Description
The Shared Assessments Standard Information Gathering (SIG) questionnaire is an industry benchmark for assessing third-party security, operational, and data privacy controls and is a key component in many companies’ vendor risk management programs. Now that the 2024 update is available, what do you need to know?
In this on-demand webinar, expert Thomas Humphreys reviews the SIG 2024 questionnaire and how to leverage available mappings to standards and regulations such as NIST, ISO, FFIEC, NERC, and more.
Join Thomas as he:
- Introduces the SIG questionnaire and its 21 risk domains
- Reviews the top changes and how it compares to 2023
- Demonstrates how to maximize its value for third-party risk management
- Recommends steps your TPRM team should take now
Watch this webinar to gain an understanding of the pivotal changes to SIG 2024 and learn how to use them to optimize your third-party risk management program.
Speakers
Thomas Humphreys
Expert
Transcript
Ashley: Today we are joined by some very special guests. Our very own project manager, Thomas Humphreys. Hey Thomas.
Thomas: Hey Ashley.
Ashley: And our very own product marketing manager, Matt Delman. How's it going, Matt?
Matt: Hi Ashley. Happy to be here today.
Ashley: Just a quick reminder, this webinar is being recorded and we will be sending out the recording along with the presentation slides shortly after the webinar. You're all currently muted, but we encourage participation, so please put any questions in our Q&A box so we can go over them at the end of the webinar. Today Thomas will be discussing the SIG 2024 questionnaire. So, Thomas, I'll go ahead and pitch things over to you.
Thomas: Thank you very much, Ashley. Is the screen okay? Can we see the screen, Ashley? Matthew?
Ashley: Yes.
Thomas: Yep. Fantastic. So, yes, good morning, good afternoon, good evening, ladies and gentlemen. My name is Thomas Humphreys and I'll be taking you through today's webinar, doing a deeper dive into SIG 2024, taking apart some of the bigger changes and looking at how we can use them when thinking about existing or upcoming or new TPRM programs and activities. Just a very quick bit of background about myself. I've been with Pent for just over five years now, principally involved in developing assessments and content using the likes of the SIG and other notable standards and best practice frameworks out there. I was previously an auditor for the better part of 10 years, working in certification bodies in the UK and in Singapore and dealing with organizations on a global scale, both large and small. As indicated, throughout today we're aiming for about 50 to 55 minutes or so for the presentation, following which we should have time for some Q&A. So if any questions come to mind, feel free to place them into the relevant Q&A window.
Thomas: So let's make a start and take a look at some of the key areas that we'll be covering today. We'll start, as always, with an introduction, particularly for those who may be new to SIG as an assessment and as a framework, before doing a quick comparison between what happened and some of the notable changes in the 2023 version and comparing that to what's happened in 2024. We'll then take a deeper dive into two of the more notable and perhaps more far-reaching impact areas in artificial intelligence and supply chain. We'll take a wider look at some other areas around controls, control groups and control attributes and what they mean, before turning our attention to how we can use the existing SIG in either an existing or a new TPRM program, and then looking at some last steps and where we go from here. So let's start with an introduction. The SIG is a framework developed by a company called Shared Assessments. This is an assessment that's built on a yearly basis, and there's a yearly cycle of review, and it's been going for many, many years. Essentially it's a framework that helps organizations regardless of industry, regardless of sector. It has a database of controls and control requirements to assess organizations, whether it's their own internal organization or, certainly for the purposes of this webinar, third parties and vendors. It's a very comprehensive suite of practices and control requirements that the SIG covers. Currently we're looking at a total of 21 different control groups, and in a short while I'll go through exactly what those control groups are and what they look like. The SIG offers various different scoping levels.
Thomas: So whether you're looking at very small, concentrated assessments or very large, in-depth and detailed assessments, SIG has different levels and capabilities for scoping across what it calls its Core and Lite range of assessments. Again, we can go into a bit more detail later on in terms of some of the key differences between what we call a Core and what we call a Lite assessment. As I say, it covers a range of best practices, including cyber and information security, information and data privacy, governance and management control points, and compliance control points as well. So there's a range of different topics. Some of these are relatively new looking over the last 12 months, such as ESG, which came into play last year, and some of them are long-running, ongoing topics, such as access management or incident management, for example, or risk management and risk assessment, which are seen as regular best practices and which are adjusted and reviewed on a yearly basis. So, a lot of different topics, a lot of different areas for organizations to get their teeth into. The key thing to state at this stage is that the SIG provides you with that almost library, if you will, or database of lots of different touch points with which you can then assess a third party, again, as I say, across these 21 individual control groups. So we're looking at 2024 now. And as I say, every year, 23, 22, 21, there's always a yearly iteration of the assessment. So I guess we need to understand why it is reviewed on a yearly basis. What's the purpose of going through such an annual review? Not too dissimilar to other organizations who review sometimes annually, sometimes less frequently.
Thomas: Ultimately, the purpose of these reviews that Shared Assessments go through is to look at what was written last year based on feedback from members, looking at how the assessment is used across, as I say, a variety of industries and sectors, and looking at new and emerging topics. What do we need to adjust to make the SIG relevant or maintain the relevancy of the SIG? So there's an opportunity to identify and address weaknesses or areas for improvement. Are there topics identified from previous years, which have been going for several years, that are now surplus to requirement because new and emerging technologies or other key topics have come to the fore and replaced what was previously written? Are there brand new topics and areas of interest, again looking at a broad range of industries and sectors? We'll be covering two of the key areas today in terms of artificial intelligence and supply chain, or SCRM. And then looking at the standards and regulations and the best practice frameworks that can be mapped against the SIG: whether we're aligning or there's a need to align to a new standard or to a new law or regulation, or whether there's a need to realign because a standard or regulation has been updated. So, for example, the new ISO 27001:2022, not so new anymore, but sometimes there's a need to make necessary adjustments to make sure we're in line with the terminologies, the terms of reference and new controls as well, and so to improve that language and align it to best practices. So there are various different steps that go through in terms of standards development, and it's a long, detailed process that Shared Assessments get involved with and spreads to its wider membership base.
Thomas: So it reaches a point, as we are now, where we have a new and updated version of the framework, which hopefully adds that same value: relevant touch points based on new and emerging topics and, in some cases, brand new standards, law and regulatory mappings as well. So there's a lot of activity involved throughout this whole process. So let's take a quick look back at what happened in 2023. SIG 2023 built on the improvements of 2022 and in some cases turned some critical topics into standalone domains. So areas such as fourth and nth party management, and ESG for the first time, became individual sections, individual control domains or control areas, which organizations could use and could assess businesses against. And as you can see here, there were 19 individual domains. Overall, there was an increased focus on some governance- and management-level areas. So areas such as enterprise risk management expanded this emphasis on: we're not just focused on risk from a, say, cyber and information security perspective; we're looking at the business and operations as a whole. And so the controls and even the names of the domains reflected that direction as well. I mentioned earlier the need to align to new and emerging standards and best practices, and so there were a few new areas added last year: FedRAMP, FFIEC outsourcing, NERC and ESG. You'll notice with a lot of these frameworks, there's a lot of different terminology and buzzwords and acronyms we use. Just a quick review of some of these: obviously ESG, environmental, social and governance requirements; NERC, which is a security guideline for the vendor risk management life cycle.
Thomas: It's very much a US critical infrastructure focused framework, and FFIEC outsourcing, which is more focused around financial institutions or federal financial institutions in the US. And so it gives an indication of where standards are brought in. As I say, although the SIG itself can be applied regardless of industry and sector and size and complexity of organization, naturally, as we see more and more industry bodies and regulatory bodies take note of supply chain management, third party risk management, cyber security and privacy management, we'll see a need for more mappings for some sector-specific standards and regulations, as well as more wider-reaching, industry- or sector-agnostic regulations or standards such as ISO or NIST or CAIQ from a cloud perspective as well. So that's what happened at the end of 2022 for the new standard and assessment for the current year we're in. So what's changed in 2024? One of the areas that does change each year is the volume of questions that are on offer. I mentioned there are two variants, the SIG Core and the SIG Lite. Typically we're seeing a slight reduction in question volumes over the years. To give an indication, the SIG Lite is looking at around the 125 mark in terms of 125 individual questions. The Core is around the 620 mark or thereabouts. So it gives an indication of the level of depth that, say, a Core set of questions or the Core library goes to, as opposed to the Lite library within the SIG. One of the key areas to note is, if we look at the right-hand side of the screen and in bold (I've already touched on them at the beginning), there are two new domain areas, AI and supply chain risk management. So it's increased the overall volume of domains to 21 now.
Thomas: But when you look across at the other areas, there are some slight name changes, but generally the key topics remain. So from risk and nth party management to asset, HR and operational controls, technical capabilities such as incident and resilience, and endpoint and network security, to more compliance areas around general compliance management, broadly speaking, to ESG again and information and data privacy as well. So an expansion of control areas is the first notable change, and as I say, we'll go into detail on those two later on. There's also been a significant focus on controls, control families, and particularly control attributes, and where control categories and particularly attributes appear across multiple domains and questions. And this is, for me, one of the most interesting areas and could prove to be the most useful, particularly when we're using the SIG 24 moving forward in terms of assessing not only our range of parties and vendors, but particularly where we're starting to provide more focus around, say, tiering of vendors, for example, or dealing with different sizes and complexities of vendors as well. Increased standards mapping as well, particularly around cyber and third party management, as we'll see later on. Some of the, I guess you could say, usual suspects, such as the new 27001 framework and PCI DSS for payment cards, have been updated over the past 12 to 18 months, so it's only natural that those changes were reflected in the new SIG. But also some brand new standards mappings, not least around NIST 800-161, which is the cyber security supply chain risk management standard from NIST, and from the same organization the AI RMF, or artificial intelligence risk management framework, which forms the core and the basis for the new AI component as well.
Thomas: So lots of different standards mappings and regulations, some of which we'll see in a bit more detail later, and AI and supply chain risk management captured as new, if you want, standalone control domains. A lot of this, I think, is quite reflective of what we're seeing, not just in any particular industry but across the board: both the interest in, and the speed with which, AI is being used or is being asked for, and companies are developing systems around the concept of AI, but also this need to have greater focus and accountability around supply chain and supply chain risk management. So it's very timely that Shared Assessments have added these into the SIG for 2024. And I think it is good because it helps to represent those changing views, concerns and expectations, as I say, regardless of industry or sector. So let's take a look firstly at two of the new control groups, starting with artificial intelligence. A massive topic, as I'm sure we're all very familiar, not least with the advent of tools such as ChatGPT and many others that are actively in development. And as I mentioned, when we look at the SIG 2024, it uses the NIST AI RMF as the baseline standard in terms of standards mapping. And this is really one of the first formal standards that's been released around AI. Naturally there are a lot more coming up, and we can see moving into next year, whether it's the likes of ISO, whether it's country-specific regulation or more global regulations, the EU AI Act for example, or other consolidated best practice standards, there will be a lot coming out over the next 12 months. But certainly the NIST AI RMF is an excellent starting point, and it's certainly seen as one of the drivers in terms of trying to establish some best practice or at least some clear guidance.
Thomas: And what does this look like in practice in terms of controls? Well, again using the AI RMF as the baseline, the SIG 24 has split controls into three key areas: what they call govern, or governance-based controls; map, or mapping-based controls; and measurement-based controls. What does this mean? What does this look like? So, as we can see, from a governance-based perspective, the focus is very much around development of a risk culture, an AI risk culture, and developing policy and process. So developing controls to help manage awareness of legal and regulatory considerations, for example, when using AI; this concept of trustworthiness or trustworthy AI, and I'll explain in a short while some of these new terminologies, as there's certainly a lot to consider when we're looking at artificial intelligence; policies around data governance; system impact related to AI and AI connectivity, so for example where an AI system is being developed and its connectivity to critical infrastructure or to external networks; and the development, design and testing of AI systems. All of these areas wrap around the set of govern-based controls that are captured in the new SIG. Certainly when we're looking at SIG Core versus SIG Lite, SIG Lite has a much more reduced set of controls to cover the govern, map and measurement elements, with the Core having a lot more depth around each of these respective areas, so the thought process around the application, the design and the testing of AI systems, for example, or development of policies, roles and responsibilities in terms of managing an AI system or managing the risk associated with AI. From a mapping perspective, it's all about identifying the context of an AI system. So, what is the system going to do? What won't it do? How do we categorize and inventory our AI systems? Or at least, thinking from a third party perspective, how do they inventory AI systems?
Thomas: Have they identified the costs and benefits of the use of AI? And have they assessed the level of impact that their AI system will have? So impact to other systems, individuals, groups, even society for that matter, depending on where the system's being used and if it's being used in the public domain. So the controls are really trying to focus around: has an organization, has a third party got a clear statement and a clear process in place for identifying what the system's going to do, how it's going to operate, what risks, what benefits, what level of impact the use of this AI system is going to bring, and then naturally the level of controls that are then going to be applied to protect that, whether it's privacy-based controls or cyber security-based controls or safety-based controls, for example. And then finally there are measurement controls as well captured within the SIG Core and Lite. And as you'd expect from measurement controls, they focus around how we assess, analyze and track risk: are there any metrics being developed so that we look at the short- and long-term process of managing risks in an effective manner? So very much focused around the risk concept and the risk side of AI. But the purpose very much is having that understanding and that confidence that a third party developing an AI system has conducted a very thorough risk analysis and risk approach and has identified exactly what the system's going to do, how it's going to be protected, how it's going to be secured, again particularly when we're looking at very sensitive topics around the type of data it's accessing, for example.
Thomas: Now before I move on, you can see on the right-hand side there is new terminology captured, as always with new technologies or new topics. This is just a few areas: the concept of trustworthiness, building trustworthiness into an AI system; AI actors, key responsibilities in terms of the interaction, not just those developing an AI system but everyone involved, what ISO may call interested parties associated with the system; and AI system inventories. And certainly one of the difficult components at first with any new technology or system, not least around AI of course, is how we translate that, particularly when we're engaging with a third party, if we're trying to ask pertinent questions around how they have developed their AI system and how they have scoped it to make sure that they have done the necessary due diligence and impact assessment. How do we communicate what we mean by "have they considered trustworthiness within the system"? Within the SIG assessment itself, outside of setting questions and control domains and domain families (so AI, access control, asset management), there are objectives and control statements that are updated and refined on a yearly basis as well. And the purpose of this is to help bridge that gap in understanding, setting the scene around what the purpose of this domain is and what it's trying to achieve, or what we are trying to get out of it. And so, to give you an example, when we're looking at the concept of trustworthiness, SIG states, among other areas, the ability to create standards to encourage the creation of development methods that emphasize this concept of trustworthiness. So what are we talking about with trustworthiness? We're looking at the accuracy and safety of that AI system, the level of security of the system and data,
and information resilience, and what level of accountability and transparency in terms of what it's going to do with the data, how it's going to process and access the data; privacy protection and fairness, so that if a system's going out in the public domain, for example, if it's a system that's going to be used to make decisions and there'll be actions and consequences as a result of those decisions, there are steps throughout the process, whether it's through the design, the risk assessment and the testing, to make sure that bias is removed as far as practically possible, particularly anything that could be considered harmful bias. So SIG, as well as establishing key questions and alignment to areas such as the AI RMF standard, then starts to extract further information to help companies make those decisions around what we are trying to get out of these domains and these domain questions. And certainly having clear objectives, control statements and even risk statements, in terms of what the risk is if this were to occur or for not implementing this control, starts to make it a lot clearer, particularly when we're making a decision around whether these controls are important to us and whether these are the sort of controls or control groups that we want to assess our third parties against. So what are the core concerns that section R, AI, can address within the SIG? Certainly by having greater visibility of the type of risks and how risk assessments are being performed on AI systems, we can start to gain information around how a third party is addressing privacy, reliability and accuracy of the data and how the data is being processed. What resiliency, security and safety measures are being implemented?
Thomas: And particularly thinking about development and testing and thinking about the traditional development life cycle models: how are they building these controls and criteria into the development process, and hopefully addressing and making visible the level of fairness with which the AI system is going to be used, how it's going to be utilized and what it's going to be doing with that information and data. Because of course, when we're thinking about what type of risk we should be concerned about when we're looking at AI, there are a lot of different risks, but certainly some of the areas that are more pertinent at this stage are, obviously, security vulnerabilities in the AI application itself. So if there's a lack of governance, if there's a lack of clear safeguards in place, is it going to mean greater exposure to system and even data compromise, for example? Is a lack of transparency in the methodologies that are being used to measure and understand AI risk when the system is being developed, and deficiencies in those measurements and reporting, going to increase the impact of potential AI risks not being appropriately identified, addressed, captured and managed through the use of safety, security and privacy controls and other governance-based controls as well? And then thinking about AI security policy specifically: is there inconsistency with other risk management procedures? So we're talking here about identifying and reviewing AI risk, as I said, but looking back at the original slides around the topics, we can see that there's enterprise risk within the SIG as well. So there are already control areas that touch on wider-ranging organizational and operational risk and risk management practices. So what are we doing about artificial intelligence?
Thomas: Is it isolated, or are we bringing it to the fore as part of wider enterprise risk, so it perhaps has greater visibility across top management, for example? And on the right, as you can see, following the same vein as the NIST AI RMF and the way the controls have been developed in SIG, we can see those three cornerstones of governing, mapping and measuring risk. There is a fourth one you can see there around managing: so risks are prioritized and acted upon based on projected impact. And this is where, when we look at how to implement or utilize those section R criteria when engaging with third parties, we then need to think about that whole management piece of how we manage the risk remediation, the risk mitigation and risk treatment where risks around those are picked up or captured. Secondly is section S, or supply chain risk management. You may have noticed earlier that we already have another area that captures elements of external parties, in section B, called nth party management. But there are key differentiators between them both. Certainly when you look at section B around nth party, the focus is more around the third party management component and requirements, whether it's setting controls and criteria from a contractual and agreement perspective, or access by third parties to scoped systems and scoped data. Following a similar pattern to the NIST 800-161 standard, section S looks at the wider supply chain framework and how we deal with and consider risk associated with the supply chain and with cyber security risk management. So, as I say, 800-161 has been mapped in quite a lot of depth to section S. And one of the benefits here, of course, is it now allows organizations to apply supply chain-specific requirements to security and privacy controls.
Thomas: If anyone's not as familiar with 800-161, the focus there has been on looking at the full end to end, from A to Z, of supply chain risk management. Apologies for the intrusion there. And so it can be used to assess how third parties have established and considered risk management across the wider supply chain. It covers a lot of detailed areas, including policy, governance and security practices; some technical components around how we consider the supply chain when we're looking at access control management and the restriction of access, so if there are suppliers down the wider supply chain that will interact in any capacity with our data, our information or information systems, what controls do we need to apply from an access management perspective; incident management and response; contingency and resiliency planning as well, and how we extend this to the wider supply chain group of organizations; and even maintenance of systems and networks, personal data and data privacy controls, and key roles and responsibilities. So the new section S in the SIG covers quite a lot of detail, whether it's from a policy perspective, a technical perspective or a wider governance perspective, particularly, as I say, around incident and business resiliency management, as well as the additional areas that may or may not be appropriate depending on the nature of what a supplier is doing, so the likes of secure software development and the wider software development life cycle as well. So a brand new area focusing very much on the wider supply chain management process, but again, not too dissimilar to the AI control piece, leveraging a best practice framework, in this case 800-161, to give that viewpoint on wider compliance in managing suppliers and the supply chain.
Thomas: Where this is particularly useful is that when you look at the likes of NIST 800-161, it will take known controls and best practice controls from the likes of 800-53, the information security standard, and say: how do you apply a supply chain slant on these types of controls? And so we can see a wider focus on not just whether you are managing your suppliers effectively through contracts and contractual agreements, but, where there's a need for those technical controls, how they are being managed, assessed, recorded and documented. Lastly, as you can see at the bottom of the screen, I've identified control attributes specifically that are applied in section S, the SCRM component. So: policy, standards and procedures; access control; training; roles; SDLC; business resiliency; and incident management. And this neatly leads on to the next topic, which is covering these changes to control attributes, control standards and control mappings, and in some cases changing domain names. And why I've particularly called these nine or ten attributes out is that it gives an indication of just how wide-reaching the supply chain control family is. So let's have a look a bit more at the concept of these control attributes, standard mappings and domain names. As I say, there's significant focus on controls, control families and control attributes. So what do we mean by these control families and attributes? As you can see on the first blue table, we have identity and access management, which is designated as a control family, which is grouping controls together under a common theme. And what's interesting here, as we can see, is this is covered under seven individual sections of the SIG, from section D, asset and information management, all the way to S, supply chain risk management.
Thomas: So what this means is controls and questions within each of these seven areas will have a control family titled identity and access management. Alongside this, we then have attributes, and I particularly picked out policy, standards and procedures. And so the attributes offer a more granular, nuanced view of controls and control families. And this is where it can get quite interesting in terms of how you apply this from a third party risk perspective, particularly when identifying mandatory controls and mandatory control areas. And so again, as we can see, policy, standards and procedures, which is listed under identity and access management, is referenced across five separate sections, from section D of the SIG all the way through to section S. And so what this does is it allows us to have, say, tighter or more narrow views on areas that may be mission-critical to us as an organization. So, for example, if data security and data access management are considered critical or of concern to you as an organization, by being able to map those particular attributes to separate questions, when we have an assessment of a third party against SIG Core or SIG Lite and risks come through, we can then start to look at compliance and compliance ratings. So what level of compliance is met against policy and standards, or data security, or multi-factor authentication? So it allows us to have some very good viewpoints, whether it's on an individual third party basis or across a broad range of third parties. Are there trends we're seeing based on particular control attributes or control families that may be giving us cause for concern? On top of this, I did mention the increased standards mapping, particularly around cyber and third party management. So in the pink shade, we can see eight separate and new standards that have been mapped into SIG 24.
So CMMC 2.0; the Supply Chain Act, which is the German supply chain act, which is focused more from an environmental and ESG perspective; the interagency guidance on third-party relationships, focusing more around the banking sector; CIS, Center for Internet Security, version 8; as we've mentioned, 800-161 around the supply chain risk management process; and the AI Risk Management Framework. And the NYDFS guidelines, or new guidelines, focused again around climate guidance. So what this means in practice is there'll be some areas, such as the NYDFS and the AI RMF, that will be focused on particular aspects of the SIG only, most notably around ESG and AI risk, for example. And there'll be others, such as CIS version 8, that will naturally be spread out across multiple of the full 21 sections, because the controls that CIS, for example, covers, or the controls that CMMC covers, are spread across multiple different topics. We can also see three standards that already existed in the SIG but have been updated, again to reflect the updates that the respective standards bodies have made. So for ISO 27002, the 2022 version, which is the implementation of the Annex A controls; 27001, the certifiable standard; and PCI DSS, the payment card standard, which was upgraded to version 4, I believe, just a little over a year ago now.

Thomas: So a lot of different standards mappings, and this expands everything that was already in place to begin with, so the likes of 800-53 for NIST, for example, or CAIQ for cloud and cloud security standards as well.
So if you think about all those different aspects, some of the new topics, and certainly thinking about the differences between a SIG Lite and a SIG Core, where SIG Lite takes a smaller snapshot of the controls and SIG Core is more in-depth, in some cases with much greater depth in terms of where the controls go, the SIG framework can help organizations when developing that approach to assessing third parties. So if you think about your standard process of saying, well, what assessments do we use? Are they fit for purpose? We need to start making sure we've got the right assessment to fit the right type of organization, whether it's multinationals or small organizations, whether it's profiled as a tiered organization, a tier one vendor, tier two or tier three, or high, medium, low, whatever the case may be. Then that process of how do we engage the third party to get them to complete a SIG assessment, and making sure when risks come back we know what to do with them, and then we can report back on the results to executive management, to the board and to other interested parties. So certainly thinking of the first two areas, around assessment identification and profiling and tiering, this is where the use of the SIG Lite and SIG Core comes in and is quite important at this early stage. So if you're thinking about the complexity and type of third parties that we're dealing with, what is going to be more appropriate to us, a Core or a Lite assessment? It may be that given the criticality of what a third party is providing, or the size and the complexity of the organization, or the fact that it's listed as a tier one third party, a SIG Core assessment is more relevant. It's a significantly larger assessment, but it will give a lot more detail and understanding around timely and critical topics.
Thomas: It may be, on the other angle, that an organization has a much smaller footprint in terms of the product and service provision to the organization. It might be a lower tier; it might be physically smaller, a very small organization, and so a Lite may be a more appropriate use case for that type of organization. So the fact that the SIG gives those good capabilities to have both parts of the puzzle, so to speak, the very in-depth and complex assessment and the light-touch assessment that still touches on those 21 critical control areas or control families, can help to make it much easier in making that decision around which assessment is fit for purpose. It's important to note as well, before we go on in terms of the Lite and the Core, that I've been talking about the fact that there are 21 individual control areas, and again the library is set up such that there's not always going to be a need to access all 21 areas. In some cases there will be, but given that each area is isolated, so to speak, or captured in a single domain, it does make it much easier, particularly when you're looking at that profiling and tiering, to say, well, AI is not as necessary for us in this component, or, given what the third parties are doing, maybe ESG is not as critical at this point in time and we'll only focus on the cyber security and compliance elements, for example; or AI is mission critical based on what our third parties are doing, and so that automatically becomes one of the critical areas that we want to assess our third party against. And then, thinking back to the control families and the control attributes, we've decided that we're going to use a Lite or a Core, or we may use a combination of both if appropriate. What control families are critical to us? What do we need to pay attention to?
Technically, we're looking at the tail end of the risk management component and working out the risks that are coming back: how do they impact us as an organization?

Thomas: If you've identified those mandatory control areas, maybe there are attributes around data security, the use of multifactor authentication, for example, resiliency and contingency requirements. And we may want to call those out both within the assessment as part of assessment identification, but also internally, so that if or when those risks do occur, we know that we need to spend more time focusing on the remediation process with the vendor, or we need to be asking the vendor to complete certain actions outside of that so that we can address those risks appropriately. And of course there's always going to be a dotted line back to the final level of reporting, in terms of assessing those third-party assessment results. And again, using those control domains, families and control attributes can then make it easier, particularly when trying to sum up and look at the overall compliance picture based on those SIG requirements and SIG control points. The SIG framework enables organizations to assess third parties against structured assessments or to tailor each assessment based on control domains, families and attributes. So again, thinking about having those control domains providing visibility on security, privacy, business systems and practices: what's important to you as an organization? Do we need to send shortened surveys or wider surveys based on the control domains that are important to us? And again, that flexibility of taking a domain in isolation or taking a wide variety of domains, so from section A through to section V around cloud security, for example, should really help to set that scene and make sure we're asking the right questions on the right topics to our third parties.
That flexibility and that depth of review, based on whether it's a full or a Lite assessment, is quite critical as well. The worst thing is providing assessments to a third party that then become irrelevant because the controls haven't been identified or reviewed properly, or it's too much, particularly given the size and complexity of the organization.

Thomas: For example, providing an organization consisting of two or three personnel, who have very minimal hardware and infrastructure, with a survey of several hundred questions may be over the top, whereas a more Lite-based assessment, where you're still touching on all the high-level topics across continuity, asset management and incident response, may be far more appropriate. So that flexibility and that depth of review is critical, and that ability the SIG has to tailor that depth based on individual, modularized if you will, domain areas helps that identification of the critical control areas. So having that, think about ESG, and particularly now around supply chain and AI: what does it mean to us, and particularly what does it mean to our industry and sector? As we've seen, there are more sector-specific standards mappings coming into place within the SIG, on top of international or national standards such as ISO and NIST. But it may be that you're in an industry and sector where these topics are coming to the fore, are becoming hot topics of discussion.
We know, for example, looking at the financial sector and the financial industry, both in the UK, in Canada, in the United States and in other geographies as well, that the concepts around due diligence, around supply chain risk management, around outsourcing are picking up pace, and there are more guidelines and more requirements coming out from different regulators around how organizations apply that due diligence. So in some cases it may be that, to demonstrate through the industry that best practices are in place, there is a need to use, for example, section S, supply chain risk management, that's going to provide you that good overview and that good level of due diligence, so that when you're engaging with the industry or sector leaders or regulators you can say we've done our due diligence against our wider supply chain, and again linking it back to known standards as well, such as 800-161.

Thomas: So there's a lot of consideration about how you can use all aspects, or different aspects, or isolated aspects of the SIG, whether it's large or small, whether it's individual control or domain areas, or whether it's individual attributes that are important to you as an organization or a sector. This should then make for a much more value-adding assessment, particularly when you can then start to demonstrate that mandatory control areas have good rates of compliance, and, where there are low rates of compliance based on the third-party engagement and the third-party assessment results, that you know you're in the right area in terms of targeting remediation activities. So if we take a wider view, then, what areas should we be focusing on right now? For those companies who already use the SIG and have been using it for many years, there'll be a lot of familiarity with the 2024 version.
So quickly reviewing the Lite and the Core frameworks, looking at what those changes are, those section Rs, those section Ss, taking a look at how domain objectives and new control attributes can be shaped and how they can be joined together, helping to establish those critical control domains and mandatory requirements, and looking at the standards mapping as well, thinking about some of the new standards that are in place. So, for example, if you're using ISO 27001, or you've been using it for many years, obviously it's very timely and very welcome that there now are good and very clear mappings to the 2022 requirements. So if you're on 2022 for that standard, for example, then it makes it a lot easier to quickly pinpoint all the controls within the SIG, whether it's Core or Lite, that have been mapped to that particular standard. So identifying which standards, if any, are important to you, which again will help that mapping of what questions we want to ask of our third parties, and then finally identifying where any new control areas may be considered high priority or critical domains.

Thomas: So again, from a regulatory perspective, if supply chain is top of mind or top of key discussions at the moment, again it makes sense to start looking at those sections and to see what type of questions there are and how we can apply them to our third parties, and then finally, obviously, that engagement of the third parties as well. So once we've decided on the Lite and the Core, maybe based on the level of profiling and tiering, now we start to assess those third parties. It may be that we need both, that based on the tier we use some Lite, we use some Core, we use a blended approach. But again, through the establishment of those control domains and mandatory requirements, we can start to execute those plans to address risks through mitigation and remediation.
And then finally, that continual review of the SIG framework. Although, as I say, there's an annual review where the SIG is updated, obviously in between there may always be a chance to review and say, these are the assessments that we've used now: do they still fit the bill, or, after our use of the Lite, do we need to progress to more of the Core aspects because it's giving us a far greater level of depth in terms of critical control areas or control domains that are important to us as a business? Before we move on to Q&A, I believe my colleague Matthew has a few slides. Matthew.

Matt: Yes, thank you, Thomas. Give me one very quick second here.

Matt: All right. So, as Thomas was talking about, one of the things that we're working on here at Prevalent is helping you get ahead of third-party risk in a connected world. And I apologize for these slides. Now, these are the things, really, in terms of third-party risk management, that we at Prevalent tend to see from customers. They want the data that they need to make better decisions, they want to increase team efficiency and break down silos, and they want to evolve and scale their program. These are the things that we tend to hear a lot. Now, this is really what we focus on here at Prevalent: it's helping you do those things, but it's also these few phases in this really life-cycle approach to third-party risk management, from sourcing and selection all the way over to offboarding and termination. This is really where we look at, where we approach, what our product helps to do. These are all the risk areas that we approach, from cyber security through business and operational all the way down to compliance risks and ESG. And this is kind of how we automate and accelerate your programs.
We have really a three-part program, or product, of people, data and platform. We have a managed services team, the Risk Operations Center, the ROC, who do a lot of really good work. We've got your third-party risk intelligence. We do integrate the SIG into our platform as well. I'm not sure on the timing of when the SIG 2024 updates will be in the platform, but they will go into our platform. And this, lastly, is where we are right now. These are the resources that you can get for the SIG: the SIG 2024 key updates and considerations. We've got some items here as well. This is the blog about SIG 2024, and the blog on the site about the Standard Information Gathering questionnaire more generally. So it's an update blog post, and it's also a blog post explaining the assessments more generally. So that is my product spiel, and now I will switch it back over to Ashley for moderating Q&A.

Ashley: Thanks, Matt. You might have noticed I went ahead and launched our second poll so we can follow up with you regarding any initiatives or projects that you may have. We're just curious to see if you're looking to establish or augment a TPRM program within the year. And please be honest, because we do follow up with you. But we've got a couple of minutes left on the clock, so let's go ahead and get through some of these questions.

Thomas: Some interesting questions, actually. There's...

Ashley: Yeah. I can answer.

Thomas: Yeah. So there's a few that have come in. Thank you very much to anyone who's asked a question. So, very quickly: how many questions are there in the 2024 Core and Lite? Core on its own is 620 questions, and Lite is 125. So that's a total of 745, if my math is correct, if you were to combine both SIG Core and SIG Lite in their entirety. As I say, the key difference is that Lite takes all of the same 21 domain areas but applies a much more light touch.
What that means in practice is, for example, where the Core may go to the nth degree in terms of business impact assessments and continuity management plans, Lite will only touch on those pertinent aspects: do you have a continuity plan in place? Is it tested, for example? Do you have key roles? How widely adopted is the use of the SIG in the context of Europe versus the USA? So yes, it's an interesting point. In terms of when you look across the standards and the standards mappings, there are quite a few standards that have been mapped specifically to US-based regulators or federal agencies or institutions. But equally, there are a lot that are increasing not just in the US but globally as well, particularly with the likes of ESG; as I mentioned, the German supply chain act, or requirements, is very much focused around ESG. I'd say generally there's wider adoption in the US, but that's not to say it's only US-centric. There are a lot of organizations globally that are making use of the SIG, particularly again given that the level of standards mapping is incorporating so many internationally recognized standards, and the topics as well are of use regardless of geography, regardless of location.

Thomas: How are we doing on the clock, Ashley? Are we good for...

Ashley: Why don't we go ahead and answer one more question. I know we're coming up on time here.

Thomas: Okay. What would you recommend: when to use the SIG or the CAIQ? So, as I said, a good question. The CAIQ is a cloud management standard for cloud organizations, cloud hosting organizations.
So the SIG does give a lot of depth, particularly in the Core, relating to managing and securing tenant data, and controls focused around securing data through backup, through testing and through threat management as well, particularly when you engage with a cloud provider. Certainly the CAIQ will go into a lot more detail and depth in terms of minimum requirements if you're a cloud-hosted provider, for example, for infrastructure or software as a service. So I guess it depends on which side of the coin you are on. For many companies, if you're making use of a cloud provider such as Amazon or Dropbox or a similar cloud solution, the SIG generally will give you a lot more depth across a broader range of topics than the CAIQ would give. So it really depends on, I guess, which side of the coin you're on.

Ashley: Excellent. Well, thank you, Thomas, Matt, and everyone for all of your questions. They both gave us some great information to take in today, and I hope to see all of you either in your inbox or at a future Prevalent webinar. Cheers, everyone, and have a great rest of your week.

Matt: Thanks, all.

©2025 Mitratech, Inc. All rights reserved.