As organizations outsource more and more tasks and labor to save time and money, each additional vendor also introduces additional security risk. Relationships with third parties, unfortunately, increase vendor risk and the opportunities for supply chain attacks. This has created a need for broader awareness of how to manage that risk, which is why vendor risk management has become a trend and why vendor security questionnaires are increasingly used to help measure that risk.
Vendor security assessment questionnaires are an excellent way to get to know more about who your vendor is and to get an idea of their security posture. We’ve put together a guide to help you understand more about what a vendor security questionnaire is and how it is used to help you conduct risk assessments.
Why Use Security Questionnaires?
Vendor security questionnaires are designed to identify the vulnerabilities that vendors pose, analyze those vulnerabilities, mitigate them, and prevent data breaches. Ultimately the goal is to protect the enterprise organization that is hiring the vendor. Questionnaires give a deeper understanding of a vendor’s security posture by identifying the key controls it has in place, measured against best practices. A questionnaire can also determine whether or not a vendor’s risk management objectives align with the organization’s.
In his post on how to complete security questionnaires, Darren Gallop notes that such questionnaires are sent by organizations to their tech vendors to evaluate security policies and procedures. The most important point is that they “review the risks involved with using a company’s product or service.” They also ensure that a vendor measures up to regulatory compliance standards.
How Should You Start an Assessment?
To start, security questionnaires for risk assessment need to determine the type of risk that is posed by the vendor and rank vendors according to critical, high, medium, or low risk. When organizations establish a vendor inventory, they create a preliminary understanding of the types of risks vendors pose to their business by ranking and tiering said vendors. This inventory forms a comprehensive classification system of most of the potential vulnerabilities that might be encountered such as legal risk, reputation risk, or operational risk.
What Does an Assessment Questionnaire Look Like?
Most questionnaires are built up of anywhere from 50 to 400 questions about a vendor’s security policies and procedures relating to their physical and internal security. Some questions might ask about the physical security of their facility, while others might ask about the login procedures to their systems. Other questions consider what regulatory standards they are compliant with and what certifications they hold.
Many of the questions on a security assessment questionnaire are yes or no questions. One question, for example, might ask if the vendor has a recent SOC 2 report from an independent auditor. Another example of a question included on a security questionnaire might be “Do you have a removable media (flash drives/USB media) policy and controls to implement the policy?” A simple yes or no answer may not suffice here, however; it is good practice for organizations to request proof from their vendors, often in the form of policies, procedures, or other samples.
One Questionnaire to Rule Them All?
It is often a challenge to decide whether or not an organization should take a standard approach when sending questionnaires out to its vendors. Not all vendors are the same, and each vendor receives a different ranking or tier depending on what services it provides and what risk it poses to the organization. For this reason, many organizations choose to create unique questionnaires for each vendor. This does not always mean starting from scratch, as an organization may create a standard questionnaire that is easy to customize with additional questions depending on the type of vendor.
A hybrid approach to creating questionnaires may also save time, where a standardized questionnaire is developed depending on which rank the vendor falls under. For example, a rank 1 vendor, at critical risk, might be the vendor that handles sensitive payment card information for customers and a rank 4 vendor, at little to no risk, might be the vendor that supplies stationery to the office. The type of questionnaire presented to a rank 1 vendor would be significantly different and you might not even present a questionnaire at all to that particular rank 4 vendor.
What Should You Include in a High-Level Risk Questionnaire?
Your questionnaire should cover how vendors identify, analyze, and prioritize threats, as well as how threats are contained and dealt with if a breach occurs. It should examine the vendor’s own level of incident response, risk management, and disaster recovery in order to limit your organization’s liability in the face of a high-risk event or breach. How does your vendor handle data? Do they have a policy for data destruction once it is no longer in use, to limit the fallout should a breach occur?
3 Questionnaire Best Practices
- Get proof of your compliance and regulation checks: If you ask whether or not a vendor has a certain certification, request proof.
- Only ask what is necessary: Standardize your questions based on rank as discussed above. Leave out any question that isn’t applicable to save time for you and your vendor.
- Assess regularly: Don’t send out questionnaires only once. Assessment should be done as an ongoing feature of your vendor risk management program. Some organizations will send out a questionnaire once a year or once every six months, depending on the type of service the vendor offers and the risk they pose.
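The tiering, per-rank questionnaire templates, evidence requirement, and review cadence described above, pulled together in a small added example (constructed for this guide, not code from the original article or from any vendor-risk product). The inventory attributes, question identifiers, template contents and review intervals are assumptions chosen for illustration; a real program would carry 50 to 400 questions per template.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Standardized questionnaire per rank (hybrid approach): rank 1 = critical,
# rank 4 = little to no risk, which receives no questionnaire at all.
# Question identifiers are constructed placeholders for this example.
QUESTIONS_BY_RANK: Dict[int, List[str]] = {
    1: ["soc2_report", "removable_media_policy", "incident_response_plan", "data_destruction_policy"],
    2: ["soc2_report", "incident_response_plan", "data_destruction_policy"],
    3: ["incident_response_plan"],
    4: [],
}
# Assumed re-assessment cadence: every six months for critical vendors, yearly otherwise.
REVIEW_INTERVAL_DAYS: Dict[int, Optional[int]] = {1: 182, 2: 365, 3: 365, 4: None}


def rank_vendor(handles_sensitive_data: bool, system_access: bool, business_critical: bool) -> int:
    """Assign rank 1 (critical) .. 4 (negligible) from vendor inventory attributes."""
    if handles_sensitive_data:   # e.g. payment card data -> critical
        return 1
    if system_access:            # logs into our systems -> high
        return 2
    if business_critical:        # outage would hurt operations -> medium
        return 3
    return 4                     # e.g. stationery supplier -> no questionnaire


@dataclass
class Answer:
    value: bool
    evidence: Optional[str] = None  # policy document, SOC 2 report, sample procedure


def assess(rank: int, answers: Dict[str, Answer]) -> dict:
    """Evaluate responses; a 'yes' with no supporting evidence is unverified, not a pass."""
    questions = QUESTIONS_BY_RANK[rank]
    failed = [q for q in questions if q not in answers or not answers[q].value]
    unverified = [q for q in questions if q in answers and answers[q].value and not answers[q].evidence]
    return {"questions": len(questions), "failed": failed, "unverified": unverified,
            "passed": not failed and not unverified}


def next_review(rank: int, last_assessed_iso: str) -> Optional[str]:
    """Date (ISO string) of the next scheduled assessment, or None if the rank is never assessed."""
    interval = REVIEW_INTERVAL_DAYS[rank]
    if interval is None:
        return None
    return (date.fromisoformat(last_assessed_iso) + timedelta(days=interval)).isoformat()
```

A vendor that answers "yes" to the removable media question without attaching the policy shows up under "unverified", which is the cue to request proof rather than accept the answer.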