Hello CISSP folks,
This topic is related to vendor/external service provider security. I was wondering if anyone has expertise in this area and could help me, as I am having trouble finding an accurate answer on the web about it. It seems like the "industry-recognized" best vendor security risk assessment questionnaire is the "Standardized Information Gathering" questionnaire (SIG). Although it seems really good, I was wondering if anyone has worked with it before and could tell me which company invented it and maintains it. Is it proprietary or open source? (I think it is paid, so it should be proprietary.) Additionally, is it "recognized" by any official entities or authorities? Overall, a little more history/information about it would be really appreciated if anyone knows. Thank you in advance.
I believe the SIG was originally developed under BITS, which is now called the Financial Services Roundtable. http://www.fsroundtable.org/category/bits/
It is now its own project managed by the Santa Fe Group under the Shared Assessment working group.
If you look at the members list for the Shared Assessments group, it is primarily financial organizations, which has helped drive the development of the SIG and the other assessment and vendor management programs.
It used to be free back in the day but they are charging for these resources now.
As for the actual use of it: if you don't have any kind of vendor risk program, it can act as a good starting point, but conversely, if you aren't that mature, the level of questions they ask probably isn't that relevant to your organization. I used it in the past when we first started, but I found it more productive just to look at our own policies and controls and build a questionnaire against those. The thought process is that your vendors should be as secure as your own organization, so assessing them to a degree of maturity you have not reached yet will just cause you extra work while driving little value. As you continue to refine and build your internal controls, update your questionnaire to keep the bar at the same level for your vendors. This has also helped us with level setting, in that typically within the contracts we have with our clients we are obligated to ensure our vendors protect the data to at least the level we would protect it ourselves, so assessing them against your own controls makes it easier to maintain parity.
Thank you for your answers, guys. I was trying to find out exactly what Clayjk listed: a bit of history and info around the SIG. Gosh, I love this community 🙂 Thank you both.