients instead of completing one or multiple third-party risk assessments.
  • Used by an organization as part of the self-assessment process.

How Often Is the SIG Questionnaire Updated?

The SIG questionnaire is updated on a yearly basis to comply with new industry standards and to account for changes in the cybersecurity landscape.

The 2020 Shared Assessments Third-Party Risk Management Toolkit was released on November 20, 2019, to enable organizations around the world to meet new and evolving regulatory compliance demands and address evolving physical and cyber risks.

New for 2020 are expanded third-party privacy tools for GDPR and the California Consumer Privacy Act (CCPA), and new operational risk content on emerging and expanding third-party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.

New usability features and expanded operational content include:

  • Expanded operational/business risk: Content for the comprehensive but customizable question library addresses corporate governance aspects of anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain. Business risk governance, information security risk, and privacy data protection questions have expanded based on new regulations, including CCPA and GDPR.
  • Risk and regulatory compliance content: New content across tools helps risk professionals close regulatory compliance gaps in third-party relationships with strict data protection standards such as PCI DSS.
  • Data governance: Privacy regulations such as PIPEDA, CCPA, FIPA, the SHIELD Act, and GDPR mandate that organizations diligently track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhancements assist with the identification, tracking, and maintenance of personal data that is used within specific third-party relationships, including fourth-party management.
  • Service provider configuration and response management: New agility in the Standardized Information Gathering (SIG) Management Tool allows service providers to more easily build, configure, and maintain multiple completed questionnaires, reducing the effort and complexity involved in responding to due diligence requests.
  • External content automation: Shared Assessments members, outsourcers, and licensees can extract and integrate SIG content into their platforms via JSON.

How Is the SIG Questionnaire Different From Other Vendor Risk Assessment Questionnaires?

The SIG Management Tool is a Microsoft Excel workbook that allows assessors to draw from the bank of questions in the SIG Content Library to create customized questionnaire templates based on their needs.

Unlike other security questionnaires, such as HECVAT and the Vendor Security Alliance Questionnaire, the SIG questionnaire evaluates third-party vendors and service providers based on its own 18 individual risk control areas.

SIG is a good choice for a broad range of vendor risk management use cases because its controls map to a large number of cybersecurity frameworks and guidelines, including:

Indexing across multiple security assessments makes the SIG questionnaire a good choice for evaluating security postures during the prospecting and onboarding phases of Vendor Risk Management.

Other well-known and respected security questionnaires include:

What’s in the Standardized Information Gathering (SIG) Questionnaire Toolkit?

The components of the 2020 Standardized Information Gathering (SIG) Questionnaire Toolkit are:

  • Third-Party Privacy Tools: This set of tools was built from the demand driven by 2019’s GDPR Privacy Tools, with an expanded scope to meet requirements for various privacy regulations and framework updates. These tools provide templates for pre-assessment scoping or readiness assessments that enable privacy-centric assessments, incorporating privacy controls and obligations based on specific jurisdictions.
  • Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: SIG’s VRMMM is one of the longest-running third-party risk maturity models. The 2020 VRMMM Benchmark Tools’ improved maturity tracking and functionality lets managers set more granular maturity level ratings and deliver greater reporting clarity. VRMMM Benchmark Tools are free to use.
  • Standardized Information Gathering (SIG) Questionnaire Tools: The SIG employs a holistic set of questions based on industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency, and data security risk.
  • Standardized Control Assessment (SCA) Procedure Tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors, providing the verification or attestation component of third-party risk programs.

Why You Should Consider Using Security Ratings Alongside the SIG Questionnaire

Security ratings give risk management and security teams the ability to continuously monitor the security posture of their vendors.

The benefit of security ratings alongside security questionnaires is that they are automatically generated, updated frequently, and provide a common language for technical and non-technical stakeholders.

Security ratings fill the attack surface gaps left by traditional point-in-time assessment methods like the SIG questionnaire, providing continuous attack surface awareness.

Security ratings combined with point-in-time assessments create real-time attack surface awareness.

Security ratings can complement and provide assurance of remediation efforts and the results reported in security questionnaires because they are externally verifiable, always up to date, and provided by an independent organization.

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.

Security rating calculation on the UpGuard platform.

UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that ingest and analyze trusted commercial and open-source threat feeds, together with non-intrusive data collection methods, to quantitatively evaluate cyber risk.

UpGuard bases its ratings on the analysis of 70+ vectors, including:

If you are curious about the performance of other security rating services, see our guide on SecurityScorecard vs. BitSight.

How UpGuard Can Help You Automate Security Questionnaires

UpGuard streamlines your security questionnaire workflows with features suited to an efficient Vendor Risk Management program, including Shared Assessments’ SIG Lite Questionnaire.

In October 2023, UpGuard launched the SIG Lite questionnaire to help customers assess and mitigate vendor risk through the SIG framework, with planning underway for a future launch of the SIG Core questionnaire.

With the SIG Lite questionnaire, you can standardize information collection and simplify vendor assessment aligned to the SIG framework. UpGuard helps you save time and resources by automating information gathering in compliance with industry standards. Pair the SIG Lite questionnaire with UpGuard’s robust security ratings and streamlined workflows for an improved vendor risk management process.