Description
The Shared Assessments Standard Information Gathering (SIG) questionnaire is an industry benchmark for assessing third-party security and data privacy controls and is a key component in many companies’ vendor risk management programs. Now that the 2022 update is available, what do you need to know?
Compliance expert Thomas Humphreys recently reviewed the SIG 2022 questionnaire and how to leverage available mappings between control regulations and standards such as NIST, ISO, and more.
Join Thomas in this webinar as he:
- Introduces the SIG framework and its key components
- Reviews the top changes, and how it compares to 2021
- Demonstrates how to maximize its value for third-party risk management
- Recommends steps your TPRM team should take now
Watch this webinar to gain an understanding of the pivotal changes to SIG 2022 and how to maximize its value for your third-party risk management program.
Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.
Speakers
Thomas Humphreys
Compliance Expert
Transcript
Amanda: Hello. I’m hoping Scott is the first thing that everyone sees. He’s full screen. For me, at least. This is great. Welcome everybody. Oh, the numbers are skyrocketing very quickly. I think it’s because we have the dashing Thomas Humphreys on the line, all blazered up, hair slicked back, and then us Americans are just in, you know, whatever this is. But we’re glad everyone’s here. This is a big topic and I’m going to throw up a poll question. I always like to wonder while we’re waiting, why are you here? What prompted you to join us? Do you have something going on? Do you have a project? Are you a customer of ours? Do you have no idea what you’re doing here? Are you purely here for education? Also great. You know, we always like to learn something new every day. But today we are talking about four changes to know for the SIG 2022 questionnaire. This is a hot topic. We’re all excited. 2022, big year. We have Scott Lang, our very own Prevalent product marketing VP. Thomas Humphreys, also our very own. What does Thomas Humphreys do? What do you do, Thomas? Introduce yourself. You’re muted.
Thomas: Not helping the situation. I’m the content manager at Prevalent.
Amanda: That’s exactly right. You passed the test. Yes, that is who he is, and he is full of information and knowledge. I’m going to end this poll here. We have two people in the chat. Are you talking? You guys already know what you need to do. We want to do the Q&A. We’re going to wait till the end for the Q&A, but please participate. We would love to see some questions asked. Fire them away at Thomas. Really quiz him on his SIG knowledge.
Amanda: I think that’s a good idea. This is recording. It’ll be in your inbox later today, from me. I will be personally emailing you guys, especially if you answer the poll question or if you said anything during your registration; I’m going to be reaching out to you. So definitely be honest in these poll questions as well when you answer them. I think that’s about it for me. I’m Amanda, your host. I’ll come back in towards the end. Scott will be before me for a couple of bits of knowledge, and we’ll let you take it away, Thomas. You want to unmute yourself for this role that you’re in.
Thomas: Let me just load up the slide deck.
Amanda: We’re excited.
Thomas: Yes. Hello, good afternoon, good evening, good morning everyone. My name is Thomas Humphreys. As some of you may have just heard, I am the content manager at Prevalent. So I help to build new assessments, surveys and frameworks based on new and emerging standards, and of course updates to critical standards as well, such as SIG 2022. Prior to my time at Prevalent, I’ve been involved quite heavily in ISO standards, not least in information security, 27001, and business continuity, 22301, as well. I work for various certification bodies both in the United Kingdom and in Singapore, conducting local and global assessments. So we’re here today to go through SIG 22. It’s an assessment that’s just been released, and I’ll be going through what’s new, which is obviously the key aspect here, and how to prepare for this as well. As I believe Amanda mentioned, if you have any questions there will be a Q&A, time permitting, at the end. Let me minimize this piece. Good.
Thomas: So, the agenda. I’m going to be giving a high-level introduction to SIG as an assessment, and also touching on generally how changes are formed, as well as going into a bit more depth around the specifics of the 22 format, before doing a deeper dive specifically into the SIG Lite and SIG Core, the two key assessments, and some of the updates that have been made there. Then I’ll touch on perhaps two of the large changes: firstly around standard and regulatory mapping and standard and regulatory updates, and then categories and domains. I’ll be explaining what domains and categories mean and, certainly with regards to the standards and regulatory mapping and categories, what it means in practice and how they can be used to add value to SIG assessments when using the SIG platform or framework to engage with vendors and third parties. Then finally we’ll wrap this up with next steps. So, thinking about when you next go into the office, or if you go into the office today and speak with your colleagues involved in third-party risk management, what are some of the key takeaways and things that we need to be considering right now as we venture into SIG 2022? So let’s have an introduction to SIG 22 and perhaps a wider thought around the SIG standard. In a similar vein to other large bodies such as the ISO, CIS and the cloud assessment bodies as well, SIG is a framework that gets reviewed on a regular basis. In this case, it gets reviewed on an annual basis. The SIG questionnaire provides organizations with a detailed framework for assessing third parties across quite a broad range of subjects. Again, think of perhaps some of those other well-known frameworks such as ISO and NIST.
Thomas: SIG covers quite a depth of security and privacy based control groups: asset control, access management, people or human resource security, resilience and business continuity, and of course third-party or supply management as well. And as part of these annual reviews there’s a lot of work that goes into determining what we need to do this next year. Are there areas of the framework that don’t need to change because they’re still sufficient and fit for purpose given today’s changes in sector, technology and industry generally, or are there new and emerging areas that we haven’t considered before that we need to implement and build into the new framework, always forward planning and thinking ahead? And of course there’ll always be, through membership of the organization who created SIG, Shared Assessments, membership opinion and commentary that they receive from the previous year based on the way the SIG framework is being used. So there’s a lot of areas and a lot of thought process that goes into helping develop and build these frameworks. But the key area is always looking to address gaps where there are gaps, but also enhancing existing controls and enhancing the value and use of the framework as well. Apologies, I wasn’t in full screen mode. So let’s have perhaps a wider discussion now into what the actual 2022 framework is all about. I’ve already explained there’s a lot of different areas that changed and thought process into updating different aspects of a framework. In some cases there’s little to no change, in some cases it’s purely adding clarity to text and to formatting, and in some cases it’s a significant change and jump.
Thomas: I think it’s fair to say, and hopefully as you can see throughout today’s discussion and webinar, the SIG 22 has actually gone through a significant update, including updated question sets for both SIG Lite and SIG Core assessments. For those of you who are perhaps new to SIG, there are two versions of the framework. Core, as perhaps the name suggests, covers all the core content and is quite a large and expansive assessment, versus Lite, which takes many of the aspects and mandatory pieces of the SIG Core but at a condensed level, so a much smaller assessment. So there are updated question sets for both SIG Lite and Core. There are new and updated mappings to standards and regulations; I’ll go through some of these in a bit more detail. There are many mappings from the SIG 2019, 2020 and 2021 that have remained in place. In some cases we’ve seen that the mappings have expanded, and in some cases there are brand new frameworks, or updates that frameworks have made to themselves, that have warranted these adjustments, and obviously to bring them in line with some of these updated question sets to both SIG Lite and Core. And updates to domains and categories: there’s two aspects to consider here. I’ll go through both of them in a bit more detail, but broadly, with domains we’re looking at access control, asset management, server security, privacy, so the wider topic areas, and categories focus more in depth on some specifics, so access reviews, access management, asset inventory control, for example. What does this mean in practice? In terms of the updated question sets for SIG Lite and Core, we’re looking at reordered and in some cases reduced question sets for both.
Thomas: We’re looking at four new mappings to frameworks and 13 updated mappings to standards and regulations, so quite a large volume of updates and a lot of reviews being made to the standards and regulations already in place. And there’s more than 30 new categories that have been included in the SIG 22 framework, which I believe makes it quite an exciting time to do a deeper dive into SIG and, if you haven’t already, to start to consider looking at SIG 22 as a framework for assessing and managing third parties. Unfortunately, I won’t have time to go through all 30 new categories today, but I will be providing a wider context here and doing some deeper-dive exploration into both some of the standards and regulations and the categories as well. So, I mentioned first off that there’s an update to both the SIG Lite and the SIG Core assessments. Based on the results and the review over the past 12 to 18 months into what’s gone into creating the new 22 assessment, there have been many structural changes to the questionnaires themselves. So what do I mean by this? Firstly, and perhaps most obviously, there’s a lot of question text changes, which commonly happens where there’s a need for greater clarity, a need for better definition of questions, which could be a case of just rewording and reordering some of the text to make it clearer. It could be splitting out a question into a couple of questions to help the topic area, and certainly so that the responders, those vendors, those people who will be completing assessments, have more confidence to complete those questions. Reordered questions is an interesting area that’s happened, and I think there’s even more so here. What do we mean by this?
Thomas: We’re looking at improved logic flow of the question topics. So where in the past a question may have been labeled under one domain, for example the use of Windows subsystems, Windows-based servers, which previously in SIG 21 was under threat management, it’s now been moved over to server security, where it’s under the wider remit of server management, whether it’s Unix-based, Windows-based or something else. So there’s been a reordering to make sure that the flow of the questions and the question topics flows in a better format, but also that questions are where they’re supposed to be. In other cases it’s been a change to ensure that if you’re talking about one overall topic, for example access control policy or asset management policy and procedure, all of the associated questions and the child questions under that are all about that same topic. So you’re not faced with covering questions or asking questions over access control, an access control policy for example, in one section and then coming back to access control later on in another section or further down in that domain. So it’s reordering and tidying up and providing that clarity of the questions and the question types. As you’d expect, year on year there’s always going to be new questions, where there are perhaps gaps, particular topics that need to be expanded; they’ve appeared in the past but there’s more depth that could be added to them. Or literally brand new questions, topic areas that have not been covered but, through new and emerging threats, interests, technology and trends, as we’ve discussed, have warranted the need for additional aspects. And as you’d expect, in a similar vein to new questions, there will always be an occasion where questions are retired as well.
Thomas: And again through this process, where an assessment has talked about, say, a particular technology, through this review that’s actually been retired and replaced with something else that better explains the subject area potentially, or because the topic itself is not used anymore. So perhaps it’s talking about an aged piece of technology, for example. And just finally, a note about control validations. Although of course this webinar is focused very much on SIG 22 and the changes that have been brought about, some of you or many of you may know of another Shared Assessments tool called the SCA, which is a tool that enables validation of SIG controls. So when you think about it from an auditing aspect, from verification, validation and taking samples of controls, in a similar vein to when the SIG 22 was updated, naturally the SCA was updated as well to reflect those changes, so where there may have been an increase in different control validations, for example, or the need to ask for new samples. So this is something that’s occurred, as I say, not in the SIG but in this other tool called the SCA. So let’s talk about framework mappings. Now, as I say, there’s been an increase in standards, as I mentioned: four new mappings and 13 updated mappings.
Thomas: I’ve identified those 17 changes here, with the new ones focused on the new revision 5 of the NIST 800-53 framework, which was a change that NIST made at the back end of 2020; two changes from the Cloud Security Alliance, one for their Cloud Controls Matrix and one for their CAIQ, or I think it’s the Cloud Assessment Initiative Questionnaire; and then the IACS, industrial automation and control systems, guidance, particularly for use by those companies involved in operational technology and IT technology. And then as you can see there’s 13 updates there. I guess it’s quite obvious, hopefully, from those areas being covered, that there’s a theme here of predominantly info/cyber security and then some privacy based ones here. It’s not to say that some of these weren’t covered in the past, such as ISO 27001 or some of the NIST areas; it’s just that with the advent of the new questions and the new question sets there’s also been a need to review and to say, well, our ISO 27001 Annex A controls, for example, have we mapped the full 113, and what needs to be remapped? And then the same for some of the other frameworks you can see there: 27701, or the ISO’s privacy framework; PCI DSS for payment card data; the cyber security framework and privacy framework from NIST; NYDFS, obviously very pertinent as a US-based framework; a few from the FFIEC, the Federal Financial Institutions Examination Council, and you’ve got various handbooks, particularly around information security, information technology and cyber security as well; HIPAA from a health perspective; the Shared Assessments SCA, which was the procedure I was just referencing just there, the SCA being the control tool that enables that validation and sampling of SIG assessments.
Thomas: The EBA, the European Banking Authority, and of course the EU GDPR regulation as well. And I think it’s also just reflective of the fact that every year this is continually looked at. There will always be, I guess, potential growth from more and more framework mappings, particularly if there’s substantial growth in certain areas, so privacy for example, as you may be aware, looking at more and more privacy based frameworks, particularly some of the localized state-side frameworks in the US. What I’d like to do now, however, is take a look at some of these in a bit more detail. So I’ve pulled out the NIST 800-53 and I’ve pulled out the ISO 27001, and hopefully through that we’ll start to see some of the changes that have been made. Just before I go on to those two, a final piece generally on framework mappings. So what does this mean in practice? When we’re looking at the SIG Lite and the SIG Core assessments, it means that each individual update or new framework has been mapped clause for clause back into the SIG. This can be incredibly useful not just for those companies who are looking at, you know, measuring the compliance of, say, a vendor’s completion of a SIG, but if there’s either pressure or increasing pressure from the industry, from regulators; you know, there’s more emphasis on “we’re expecting, as best practice, for example, 27001 controls”, “we’re expecting by default that GDPR should be followed as default and best practice”. Being able to say we’ve completed and submitted a SIG Lite or SIG Core assessment, but we can also demonstrate through the mapping that we align to the relevant articles of the GDPR regulation or these aspects of the 27001 or NIST 800-53 framework.
Thomas: So being able to have that level of, I guess, awareness, validation and also comfort for businesses that not only are vendors completing a SIG framework, and obviously presented with a series of risks if required or if necessary, but also that they’re being mapped and they’re also aligning to some of these other best practices. So let’s take a look at the NIST 800-53 as a starting point. I’ve put that particular control here; I think this is a good way to demonstrate, particularly as we move on to domains and categories, how these standards are being mapped. So I pulled out the SR controls, which is supply chain risk management. This is one of the new updates that NIST SP 800-53 made for their revision 5, and this is a control that has 12 elements to it. They’ve been split across five domains and 25 different questions, individual questions, within SIG 22. Now, these questions are across these five domains which are on the screen: enterprise risk management, asset and information management, application security, operational resilience and threat management. So when we think about those 12 controls under the SR control group in NIST, you’ll find that link with those 25 questions fitting under each of those five individual domains. When you think about risk management and enterprise risk management, we’re looking at questions associated with doing third-party risk assessment, managing contracts with third parties. When thinking about asset and information management, how does this align to the NIST 800-53 SR control? We’re looking at where there’s a need for asset destruction or disposal, use of tamper-evident containers.
Thomas: So if you’re looking at using vendors who you use for the maintenance and disposal of equipment, for example, or as part of their delivery of service they’re holding PII, maybe sensitive personal information or any other information deemed sensitive: have they got proper controls in place that protect that information, such as tamper-evident containers, if they’re physically moving kit from location to location? Of course, application security is very important when considering supply chain risk management, particularly when there’s a need to outsource software development. So we need to look at secure testing, building security into the development life cycle, and even being aware of changes and development changes. So these are all aspects of application security that SIG asks for but also that NIST asks for, and so we have that mapping between the two, and of course if a vendor answers them correctly we can see that there are clearly some positive steps and some actions and activity being taken from an application security perspective. We know that from a NIST perspective, they’re following the NIST best practice as well. And then finally, we have operational resilience and threat management. Operational resilience: we’re looking at continuity, continuity planning and continuity testing. So again, from a SIG perspective, are you involving third parties in continuity testing if there’s a heavy reliance on a vendor to help supply your end product and service? Is that something you’re planning for from a business continuity and disaster perspective?
Thomas: And then likewise, considering the NIST framework and the NIST SR control around operational resilience, we’re looking at our contracts for supply management. Do they include the need to report on disasters and incidents? Do they need to report on recovery processes? So you can start to see the link between what NIST says and then what SIG says around operational resilience. And then finally threat management, in a similar vein to risk management or enterprise risk management: have you identified threats associated with your supply chain, and then, almost in a cyclical approach, are you feeding that back into the higher-level risk assessment and risk approach that enterprise risk management calls out? So hopefully this gives just one short view of how the SIG 22 has taken, I’d say, quite a large framework and at an individual control level, in this case the SR controls, has mapped it clause for clause back into SIG. In a similar vein, if you look at ISO 27001 as well, I’ve taken a particular aspect of the 27001 framework, clause A.14, or I think specifically 14.2, around secure development or system development. What I’ve done this time is pulled out an example of the volume of questions again, but now focusing on categories; as explained, I’ll be coming on to domains and categories in a short while. So there’s 23 questions across six categories. Those six categories, which are the six bullet points you see there, are split across application security and, with regards to the last one, privacy as well. This actually is a complete one-to-one mapping, so every clause in ISO 27001 Annex A.14 is captured across those 23 questions and six categories. So we have access control, secure DevOps, secure architectural design standards.
Thomas: So SDLC, or system development life cycle or secure development life cycle, web server security, and then also, with regards to privacy, data protection safeguards. So when considering the requirements of ISO 27001 in terms of: do you have a secure development life cycle? Do you have secure engineering principles and design principles? Do you manage and control access from a development perspective, particularly in terms of development, production, testing and various environments? And do you have safeguards to manage data, particularly from a development perspective or from a privacy perspective? We can now see where each of these aspects is now captured within SIG 22. And so, as I said, hopefully what this gives you is a good idea of how you can use a SIG 22 Lite or Core assessment, but also, where there is a business need, as I say, whether it’s through industry, whether it’s through regulation, or just as a business, if you know that, for example, for your critical vendors there’s an expectation that they should be aligned or certified to ISO 27001, or aligned to NIST, or aligned to NYDFS, or that, for example, you have many vendors who operate across Europe and so the GDPR regulation very much applies to them, not only are we giving them the SIG Lite or Core to get a view of their information, cyber security and privacy based controls and where there are risks, but we can now have that alignment to the articles of GDPR as well, to add extra depth to the assessments and to give that extra confidence from a compliance perspective. And the compliance piece is quite important as well, because it could be that we’re receiving SIG Lite or SIG Core assessments back and receiving a very high compliance. We’ve completed a Lite and the overwhelming majority of questions have been answered positively. That is to say there is no risk.
Thomas: Then when we look at, say, ISO 27001 or NIST or NYDFS or GDPR, perhaps there’s a lower compliance rating, and perhaps there’s a compliance failure or a lower rating in some specific aspects, such as development, as we can see here. So it can really help you to trim down and to really focus, particularly when you’re looking at the back end of the whole process and looking to engage with vendors to remediate risks, particularly if there are obvious trends appearing where a consistent set of controls are coming up with risks attached to them. So then we move on to domain and category updates. As I said, this is the next, I guess, major change, or another major change, that you can consider in the SIG 22. If we start with domains: so what do we mean by domain? As I mentioned, each core topic area, risk management, access control, people security, still remains, but there have been changes to a third of the domains, but only by naming convention. I’ll explain what this means in practice. As you can see here, in SIG 21 we had risk management, business resiliency and physical security. We now have enterprise risk management, operational resilience, and physical and environmental security. So why have we done this? I say it appears it’s just a title change, but actually this is wider than that. It actually reflects not only the type of questions asked and the topic areas, but it adds an expansion element to it as well. So we’re not just focusing on the physical security aspects of the business; we need to include any environmental controls that are being considered as well. Not just looking at one narrow angle of security risk management.
Thomas: We’re looking at a wider business and enterprise risk management, and we’re capturing more aspects to the risk framework, whether it’s security, privacy, supply chain, third party, fourth party and other compliance risk and other risks as well. So by expanding the domain names we’re hopefully getting a lot more clarity, again, that reflects the types of questions being asked across the respective areas. Category updates: for me this is one of the most significant updates, and it’s been not only refreshing but really interesting to see the type of categories that are coming up. If I just back up slightly, we can see some of the categories in here: access control as a category, secure development ops, SDLC, web server security. What these mean is that when you’re looking at the set of controls in SIG Lite and SIG Core, there may be one category that’s tied to one question, or it could be many questions. So there could be five questions all under the banner of access control, and it’s a way of grouping these questions together and also helping to group risks together as well. Again, thinking about if there are business needs for certain categories because these are hot topics, these are board-level topics, these are topics that are key to the industry: so for example the use of Internet of Things technology, the use of mobile working, the use of penetration testing. Being able to group these topics and these risks and these questions together again allows for that extra level of analysis, particularly if there are trends appearing across vendors, across third parties. So it’s definitely a much expanded scope of controls. As I say, we’re now looking at more than 30 new categories on top of those that already existed.
Thomas: And I say it’s really reviewing from emerging technologies and topics. So what are some of these new categories? ESG, environmental, social and governance, a very hot topic at the moment and something that’s only going to be increasing over the next 12 to 24 months. Moving away from not just third party but fourth and even nth party management: so controls and questions and categories now that help understand more about, well, we’re not just talking about a product or service being supplied by you as a vendor; we’re asking questions that are more focused around the wider fourth party, the wider supply chain. Expansion in incident management based categories, financial services, privacy and data governance, business impact analysis, penetration testing for the first time; so we’ve now got penetration testing amongst the other threat and vulnerability based assessments, vulnerability scanning and so forth. Internet of Things, IoT, security is now a dedicated category, and there are larger grouped categories around data, so data governance, data protection, data management, data backup, as well as privacy: privacy regarding personal data, children’s data, health data, privacy notices, privacy reviews, breach of privacy. So hopefully this gives you just a very small view, but an understanding, that there’s actually been a significant increase in the volume of categories, but also that the types of categories now in place have been identified based on a reflection of some of the areas that we’re seeing crop up time and time again. Some that are very new, such as obviously ESG, and some that are increasing as a result of activities we’ve seen over the past 12 to 18 months.
Thomas: So when you think about incident management, for example, one of the top areas that comes to mind is ransomware, and certainly think about the volume of ransomware and particularly some of the targeted attacks we’ve seen on some quite large organizations over the past 12 to 18 months, the SolarWinds, the Microsoft-based attacks at the back end of 2020, the beginning of ’21, and more threats of a similar nature. So the fact that incident management has now increased I think is a good reflection of that. I think what’s important now, however, is to start to do, in a similar vein to the standards and frameworks, have a closer look at some of these topics, and I’ve picked out ESG, fourth and nth party, and incident management as, I guess, three good ones to hopefully understand more about (a) what it means but (b) practically how that can be used when you’re assessing your vendors, your third parties. So top of many businesses’ lists at the moment, and discussion points, is ESG, environmental, social and governance requirements. So that’s been expanded, particularly around the compliance and operational section of SIG 22. There’s already an existing compliance section in SIG 21 looking at quite a wide range of compliance. You know, it’s visibility of laws and regulations, pointing to certain laws and the review of what those laws mean for US business. But there’s now a wider question being asked in SIG 22: does the organization have a formalized environmental, social and corporate governance program or set of policies and procedures approved by management? And then under that a category of ESG that’s split across multiple questions in the compliance and operational risk domain. Broadly speaking, we’re looking at more questions around ethical sourcing, different codes of conduct.
Thomas: We’re thinking obviously of anti-bribery, modern slavery, and other similar sorts of social and governance-based rules and regulations that ESG asks for, environmental risk management as well. So it’s been interesting to see that not only have we now got a new category that highlights the areas of compliance and operational security, or compliance and operations, that’s pertinent to an ESG program, but there’s now a dedicated question to ask: do you have a formal program? Do you have a set of policies, procedures; has it been approved by management? Is there management oversight in running this program? And is it being aligned to these areas of ethics, of law and regulation, of due diligence, and of course from an environmental perspective as well. Fourth and nth party management. So I mentioned obviously before, like many of these frameworks, including ISO and NIST, there’s been a lot of focus on generally supplier management and third party management. Well, now there’s a new category from SIG around fourth and nth party. So it’s broadening that requirement for managing third parties, with a drive to include the wider supply chain, and what this means in practice: contractual requirements, risk assessments, operational resilience and personal data management. So actually very similar, and it mirrors quite nicely some of the changes that we saw NIST addressing in the SR control group. So the need for: not only do you have a contractual requirement and contracts established with an immediate vendor, but are there other suppliers in the chain where you also have contractual agreements or terms of agreement, and if not, are risk assessments being performed? How confident are you of where that initial data or product that’s being supplied to us as a customer, how far down the line does that go?
Thomas: So thinking again about some of the NIST requirements around provenance, around traceability, around continuity. Of course, operational resilience again, as we discussed from a NIST perspective, again calls up and is categorized within the fourth party and nth party management context. Then personal data management. So again thinking about PII, SPII, health data, medical data, payment data, whatever the case may be. And again, controls and questions around how that’s managed from a third party, from a fourth party, and even fifth party if necessary. What does some of this mean in practice? Well, now that we have dedicated and now expanded categories, in a similar vein to how the standards mapping can be used, to say compliance against SIG and compliance against ISO 27001 for example, we can now see compliance against dedicated categories. So if we know that there are 15 questions in the SIG all related to fourth and nth party management, or there are 12 questions in the compliance section all related to ESG and ESG practices, again, when receiving risks, when receiving the results of Lite or Core assessments, we can now get a feel, from a compliance perspective regarding ESG or fourth and nth party or penetration testing, for how they are performing. So again it allows an organization to have a bigger, a closer focus and perhaps scrutiny, let’s say, with those categories that are deemed critical to the business. And then IS and IT incident management. So again there’s an expansion of three areas of IS and incident management. So three new categories: incident management detection, incident management documentation or incident documentation, and incident management eradication. So I mentioned the example there of the ransomware and the volume of obviously increased ransomware attacks that we’ve seen over the past 12 to 18 months.
Thomas: So by expanding this category to the full end-to-end process of incident management, not only how they’re being detected and reported, how they’re being captured and the necessary forensic investigation and analysis, but the steps to eradicate and even communicate out. So, if we’re thinking about some of the questions we would immediately be asking vendors if there was a ransomware or other threat, from an incident management, incident containment and reporting perspective, again, having this new category or expansion of categories around the incident process or processes allows for that extra level of scrutiny if this is an area that’s obviously important to yourselves as a business. And as I say, how that works in practice: when developing this, when taking a SIG assessment, when capturing it within your assessment survey, tagging those individual categories against the relevant controls and questions allows you to focus on those and have that as an extra level of scrutiny if you so wish. So hopefully that’s given a good indication of different types of categories. As I say, there are more than 30 of these, but as hopefully you can see from earlier, there are a lot of very interesting topics now coming out here. IoT, ESG, incident management, business resilience, as well as a wider focus around things such as privacy management, whether it’s dealing with privacy data, financial data, health data. So, giving a lot more flexibility to really focus these assessments on the areas, the topics that are relevant and important to yourselves as businesses. So having said all that, and having put all that into consideration, we’ve taken obviously a look at various changes that the SIG Lite and Core made both to the questions and the question sets. New questions, changed questions.
Thomas: Increases in some areas, overall decreases in the volume of questions. But then expansions in terms of standard regulatory mapping, domain names, categorization of content as well. So what do we need to start thinking about if we want to embed and build upon SIG 22? Firstly, if you haven’t already, is that identification of course of your third parties, of your suppliers. That tiering and profiling based on the criticality to the business, the nature of what they’re doing, what they’re supplying to your business, hopefully gets you to a stage where you can identify those, let’s say, tier ones, twos, or threes, or high, medium, low priority vendors. Taking that into the wider context, obviously determining the need. Do we go SIG Lite or do we go SIG Core? As the name suggests, Core is all-encompassing. SIG Lite is a subset of the Core. So there are many aspects of the Core that are touched on in Lite, where Core obviously expands in those areas. So again on privacy, for example, or access control, where SIG Lite will ask some of the pertinent areas around having an access policy, an access program, authentication or the use or consideration of multi-factor authentication, then obviously Core will take that to the next level and expand on the fine detail around those access policies and the use and type of authentication and remote access, for example. So the first piece is obviously then, once you’ve established your third parties and your group of third parties, are you using SIG Lite, are you using SIG Core, are you using a blend based on the complexity of your third party, based on the tiering? That’s often a very common and very popular approach.
Thomas: So that we know that you’re asking the right questions and the right complexity of questions, obviously, to the right vendors at the right time, of course. And then of course determining the complexity of the assessments. So are there focus points, based on what we’ve just discussed, based on the range of domains, the range of categories, based on the type of frameworks, are there any that we need to focus on more than others? And again, that should help to frame (a) the use of Core and Lite, but also that level of complexity that you’re going out to your vendors with. Then of course assessing additional business requirements. So we identify those categories. We know that we’re interested in ESG, for example, in business and operational resilience and in incident management. Are there areas that you want to increase the risk rating for? Are there areas that you want to flag up, so that once an assessment is filled out of SIG Lite or Core, if there are risks around incident management or ESG, you want them flagged? You want them highlighted in such a way that again they can be properly scrutinized, because for yourself as a business, ESG is mission critical. It’s very important. And in a similar vein to standards and regulations, we know that we’re getting pressure from regulators or from industry that everyone should be 27001 certified, or aligned at the very least. So we want to press that, and where the risks are coming out, where there’s a tagging against ISO controls, we want to make that visible. So it’s having that thinking about: we now know the type of vendors and the type of assessments; without going into the fine detail, do we want to adjust them so that we can make sure we’re prioritizing the right standards, regulations if appropriate.
Thomas: The right categories and areas that we would deem to be mandatory based on the type of vendors that we’re engaged with. And then obviously, finally, the need for risk validation and risk response as well. And can we use the framework? Can we use the categories to help drive risk remediation, risk treatment? We know that ESG is that mission critical aspect for us as a business. So where are risks coming up around ESG? Because (a) we’re able to flag them, because of the way they’ve now been categorized, we can press upon our vendors that these need to be remediated in a timely manner. These are what we determine to be mission critical to the business and to the operation or to delivery to the organization. So I hope that’s given a good overview and indication of many of the changes that SIG 2022 has included. I think in summary I can say that although the main topics by and large haven’t changed, so we’re still looking at, as I say, access control, asset management, people security, business continuity, privacy, so on and so forth, it’s the fine detail that expands those topic areas, through the categorization, through the domains, and then of course, as I say, through the mappings as well, that we’re finding, that we’re experiencing. So with that I will hand back over to yourself, Amanda, or potentially Scott.

Amanda: It would be Scott. Scott, take it away.

Scott: Yeah. Thanks. And Thomas, I’ll just give you a shout when I want you to change the slides from here. Yeah. So, you know, everything, you can build this one out a little bit.
Scott: Everything you heard Thomas talk about today was about, you know, identifying the right questions, the right subset of questions, whether it’s from the Core or the Lite or whatever, to assess your third parties. And we know from experience that, you know, moving from maybe a spreadsheet-based approach, or sending spreadsheets and emails to your vendors, and then going to a more automated approach maybe founded on the SIG can be quite daunting. So that’s in particular where we really help. You know, we’re a certified licensee of the SIG questionnaire. We have imported both the Core and the Lite version into our platform, and the whole objective of what we offer then is to automate that process for you, enable you to, you know, give you a central platform by which your vendors can go in and answer those questions, that the answers can then be elevated as risks if they’re out of the bounds of your risk thresholds, your accepted risk thresholds, and give you some prescriptive remediation guidance to resolve some of those risks that, you know, are revealed during that assessment process. And, you know, from start to finish the whole point of that is to, you know, automate it, make it easier, and to add levels of, you know, a programmatic process and some prescription to help you, you know, see your way through the process. Next step please, Thomas, or next slide rather, sorry. You know, our outcome that we’re aiming for for you is exactly that, you know, in leveraging Prevalent to help you, you know, host and manage and assess against, you know, the SIG content is to make it much smarter for you. To use as much data-driven analytics and, you know, a risk matrix that is customizable to your environment based on what those answers are.
Scott: To be very comprehensive and to add a lot of context, and by context I mean, you know, we’re adding not just the assessment results, but we’re also layering the results maybe of some continuous monitoring, cyber security, reputational scanning, and more to help you prioritize and, you know, triage your risk response. Bring it all together and then be very prescriptive, you know, with support of our team, whether it’s managed services or professional services or whatever, to, you know, design the right program, to automate it, to see it through. Next slide please, Thomas. That prescriptive path, you know, I mentioned is a fairly simple and straightforward process for Prevalent. You know, what’s important to note here is, you know, once you’ve kind of decided on maybe standardizing on the SIG or SIG Lite assessment, and you’ve decided to, you know, automate it, you know, through, you know, a platform like Prevalent, is that it just doesn’t happen one and done. There’s a whole set of vendor lifecycle management, you know, considerations that have to be made, from the point at which you are sourcing and selecting a vendor, performing some level of intake and onboarding, scoring inherent risks, and then at that point you’re really doing your deep-level SIG assessment, doing some validation and monitoring, measuring SLAs, and then, you know, executing some sort of offboarding and termination once the cycle of that relationship has expired. So when you think of third-party risk, it isn’t just about automating questionnaires and getting answers back and doing reports. It’s also looking at it more holistically from the beginning of the relationship to the end of the relationship, and we can help from an onboarding and assessment and management perspective. Next slide please, Thomas.
Scott: You know, we’ve completed a lot of those mappings for you from some of the regulation, not regulations, but some of the frameworks that Thomas mentioned in the webinar today, whether it’s, you know, from SIG to ISO or SIG to NIST or even from SIG to our own Prevalent Compliance Framework, or PCF, questionnaire. We have those mappings complete, so you can kill multiple birds with one stone, if you will, in executing those assessments using a single piece of content. And at the end of the day, what we’re helping you achieve is to get the data you need to make better decisions in a single platform where everybody’s singing from the same hymn sheet in terms of, you know, all their risk data. Knock down the silos that get in between, you know, organizations’ departments as they’re trying to solve their vendor risk challenge, and ultimately partner with us. You know, we’re an expert in third-party risk. We’ve been doing this quite a while. We’ve been part of the Shared Assessments organization from the very beginning. And, you know, you can trust that, you know, we have the processes and the tools in place to help you, you know, reduce your overall risk over time. So, I think that’s about all I had to share with you today. Just a little bit of an addendum there on, you know, why Prevalent can help address some of the things that Thomas talked about today. So now at this point, I’ll shoot it back over to Amanda.

Amanda: Thank you, Scott. I’m going to throw up another poll question. We’re just wanting to solidify, in case we missed it the first time: are you guys looking to augment or establish a third party risk management program in the next coming months? We know this is a big need. It’s not a matter of if, but it’s a matter of when.
Amanda: Something can happen with your third parties, and we know that this has been a huge priority for a lot of people, especially coming into 2022. So, let’s be honest about that answer, because once again, I’m the one that’s going to follow up. So, just to be clear, I do have a couple of questions. We’ll get to as much as we can, because we are kind of, we have four minutes. But here at random, I’m going to just ask, looks like someone wrote anonymously: as someone who is relatively new to the SIG, do you often see third-party risk management teams request evidence to validate the SIG questions? If so, to what level of evidence do teams often request?

Thomas: Evidence in terms of validation. Yeah. Yes, we do. It’s an interesting question, the evidence-based approach. We do see that often with organizations, you know, so the need for, whether it’s mandatory documentation or, you know, some mandatory notes giving further evidence. It does vary. Obviously there are challenges with that, not least if asking for a particular document that is deemed highly sensitive, risk registers for example. But there are lots of opportunities within the SIG platform, given the volume of questions that ask for either dedicated policies or processes, such as, you know, a business continuity plan, an access control policy, an asset management policy, in terms of what’s relevant. The ideal scenario will always be the full policy. More often than not, that’s not practical or not desired by the respondees. And so anything to at least confirm that there is an active live document in place. So headings, contents pages, revision sheets that can show that we have a formal policy in place and that it is up to date and relevant.
Thomas: But it can depend, obviously, on the type of records. But from my aspect, yes, it can be a huge help, you know, to bridge the gap between what the questionnaire said and what they’re actually doing in practice.

Amanda: Okay, perfect. I have two questions that are relative to comparison. One of which, they want to know if there’s any sort of comparison between, I think you kind of did cover this, between 2021 and 2022 SIG, and then someone in the beginning of this session asked if there was any comparison or contrast between the SIG and the PCF as well, and that was specifically during this presentation, but if you can touch on maybe some highlights of comparing.

Thomas: Yeah. So 21 and 22, I guess that’s the easiest one first. So, as I said at the beginning, obviously every year Shared Assessments, the company who develops SIG, obviously do look at the previous version, and that’s the basis before updating. There are delta documents that Shared Assessments produce for us to enable us to help build out the assessments in our platform, and so yes, there’s actually a lot of good, you know, mapping and actually close comparison between many of the areas. So I mentioned the domains, for example; although a third of domain names have changed, the purpose of each of the domains is the same essentially. So risk management versus enterprise risk management: 22, for example, has expanded the different types of risk for consideration, but the purpose of the risk management domain, for example, between 21 and 22, and even actually taking 2020 to 21 to 22, you know, remains the same in terms of: do you have a risk policy, a risk process, do you have ownership of risk, for example.
Thomas: So there’s a lot of good controls and validation in the older SIGs that carries through to the newer SIGs. With relation to the PCF specifically, sorry, Prevalent Compliance Framework, again, there’s a very close mapping. The PCF, for those of you perhaps unaware, is a framework that is developed using ISO 27001 and NIST as a baseline, but that now maps to SIG 22 and 21, but specifically to the 22 framework as well. And so again, yes, there’s a very close relationship between, I guess, the purpose of the PCF from an information and cyber security perspective and angle and the SIG’s sort of view of information and cyber security. You know, so the need for governance, the need to define controls based on risk and risk assessments, and, you know, the need for some of the technical components around operational security, data security, you know, business resiliency and business continuity.

Amanda: Okay. Well, that’s a super thorough answer. I hope that helps whoever asked that. Well, I think that’s all the time that we have today. I did see a question that came through from a couple of people that left me their names. So, I’m happy to reach out to you guys and just take those offline. Other people were anonymous. So, please utilize my email. I put it in the chat if you guys have any other questions. We’ll try to get to them, you know, offline, but we’re happy to help in any ways. But want to keep everyone’s time squared away within this hour. So, we’ll let you all go. But Thomas and Scott, thank you all so much for joining. We always love to see our own faces here to help everybody. And that’s all for now. Thanks again everyone, and save my email and please reach out if you have any other questions.
Thomas: Bye.

Scott: Thanks.
©2026 Mitratech, Inc. All rights reserved.