Phase 1: Initial Panic
Over the coming weeks, we'll dive into the key phases of responding to a security questionnaire.
Given the current state of cybersecurity and information security, odds are that you have been involved in responding to a security review, or more specifically in completing a security questionnaire at the request of one of your business partners. With the volume of vendor assessments Whistic sees across our SaaS platform, it's no understatement to say that we field many questions from vendors asking why they are being asked to complete a security questionnaire, followed by how to "do it right", and so forth.
It's evident that companies realize that in order to access another entity's data, protocols need to be in place to properly vet third parties and mitigate risk. Electronic Data Interchanges (EDIs) are proliferating, as is our dependence on the cloud. As a primer, examples of industry standard questionnaires include (in alphabetical order) acronyms like:
CAIQ & CAIQ-Lite: Consensus Assessments Initiative Questionnaires from the Cloud Security Alliance, or CSA for short.
CIS First 5 & CIS Top 20: Audit guideline versions from the Center for Internet Security.
GDPR & GDPR Processor Questionnaire: Questionnaires based on the General Data Protection Regulation.
HECVAT & HECVAT Lite: Higher Education Cloud Vendor Assessment Tool standards.
ISO: International Organization for Standardization framework of policies.
NIST: National Institute of Standards and Technology framework.
Frameworks designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration.
SIG, SIG Core, & SIG Lite: Standardized Information Gathering Questionnaires from the Shared Assessments Program.
Vendor Security Alliance Questionnaire from the VSA, a coalition of top technology companies committed to improving internet security.
Whether you're working through your first questionnaire, or it's been a while since you've completed one, it's important to approach this process with optimism and a level head. Nobody wants to explain to their manager that a potential deal or partnership was lost because the company could not comply with, or respond appropriately to, a security review, yet this is a painful reality some must endure.
It's quite possible your business doesn't have a robust information security team, and this is fine: multiple departments should be involved in completing a security audit, and there are resources available to help step you through the process. Below are a few quick reference articles to provide further insight and context for the uninitiated or those who need a refresher:
It's important to assign the appropriate priority and timeliness when populating and returning your security questionnaire to the requestor. Doing so expedites the flow of data necessary to conduct business and, equally important, presents your security posture as one that fosters trust moving forward.
Since panic and stress typically don't help get things done, Whistic recommends maintaining an air of calm upon receipt of a security compliance request, which allows you to start getting organized in an efficient manner.
If you’re the type of person that eats their dessert first, or doesn’t like waiting (absolutely nothing wrong with either in our opinion by the way), feel free to download the Ebook here.
Schedule A Whistic Platform Demo To See How You Can Setup Your Own Security Profile