Third-Party Risk Management

Vendors are a common element in today’s business environment.  Outsourcing services and processes to vendors provides flexibility, convenience and cost savings.  However, these outsourcing arrangements don’t come without increased risk.  Data breaches stemming from third parties have been increasing year over year.  When identities are stolen or sensitive information is made public, your customers won’t care that is was the vendor’s fault.  Regulators and examiners alike are also taking note, and it can be seen in recent legislation and guidance related to managing third parties.  You can always outsource a business process, but you can never outsource the risk and responsibility.  Implementing a robust third-party risk management framework is essential in identifying and managing the risk in the vendor lifecycle.  Schneider Downs personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results.  Schneider Downs also has the tools necessary to help your organization effectively achieve new vendor risk management heights.

Standards Based Assessments: Standard Information Gathering Questionnaire (SIG and SIG Lite)

Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance.  The SIG questionnaire uses a standardized framework built by the Shared Assessments Group and its member organizations to provide an objective vendor management assessment methodology that assists outsourcers in meeting regulatory and vendor risk management requirements.  Schneider Downs successfully leverages tools such as the SIG and SIG Lite to provide third-party risk management services to our clients.  Our team of assessors has the knowledge and credentials to effectively assess the critical security controls at vendor organizations of all sizes and types.

SIG process

Vendor Risk Management Maturity Model (VRMMM)

Schneider Downs can help assess the maturity of your organization’s third-party risk management processes and benchmark the results against other organizations.  Schneider Downs will evaluate and score your organization’s level of maturity for each critical component in a third-party risk management program:

• Program governance
• Policies, standards and procedures
• Contracts
• Vendor risk identification and analysis
• Skills and expertise
• Communication and information sharing
• Tools, measurements and analysis
• Monitor and review

Shared Assessments Agreed Upon Procedures (AUP)

Schneider Downs uses the Shared Assessments AUP to help vendor organizations evaluate the controls that they have in place for IT security, data protection, privacy, business continuity and other risk areas. The AUP consists of an objective test of controls, validation of vendor self-assessments, and standardized reporting requirements.  The AUP allows companies to view assessment results in the context of their vendor risk management requirements.  The AUP provides objective and consistent procedures that validate key controls in the following domains of risk management:

• Information security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
• Management of privacy programs
• Software application security
• Fourth-party management
• Cloud security