The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains.
Who created the SIG questionnaire?
The SIG questionnaire was created by Shared Assessments. Shared Assessments provides best practices, solutions, and tools for third-party risk management teams to create an environment of assurance for outsourcers and their vendors.
Shared Assessments' foundation is in regulatory and compliance-driven financial services but has grown to include the increasing number of industries that treat good vendor risk management as standard operating practice, such as HIPAA-regulated entities.
Why was the SIG questionnaire created?
As the Santa Fe Group CEO and Chairman Catherine A. Allen said, "it’s increasingly understood that third party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization’s reputation, the best practices for effective third party risk management are certainly less well understood."
When doing business with third parties, it's not safe to assume that you are dealing solely with the party under contract.
Just as your organization may outsource to a service provider or external provider, your vendors likely do too. So whether you know it or not, you are relying on your vendors, and increasingly on their vendors, to use sound security controls.
This means you should apply the same standardized information gathering process to all parties.
The SIG questionnaire aims to provide standardized resources for managing the complete third-party relationship lifecycle.
Standardization is critical for advancing effective, secure third-party controls and risk assessments. The Shared Assessments Program created a suite of third-party risk management tools that aim to create efficiencies and lower costs while maintaining compliance with regulations, industry standards and guidelines across information technology environments.
What are the types of SIG questionnaires?
There are three types of SIG questionnaire:
- SIG questionnaire: The SIG assessment evaluates vendors based on 18 individual risk controls, which together determine how security risks are managed across the vendor's environment.
- SIG LITE: The full SIG questionnaire is extensive, targeting multiple risk areas across multiple disciplines. For vendors with lower inherent risk that don't require the entire SIG assessment, SIG LITE can be valuable. It takes the high-level concepts and questions from the larger SIG assessment and distills them down to a few questions.
- SIG CORE: SIG CORE is a library of questions that security teams can pick and choose from, including extensive questions about GDPR and other specific compliance regulations.
How can the SIG questionnaire be used?
The SIG questionnaire can be used in a handful of ways, depending on your organization's needs and the type of vendor you are assessing, including:
- To evaluate a service provider's information security controls.
- Completed by third-party vendors and used proactively as part of due diligence or a request for proposal (RFP) response.
- Completed by a service provider and sent to their clients instead of completing one or multiple third-party risk assessments.
- Used by an organization as part of the self-assessment process.
How often is the SIG questionnaire updated?
The SIG questionnaire is updated on a yearly basis to comply with new industry standards and to account for changes in the cybersecurity landscape.
The 2020 Shared Assessments Third-Party Risk Management Toolkit was released on November 20, 2019 to enable organizations around the world to meet new and evolving regulatory compliance demands, and address evolving physical and cyber risk.
New for 2020 are expanded third-party privacy tools for GDPR and the California Consumer Privacy Act (CCPA), and new operational risk content on emerging and expanding third-party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.
New usability features and expanded operational content include:
- Expanded operational/enterprise risk: Content for the comprehensive but customizable question library addresses corporate governance functions of anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain. Enterprise risk governance, information security risk, and privacy data protection questions have expanded based on new regulations, including CCPA and GDPR.
- Risk and regulatory compliance content: New content across tools helps risk professionals close regulatory compliance gaps in third-party relationships.
- Data governance: Privacy regulations such as PIPEDA, CCPA, FIPA, The SHIELD Act, and GDPR mandate that organizations diligently track data collected by or disclosed to third-parties, how that data is used, and where it is accessed. The enhancements assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships, including fourth-party management.
- Service provider configuration and response management: New agility in the Standardized Information Gathering (SIG) Management Tool makes it easier for service providers to build, configure, and maintain multiple completed questionnaires, reducing the effort and complexity involved in responding to due diligence requests.
- External content automation: Shared Assessments members, outsourcers, and licensees can extract and integrate SIG content into their platforms via JSON.
How is the SIG questionnaire different from other vendor risk assessment questionnaires?
The SIG Management Tool is a Microsoft Excel workbook that allows assessors to draw from the bank of questions in the SIG Content Library to create customized questionnaire templates based on their needs.
Unlike other security questionnaires, such as HECVAT and the Vendor Security Alliance Questionnaire, the SIG questionnaire evaluates third-party vendors and service providers based on its own 18 individual risk control areas.
Other well-known, respected security questionnaires include:
- The National Institute of Standards and Technology (NIST) SP 800-171
- ISO 27001
- CIS Critical Security Controls
- The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
- The Vendor Security Alliance Questionnaire (VSAQ)
What is in the Standardized Information Gathering (SIG) Questionnaire Toolkit?
The components of the 2020 Standardized Information Gathering (SIG) Questionnaire Toolkit are:
- Third-party Privacy Tools: This set of tools was built from the demand driven by 2019's GDPR Privacy Tools, with an expanded scope to meet requirements for various privacy regulations and framework updates. These tools provide templates for pre-assessment scoping or readiness assessments that enable privacy-centric assessments, incorporating privacy controls and obligations based on specific jurisdictions.
- Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: SIG's VRMMM is one of the longest-running third-party risk maturity models. The 2020 VRMMM Benchmark Tools' improved maturity tracking and functionality lets managers set more granular maturity level ratings and deliver greater reporting clarity. VRMMM Benchmark Tools are free to use and available here.
- Standardized information gathering (SIG) Questionnaire Tools: The SIG employs a holistic set of questions based on industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency, and data security risk.
- Standardized Control Assessment (SCA) Procedure Tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors, providing the verification or attestation component of third-party risk programs.
Why you should consider using security ratings alongside the SIG questionnaire
The benefit of using security ratings alongside security questionnaires is that ratings are automatically generated, updated frequently, and provide a common language for technical and non-technical stakeholders.
The key thing to understand is that security ratings fill the large gap left by traditional risk assessment techniques like the SIG questionnaire. Sending questionnaires to every third party requires a lot of commitment and time, and the self-reported answers aren't always accurate.
Security ratings can complement and provide assurance of the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services.
UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that analyze trusted commercial and open-source threat feeds, together with non-intrusive data collection methods, to quantitatively evaluate cyber risk.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
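To make concrete what "externally verifiable" means for three of the vectors listed above (DMARC settings, HSTS, and secure cookie configuration), here is an added illustration written for this article; it is not UpGuard's rating code and does not reproduce how any rating is calculated. Each check reads a value that is observable from outside the vendor's network (a DNS TXT record, a response header) and returns a list of findings. The inputs are constructed samples, and the thresholds (for example an HSTS max-age of one year) are assumptions chosen for the illustration.

```python
"""Three externally verifiable control checks on constructed inputs.

Added illustration, not UpGuard's rating code. It shows why a DMARC record,
an HSTS header and cookie attributes can be assessed from the outside without
the vendor's cooperation. Thresholds below are assumptions, not a standard.
"""

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds, an assumed threshold


def parse_dmarc(txt_record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into tag -> value."""
    tags = {}
    for part in txt_record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_record: str) -> list:
    """Return findings for a DMARC record; an empty list means no issue found."""
    tags = parse_dmarc(txt_record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only monitored, not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    pct = tags.get("pct", "100")  # pct < 100 applies the policy to a sample only
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    return findings


def check_hsts(header_value) -> list:
    """Evaluate a Strict-Transport-Security header value; None means header absent."""
    if header_value is None:
        return ["no HSTS header: first request can be downgraded to HTTP"]
    directives = {}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def check_cookie(set_cookie: str) -> list:
    """Evaluate one Set-Cookie header value for Secure, HttpOnly and SameSite."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {}
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure: may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly: readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name} lacks SameSite=Lax or Strict")
    return findings


# Constructed sample inputs (example.com placeholder, not observed responses)
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_HSTS = "max-age=86400"
SAMPLE_COOKIE = "session=abc123; Path=/; HttpOnly"


def assess_samples() -> dict:
    """Run all three checks over the constructed samples, keyed by control."""
    return {
        "dmarc": check_dmarc(SAMPLE_DMARC),
        "hsts": check_hsts(SAMPLE_HSTS),
        "cookie": check_cookie(SAMPLE_COOKIE),
    }


if __name__ == "__main__":
    for control, findings in assess_samples().items():
        print(control, findings or ["ok"])
```

The value of this kind of check for a questionnaire program is that a vendor's answer to "do you enforce DMARC?" or "are session cookies marked Secure?" can be compared against what is actually published, which is the verification step a self-reported questionnaire lacks on its own.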
If you are curious about other security rating services, see our guide on SecurityScorecard vs BitSight here.
How UpGuard can help you automate security questionnaires
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your own information security controls, UpGuard BreachSight can monitor your organization across 70+ security controls, providing a simple, easy-to-understand cyber security rating, and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.