For many InfoSec teams, security assessment questionnaires are sometimes just as helpful as they are a hindrance. While assessment questionnaires are meant to help, groups compare areas of risk and opportunity, sorting through and compiling assessment responses can sometimes be a full-time job, one that InfoSec team members are expected to complete as an afterthought.
Using a custom assessment questionnaire
While there are plenty of trusted industry security assessments on the market, many modern SaaS organizations find that a canned questionnaire cannot keep up with the unique security controls that may be in place. In addition, SaaS vendors are becoming so varied in scope that answers to these questions don’t always fit into a pre-defined box, which leads to even more manual data segmentation. Today’s leading SaaS organizations turn to custom or semi-custom assessments that ask the questions they want — and need — to know to do business. Setting up a scalable, repeatable assessment questionnaire can also help automate the response gathering process, making it easier to understand immediately if a vendor is a viable prospect for your organization.
Read the 2021 State of Vendor Security report
In our 2021 report on vendor security, we highlight the current state of vendor risk management, identify trends we’re seeing in the industry, and provide recommendations on how to improve the process for buyers, sellers, and other key stakeholders.
Here are some areas of focus you should keep in mind when building your assessment questionnaire questions: 1. Current data security risk controls: This should be at the core of your assessment questionnaire. How is the vendor currently managing data privacy and security risk? What controls are in place? Here is where you can uncover all of this foundational data to drive your response down the road. 2. Similar partnerships already in place: One question you should ask right out of the gate is around other similar vendor partnerships already in place. If you’re a healthcare organization looking to partner with a vendor with multiple healthcare partners, you can be more confident in their HIPAA and targeted privacy safeguards. However, if you are their first healthcare vendor partner, it could be a learning curve to ensure your data is protected. 3. Hardware or data requirements: Will your team have to change or update any data safeguards to enter into a partnership? A security assessment questionnaire should outline precisely what has to happen. Adding in new hardware or data rules could be a lot of work. 4. Internal risk education programs: A majority of data issues are, unfortunately, caused by manual error or a lapse in internal security processes. Your vendors must be incredibly diligent with how they educate and talk about data security internally. On your assessment questionnaire, don’t be shy about asking how many people within an organization are certified for something like HIPAA or GDPR.
Whether you’re looking for a canned security assessment questionnaire or building your own to be more flexible, asking the right questions can be instrumental in finding and signing new vendor partners.