Agreed Upon Procedures (AUP)

The Shared Assessments Agreed Upon Procedures (AUP) is a holistic tool for performing standardized onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security, and business resiliency controls.

The content aligns with the Shared Assessments Standardized Information Gathering (SIG) questionnaire, and the AUP facilitates onsite verification of SIG responses. The AUP is customizable to an individual organization’s needs and defines 17 critical risk control areas, procedures, and an onsite assessment reporting template, all of which enhance the efficiency of the assessment process.

The AUP uses a standardized, efficient, substantiation-based protocol for onsite assessments that allows companies to evaluate their own controls, as well as those of their third-party service providers. Robust third-party risk management is achieved through continuous re-evaluation of content and frequent updates, ensuring that the AUP remains relevant in terms of both current and emerging best practices.


The AUP evaluates key controls in the following domains of risk management:

  • Risk assessment and treatment
  • Security policy
  • Organizational security
  • Asset and information management
  • Human resources security
  • Physical and environmental security
  • Operations management
  • Access control
  • Application security
  • Incident event and communications management
  • Business resiliency
  • Compliance
  • Network security
  • Privacy
  • Threat management
  • Server security
  • Cloud security

Some of the enhancements to the 2017 AUP include:

  • Execution of a Collaborative Onsite Assessment (COA), a unique and pilot-tested capability with benefits that include consistency, rigor, and efficiency.
  • All sections of the AUP have been amended with language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.
  • Industry updates, including HIPAA final ruling modifications and PCI-DSS version 3.2 updates.

Standardized Information Gathering (SIG)

The Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. The SIG, which is presented in Excel format, is composed of comprehensive, risk-tiered questions.

The SIG is reviewed, revised, and updated annually based on referenced industry regulations, guidelines, and standards, including NIST, FFIEC, ISO, HIPAA, and PCI. New risk areas are added on a regular basis, with recent additions including End User Device Security, Threat Management, and Server Security.

Enhancements to the 2017 SIG include:

  • Addition of a Cybersecurity Guidance overview, which provides users with instruction on which questionnaire tabs to complete in order to gain a view of their cybersecurity preparedness, in keeping with FFIEC’s Cybersecurity Assessment Tool (CAT) and NIST’s Cybersecurity Framework (CSF).
  • Reduction in tool size and enhanced scoring capabilities based on user feedback and findings from Shared Assessments’ briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.
  • Changes related to industry and regulatory guidance that reflect HIPAA final rules modifications, NIST’s Cybersecurity Framework (CSF) and companion roadmap, FFIEC IT Handbook reference updates, and PCI-DSS version 3.2 standards revisions.

In addition to general information questions about the service provider, the SIG consists of seventeen (17) risk areas in which to gather detailed information appropriate to the nature of the services being provided.

These risk areas include:

  • Risk assessment and treatment
  • Security policy
  • Organizational security
  • Asset and information management
  • Human resources security
  • Physical and environmental security
  • Operations management
  • Access control
  • Application security
  • Incident event and communications management
  • Business resiliency
  • Compliance
  • Network security
  • Privacy
  • Threat management
  • Server security
  • Cloud security

2017 SIG Lite

The SIG Lite is generally used for third-party service providers (the “assessees”) who offer lower-risk services, but can also be used as a starting point for conducting an initial assessment of all service providers. Because it is a compilation of all of the high-level questions from the detail tabs of the full SIG, the SIG Lite provides the user with an initial assessment of the service provider’s risk controls.

Users have the ability to follow up with the full SIG if additional details about risk controls are required. The full SIG contains top-level assessment questions followed by additional detailed sub-questions that allow the user to obtain more information about desired risk control areas when appropriate. However, there are many occasions where the high-level overview of a particular risk control area given by the SIG Lite is sufficient.

Vendor Risk Management Maturity Model (VRMMM)

The Vendor Risk Management Maturity Model (VRMMM) is a holistic tool for evaluating the maturity of third-party risk programs, including cybersecurity, IT, privacy, data security, and business resiliency controls. The focus of the VRMMM is to provide third-party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices.

The VRMMM’s ability to identify specific areas for improvement allows companies to make well-informed decisions that drive efficient resource allocation and use, and help manage vendor-related risks effectively. Using governance as the foundational element, the model identifies the framework elements critical to a successful program. High-level categories are broken down into components in a manner that makes the model adaptable across a wide spectrum of industry groups.

Enhancements to the 2017 VRMMM include:

  • Modifications to Maturity Level definitions and improved guidance that simplify and clarify Maturity ranking.
  • Addition of an Accountability Tab to assist organizations in assigning responsibility for completion of sections of the VRMMM, allowing users to identify the resources responsible by risk area category.