
Replacing the FULL SIG with the New CORE SIG

October 01, 2018

No two businesses are equal, which means the way vendor assessments are conducted should also vary based on your organization’s unique needs and the specific types of vendors you do business with on a regular basis. That’s why developing a vendor risk assessment process tailored to the risk level of each vendor is vital to ensuring your organization’s data remains secure and is not compromised through an outside vendor.

But with so many vendor assessment questionnaires to choose from, selecting the right one for your business, or for a specific vendor, can be a challenge. In a previous post, we shared a few of the top vendor risk assessments available to your organization, including:

  1. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
  2. Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)
  3. National Institute of Standards and Technology — NIST (800–171)
  4. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
  5. Vendor Security Alliance — VSA Questionnaire (VSAQ)

We’ve previously examined each of these assessments in greater detail, including the SIG / SIG-Lite questionnaire mentioned above. In 2018, Shared Assessments introduced the next iteration of the SIG questionnaire called “CORE SIG”, which we’ll explore in this article.

A Refresher on the Types of Shared Assessments’ Questionnaires

Before we explain the CORE SIG questionnaire, let’s do a quick refresher on the SIG in general (covered in more depth in our earlier post). The SIG, developed by Shared Assessments, stands for “Standardized Information Gathering” and is a holistic tool for assessing cybersecurity, IT, privacy, data security and business resiliency risk in an information technology environment.

The SIG evaluates vendors across 18 individual risk control areas, or “domains”. The assessment gathers the information needed to determine how security risks are managed in each of those 18 domains within the vendor’s environment.

Depending on your organization’s needs paired with the type or category of vendor that you’re assessing, the SIG questionnaire can be used in a handful of ways:

  • Used by an outsourcer to evaluate their service providers’ risk controls.
  • Completed by a service provider and used proactively as part of a request for proposal (RFP) response.
  • Completed by a service provider and sent to their client(s) in lieu of completing one or multiple proprietary questionnaires.
  • Used by an organization for self-assessment.

Unlike many of the other assessments available, Shared Assessments offers several versions of its questionnaire, including:

  • LITE: Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review.
  • CORE: Designed for assessing service providers that store or manage highly sensitive or regulated information, such as consumer information or trade secrets. This level is meant to provide a deeper level of understanding about how a service provider secures information and services. It is meant to meet the needs of almost all assessments, based on industry standards.
  • FULL: This includes all of the questions in the SIG and is intended to be used as a library of potential situation-specific additions to a CORE or LITE SIG that address best practices and industry- or service-specific requirements.
  • MASTER: A Master SIG documents what the Outsourcer considers the correct answer for each question. All of the SIG questions are displayed, with two additional columns for Optional Scoring and Question Level. The Outsourcer can define scoring in any way, such as a numerical score (1–3 or 0–9) or a qualitative High-Moderate-Low rating. The score can represent risk if the control is missing (a higher value on a failed answer is worse) or assurance if the control is present (a higher value on a correct answer is better).

If you sent the FULL SIG to a high-risk Assessee in the past, the recommendation is now to use the CORE SIG instead.
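To make the Master SIG scoring model concrete, here is an added example (not Shared Assessments’ or Whistic’s own code) that scores a vendor’s responses against an Outsourcer’s answer key. The question IDs, domain names, score values and level tiers are constructed placeholders, not licensed SIG content; the assumption that LITE questions are a subset of CORE, and CORE a subset of FULL, is also ours. It shows both scoring semantics from the text, risk (higher is worse) and assurance (higher is better), a qualitative High/Moderate/Low rating per domain, and the practitioner’s caveat that an unanswered or “N/A” question is treated as a failed control rather than silently skipped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: IDs, domains and scores are illustrative, not real SIG content.
@dataclass(frozen=True)
class MasterQuestion:
    qid: str        # question identifier
    domain: str     # one of the SIG risk control domains
    expected: str   # answer the Outsourcer considers correct (Master SIG)
    score: int      # Optional Scoring column, here on a 1-3 scale
    level: str      # Question Level column: "LITE", "CORE" or "FULL"

MASTER_SIG: List[MasterQuestion] = [
    MasterQuestion("A.1", "Risk Management",  "Yes", 3, "LITE"),
    MasterQuestion("A.2", "Risk Management",  "Yes", 2, "CORE"),
    MasterQuestion("D.1", "Access Control",   "Yes", 3, "LITE"),
    MasterQuestion("D.2", "Access Control",   "Yes", 3, "CORE"),
    MasterQuestion("D.3", "Access Control",   "No",  1, "FULL"),
    MasterQuestion("H.1", "Network Security", "Yes", 2, "CORE"),
]

# Constructed vendor responses, including the messy cases a real return contains.
VENDOR_RESPONSES: Dict[str, str] = {
    "A.1": "Yes",
    "A.2": "No",
    "D.1": "Yes",
    "D.2": "N/A",      # an N/A with no justification is treated as a gap
    # "D.3" deliberately left unanswered
    "H.1": "yes ",     # casing and whitespace noise from a spreadsheet export
}

# Assumption: each level is a superset of the one below it (LITE < CORE < FULL).
LEVEL_RANK = {"LITE": 0, "CORE": 1, "FULL": 2}


def in_scope(q: MasterQuestion, level: str) -> bool:
    return LEVEL_RANK[q.level] <= LEVEL_RANK[level]


def normalize(answer: Optional[str]) -> str:
    return answer.strip().lower() if answer else ""


def score_responses(master: List[MasterQuestion], responses: Dict[str, str],
                    level: str = "CORE", mode: str = "risk"
                    ) -> Tuple[Dict[str, int], List[Tuple[str, str, str, str]]]:
    """Return (per-domain totals, list of gaps).

    mode="risk":      add the question's score for every failed control (higher is worse)
    mode="assurance": add the question's score for every control present (higher is better)
    Unanswered and N/A answers never match the expected answer, so they count as failed.
    """
    if mode not in ("risk", "assurance"):
        raise ValueError(f"unknown scoring mode: {mode}")
    totals: Dict[str, int] = {}
    gaps: List[Tuple[str, str, str, str]] = []
    for q in master:
        if not in_scope(q, level):
            continue
        totals.setdefault(q.domain, 0)
        passed = normalize(responses.get(q.qid)) == normalize(q.expected)
        if (mode == "risk" and not passed) or (mode == "assurance" and passed):
            totals[q.domain] += q.score
        if not passed:
            gaps.append((q.qid, q.domain, q.expected,
                         responses.get(q.qid, "<unanswered>")))
    return totals, gaps


def max_scores(master: List[MasterQuestion], level: str = "CORE") -> Dict[str, int]:
    """Highest attainable score per domain at the chosen level (the denominator)."""
    totals: Dict[str, int] = {}
    for q in master:
        if in_scope(q, level):
            totals[q.domain] = totals.get(q.domain, 0) + q.score
    return totals


def rate(risk_score: int, max_score: int) -> str:
    """Qualitative rating: half or more of a domain's risk weight failed is High."""
    if max_score == 0 or risk_score == 0:
        return "Low"
    return "High" if risk_score / max_score >= 0.5 else "Moderate"


def domain_ratings(master: List[MasterQuestion], responses: Dict[str, str],
                   level: str = "CORE") -> Dict[str, str]:
    risk, _ = score_responses(master, responses, level, "risk")
    maxes = max_scores(master, level)
    return {d: rate(risk[d], maxes[d]) for d in maxes}


if __name__ == "__main__":
    totals, gaps = score_responses(MASTER_SIG, VENDOR_RESPONSES, "CORE", "risk")
    print("risk per domain:", totals)
    print("ratings:", domain_ratings(MASTER_SIG, VENDOR_RESPONSES, "CORE"))
    for qid, domain, expected, given in gaps:
        print(f"gap {qid} ({domain}): expected {expected!r}, got {given!r}")
```

Scoring at the CORE level excludes the FULL-only question D.3; re-running with `level="FULL"` pulls it back in, which is exactly the "FULL as a library of additions" use the text describes. Whichever numeric scale you pick, keep the denominator (the maximum attainable score per domain) alongside the raw total, otherwise a domain with many low-weight questions looks riskier than one with a single failed critical control.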

What is the CORE SIG Questionnaire and Why Was It Created?

According to Shared Assessments, the CORE SIG was released in early 2018 and designed for assessing vendors that run business-critical functions, data and/or systems. Its risk control focus applies stringent controls to address internal vulnerabilities and external threats. While the FULL SIG will continue to expand year over year as a library of all available questions, the CORE SIG is meant to stay roughly the same size (about 850 questions or fewer) each year while staying up to date with the latest third-party risk factors.

Shared Assessments (SA) outlines several example function and system types, including:

  • Business critical systems
  • Business critical data
  • Business critical functions

Each of Shared Assessments’ questionnaires was created to serve a distinct purpose. While the LITE version is best suited to low-sensitivity use cases, such as hosting a public website or handling obfuscated data, the CORE questionnaire goes a level deeper, surfacing issues around data types such as:

  • Personally identifiable information (PII)
  • Email
  • Customer Relationship Management (CRM)
  • Credit Card Data (PCI)
  • Protected Health Information (PHI)
  • Merger/Acquisition Information

As you can see, each level of the SIG questionnaire addresses a different level of risk that vendors expose your organization to. The CORE questionnaire strikes a balance: it exposes issues with PII and other sensitive data without requiring a fully customized SIG questionnaire. Many organizations find that the CORE SIG meets their cybersecurity, IT, privacy, data security and business needs.

Using the CORE SIG Questionnaire Within Whistic’s Vendor Assessment Platform

Whistic’s vendor assessment platform saves your InfoSec team the countless hours it would otherwise spend developing questionnaires by hand. SIG assessments are already held to the highest industry standards, which is why so many organizations use them on a regular basis, and the CORE SIG contains most (if not all) of the questions your organization should be asking third-party vendors. Whistic licenses the latest CORE SIG content from Shared Assessments and makes the questionnaire available to Whistic customers whose service package includes it.

Additionally, your InfoSec team can efficiently and securely respond to any CORE SIG questionnaires you receive by using your Whistic Security Profile, which lets teams allocate limited resources intelligently, assign questions to specific subject matter experts across the organization, and set due dates and reminders along the way.

Thanks to Shared Assessments’ questionnaires, your InfoSec team can be prepared to not only send the proper questionnaire, but respond to assessments that are sent your way. Don’t let security issues slip through the cracks — address them proactively!

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

eBooks:

Why Third Party Security is Critically Important



About the author

Whistic

The latest insights and updates on information security and third party risk management.
