May 13, 2020

Last Updated on January 19, 2024

The Shared Assessments Program offers multiple tools to assess third-party information security risk. Probably the best-known of these tools is the Standardized Information Gathering (SIG) questionnaire. A growing number of outsourcer organizations use the SIG to gather information from their vendors on 18 risk control “domains,” among other SIG use cases.
A recent episode of The Virtual CISO Podcast covered another Shared Assessments tool: the Standardized Control Assessment (SCA). This episode featured Tom Garrubba, VP and CISO for the Shared Assessments Program, considering the SCA from all angles along with host John Verry, Pivot Point Security’s CISO and Managing Partner.
One of the topics Tom and John covered was the relationship between the SIG and the SCA, and the value of combining them. Among the top use cases for the SIG/SCA combination is to help SMBs efficiently assess the security postures of their high-risk vendors, such as critical SaaS providers or other service providers that handle sensitive data.

In this context, the SIG is the “trust” (self-report) portion of the third-party risk management (TPRM) program, while the SCA is the “verify” (audit) portion of the program.

John introduces the subject: “When you think about the SCA, do you see it as being something that after you’ve received a SIG back—and let’s say they’re either a high-risk vendor you don’t like the answers to the SIG—then you would schedule an SCA? … How do you see people using [the SCA]?”
Tom replies: “I see people using it in multiple fashions. For their critical vendors, they may want to execute certain test steps [via the SCA] right off the bat. For other organizations, if they’re not satisfied with the results [of the SIG], or suspect of the answers they’re getting, they might say, ‘… I’m going to execute these test steps to really see if they’re doing what they say.”
Using the SIG, an outsourcer can gather the data needed to conduct an initial assessment of a vendor’s controls in relation to the products and/or services they provide. Then, for vendors that pose higher risk and/or if there are concerns about the SIG results, the outsourcer can use the SCA either on their own or through a third party, to validate the SIG findings.
Of course, the SCA can also be used on its own as a comprehensive set of procedures for an onsite control assessment. In fact, a growing number of companies use it to proactively assess their own environments, as a way to attest to clients, partners and other stakeholders that they can be trusted with sensitive data.
To find out more about the SCA and how it can help your business, click here to listen to the podcast episode with Tom Garrubba in its entirety. If you don’t use Apple Podcasts, you can access the growing number of episodes from The Virtual CISO Podcast here.