I have been on the receiving end of many vendor security assessments from customers and prospects. Here are some tips to increase the likelihood that you’ll get a timely, usable response to the next vendor security assessment that you send out.
Understand what data you will be providing
One size doesn’t fit all. The level of attention and resources appropriate to a vendor security assessment will vary based on the nature and extent of the data and networks that the vendor will (or may) have access to. Determine the nature of the data (e.g. financial, health or other protected personal data, EU-origin personal data, other regulated data, sensitive intellectual property or business data, etc.), the source of the data (from which countries is the data originating) and which internal systems the vendor will have access to.
Understand which products and services you are interested in
You are more likely to receive a timely, usable response if both you and the vendor understand the products and services that the vendor will be providing. For example, a vendor may offer both hosted services and on-premise license software. The vendor may offer various geographically-specific or market-specific product and services. If you let the vendor know which services, products and options you’re interested in, the vendor can more quickly provide the relevant information. If you ask for an assessment applicable to all products and services worldwide, you’re much less likely to get a timely, specific, usable response. A phone call to the sales or account rep at the vendor may save both you and the vendor significant assessment time.
Fit the questions to the risks
There are a number of pre-made or customizable vendor security questionnaires available, such as:
- Consensus Assessments Initiative Questionnaire (CAIQ) offered by the Cloud Security Alliance
- Standardized Information Gathering (SIG) questionnaire sold by Shared Assessments
- Vendor Security Alliance questionnaire
If you send a 15-tab SIG questionnaire with over a thousand questions with no indication of which products or services the questionnaire relates to, the poor schmuck at the vendor whose job it is to respond will likely (a) put the request at the bottom of the pile, (b) provide ambiguous answers (e.g. “It depends on which product/service you use”) and/or (c) make assumptions as to applicable product and services in order to minimize their work.
Once you understand the nature of the data (or access) that you will provide to the vendor and the products or services that the vendor will provide, the core assessment areas are:
- Where will the vendor (and any subprocessors) process and/or store the data?
- How will the vendor (and any subprocessors) protect the data, in transit, in use and at rest?
- How mature and robust is the vendor’s (and subprocessors’) ability to identify, respond to and notify you of a security incident affecting your data/systems?
- How long will the vendor (and any subprocessors) retain the data?
If this vendor is critical to your business operations, you will also need to understand:
- What steps does the vendor (and any subprocessors) take to ensure resilience and business continuity in event of external disruptive events?
Many of these areas may be addressed in third-party reports and certifications that the vendor already has, such as a SOC 2 Type 2 report, PCI DSS Attestation of Compliance, ISO 27001 certification, FedRAMP certification or other independent standards-based audits or assessments. (The vendor may require a nondisclosure agreement before providing the report or audit results.)
If you are not getting timely (or usable) responses to the vendor security questionnaire that you’re sending out, take a good look at the questionnaire from the recipient’s perspective. Are the questions clear and unambiguous? Are the questions directly relevant to the data/access that you’re providing to the vendor and the services/products that the vendor is providing? Can you use a simpler initial screening questionnaire and then follow-up if there are specific areas that need further investigation?
Should you still use a vendor that doesn’t respond to a reasonably-tailored (e.g. fewer than 200 initial questions) security assessment questionnaire or doesn’t provide any external standards-based security certification for a hosted service? Ask yourself (or ask the person who will have to sign off on accepting the risk) how they will respond after the vendor shows up in a data breach report to the question, “It was your job to assess vendor security; how could you have signed off on this vendor?”
What’s next for Vendor security assessment
Vendor security assessment isn’t “one and done.” How often you reassess the vendor will depend on the sensitivity of the data/access that the vendor has and on your initial risk assessment. When you do the reassessment, in addition to asking any new questions that are applicable to the data/access and the vendor’s products or services, provide a copy of the vendor’s previous answers and ask the vendor to identify any changes.
With the growing focus on vendor security assessments, many vendors are implementing automated tools to manage the questionnaire response process such as RFPIO, Loopio and Qvidian. If your questionnaire is structurally simple, it can be managed more quickly in an automated system. “Structurally simple” means limiting a question to a single topic, avoiding nested questions and providing the questionnaire in Excel or Word, if possible.
These tips should increase the likelihood that you’ll get a timely, usable response to the next vendor security assessment.