Part 3: Design an Assessment Process That Matches The Risk Level of Each Vendor

September 13, 2017

If your team is in the practice of sending out a questionnaire or survey to each vendor to assess the threat level they present to your organization, you have the right mindset of being proactive when it comes to third-party security. If your company hasn’t yet designed an assessment process in order to evaluate the security and processes for each of your vendors, then that’s the next critical step in order to help prevent cybersecurity attacks and security threats. In this post, we will walk you through the process of building the assessment and customizing the questionnaires to fit each vendor to ensure you’re asking the right questions (and aren’t wasting anyone’s time in the process).

Over the next several weeks, we’ll continue to address each of the 5 steps to raising awareness with your leadership team that we outlined in our latest ebook, “Why Third Party Security is Critically Important”. Today, we’ll address Part 3 of the series, “Design An Assessment Process That Matches The Risk Level of Each Vendor”. Did you miss Part 1 or 2? Check them both out on the Whistic blog.

The Importance of Third-Party Vendor Questionnaires

Most companies are aware of the impact that third-party vendors have on their security posture. While vendors add significant business value and are irreplaceable to an organization, the more vendors an organization has in its toolbag, the more risk these solutions present. Consider this alarming statistic: in 2016, the number of data breaches increased 40%, with the average U.S. data breach costing $7.1 million. On top of that, 63% of data breaches are linked to third parties in some way.

While your organization can’t govern the way your vendors do business or the way they protect the data that you entrust to them (customer information, PII, and even financial data), you can ask questions of them to ensure their protocols are up to your organization’s procedural standards. One way to understand how they treat sensitive customer data? Conduct third-party assessments that are prepared by your organization, but completed by each of your vendors (especially those that present the greatest risk).

It will be important for your Information Security and IT teams to collaborate on designing the assessments, but they must take caution in their approach and avoid a “one size fits all” process or questionnaire. Customizing the assessment process and its questionnaires, documentation requests and recurring assessment cadence to each vendor’s risk level not only benefits the vendor, but also spares you from sifting through irrelevant information produced by unnecessary due diligence.

For example, a vendor that supplies a plug-in for your contact center should not have to fill out the exact same questionnaire that is required of your data center vendor.

4 Steps to Conducting Effective Vendor Security Assessments

1. Match the Questionnaire to the Vendor’s Risk Level

In our last post, you learned how to categorize vendors based on risk. Your highest risk vendors are the best place to start when it comes to creating the questionnaire. First, determine what kind of information they have access to (customer records, employee data, financial information, all of the above?) and create the questions based on the type of risk that they present. Focus not on “what would I like to know about my vendors?” but rather on “what do I absolutely need to know in order to assess the risks posed by my vendors?”

Next, develop questions that are relevant to the types of risks they present to your organization. You might consider leveraging an existing standardized set of questions, such as:

2. Set a Deadline — and Stick to It

Setting a timeline for completion is a critical step both for your internal team and for the vendor completing the assessment. Your IT and Information Security teams have so much on their plates that security questionnaires for high risk vendors can often take a backseat. Your vendors likely don’t have a lot of capacity to complete questionnaires for each of their clients either, so unless you provide a strict deadline and stick to it diligently, it will likely take significantly longer to obtain the responses (if you obtain them at all).

3. Designate a Team to Review Responses

Once the questionnaire has been developed and sent to the vendor, the real work begins internally. For large enterprise organizations, it’s often unnecessary to have each member of the IT or Information Security team review the responses submitted by each vendor. Determine the members of your organization that should be involved and form a small, nimble team that can meet regularly to review and discuss the responses. These individuals should understand both the business impacts and the technical ramifications of each vendor’s questionnaire results and should be able to raise concerns or propose courses of action as appropriate.

4. Take Action Where Necessary

Last but certainly not least, the most important step is to take action on the results of the assessments. It does no good for either the vendor or your organization if the results sit without attention — and the more time that passes, the less relevant the responses are. If you have a dedicated team, ensure that they are empowered to take action on any red flags. Whether that means setting up a call with the vendor to discuss pertinent security issues, requiring an amendment to your agreement that includes an action plan, or even choosing to downgrade or limit service, the only way that the IT or Information Security team can truly do their job of protecting your organization from third-party security issues is through action.

Remember to Re-Assess Even Your Low Risk Vendors

While your team’s time should be focused on the highest risk vendors first, low risk vendors shouldn’t be forgotten or pushed off. Security postures and product use cases can change rapidly and your organization can’t afford to ignore hundreds of vendors under the assumption that they were reviewed once in the distant past. In order to prevent an issue with vendors that you’ve previously swept under the rug, be sure to set a time frame to re-assess these low risk vendors on a recurring basis, such as semi-annually.
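To make the risk-proportional process from steps 1 and 2 and the re-assessment cadence above concrete, here is an added example (not Whistic’s code) that derives a vendor’s tier from the data it can access, scopes the questionnaire sections and response deadline to that tier, and tells the review team when a response is overdue or a re-check is due. The data weights, section names and the deadline and cadence values are constructed assumptions, except the semi-annual re-check for low-risk vendors, which follows the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sensitivity weights for the kinds of data a vendor can access.
DATA_WEIGHTS = {"customer_records": 3, "pii": 3, "financial": 3,
                "employee_data": 2, "marketing_content": 1}

# Constructed per-tier policy: questionnaire sections, response deadline (days) and
# re-assessment cadence (days). Only the semi-annual low-risk cadence comes from the post.
TIER_POLICY = {
    "high": (["data_handling", "encryption", "access_control",
              "incident_response", "subprocessors"], 30, 90),
    "medium": (["data_handling", "access_control", "incident_response"], 45, 182),
    "low": (["data_handling"], 60, 182),
}

@dataclass
class Assessment:
    vendor: str
    tier: str
    sections: list
    due_on: date
    reassess_on: date
    responded_on: date = None  # set when the vendor returns the questionnaire

def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d

def tier_for(data_types):
    """One high-sensitivity data type is enough to put a vendor in the top tier."""
    weight = max((DATA_WEIGHTS.get(d, 1) for d in data_types), default=1)
    return "high" if weight >= 3 else "medium" if weight == 2 else "low"

def build_assessment(vendor, data_types, sent_on):
    """Scope the questionnaire and derive deadline and re-check date from the tier."""
    sent, tier = _as_date(sent_on), tier_for(data_types)
    sections, deadline_days, cadence_days = TIER_POLICY[tier]
    return Assessment(vendor, tier, list(sections),
                      sent + timedelta(days=deadline_days),
                      sent + timedelta(days=cadence_days))

def status(a, today):
    """What the review team sees today: pending, overdue, responded or reassess."""
    today = _as_date(today)
    if today >= a.reassess_on:
        return "reassess"
    if a.responded_on is not None:
        return "responded"
    return "overdue" if today > a.due_on else "pending"
```

Run over a vendor inventory, `status()` gives the review team the list of vendors to chase for responses and the low-risk vendors whose semi-annual re-check has come due.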

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist
