Business requires trust, but knowing whether your vendors merit that trust is difficult. With the rise of information technology, the ways in which trust can be broken, intentionally or unintentionally, have multiplied and become more complex. Vendor risk assessment questionnaires are one method for verifying that third parties follow good information security practices so your business can weigh the risk of entrusting them with your data.
This article outlines the process for creating good vendor assessment questionnaires and shows examples of how other organizations have done so. Vendor questionnaires are notoriously annoying to administer. Good planning is critical to ensure that you ask the right questions, and in such a way that creates the most value for your investment.
The types of data that your business generates and the types of services it consumes are key considerations for minimizing damage from third parties: Identifiable customer information, especially credit card details and SSNs can be used by malicious actors for identity theft and fraud; medical records are worth even more than credit cards on the darknet; proprietary business data like financials, blueprints, code, and strategy/messaging documents give competitors an upper hand when exposed; and usage details and other psychographic data can help attackers target people by providing information for more focused phishing attempts.
If your business uses cloud apps, understanding data transmission and storage methods will be among your top concerns. If your IT solutions are primarily used on premises, where storage is under your control, you will likely want to ask more questions about the software development lifecycle to understand the likelihood of vulnerabilities in that software.
The number of vendor relationships your business has, and the criticality of those relationships, is also worth clarifying. Some industries and companies are strong on vertical integration, and vendor relationships may carry less risk. In other cases, vendors are part of core business processes and can easily expose your most critical assets.
Like every project, creating a successful vendor risk assessment questionnaire starts with establishing clear goals. For less mature organizations, getting a questionnaire in place at all might be the goal. For more mature organizations, you may already have a process but need to make it more efficient. A larger scope for your questionnaire must be balanced against the increased cost of maintaining and administering it.
Finally, being frank about what is ultimately driving your vendor risk program ensures that everyone has the same top priority. What would the worst case data breach look like for your business? What regulatory penalties could you face? Could human lives be lost in a service outage? While the goal is for everything to work perfectly all the time, reaching alignment on top level priorities will provide guidelines that can avoid conflict or misunderstanding when working out the details of what questions to ask.
When it comes to vendor risk assessments, there’s no need to reinvent the wheel. While there is no justification for slouching– third party risks are more important than ever– we do ourselves and our ecosystem of customers a disservice when we don’t build on what has been done before. And just as humans share 99% of their DNA with apes, businesses are more alike than they are different. The core concerns about vendor risk are mostly the same for everyone-- does the vendor follow security best practices, who are their vendors, what technology are they using and is it updated-- while some small details will change from company to company, understanding these core issues will give you a general understanding of how your vendors handle digital business.
With high level objectives for the program and some consideration of priorities, you are ready to start drafting the questionnaire. Consider breaking the questionnaire out into categories, which help to logically organize the questions, and to ensure comprehensive coverage, avoiding blind spots for risk. Understanding which areas are important, and what you need to know in those areas, can help build a tailored, but complete questionnaire for your business.
One constraint that should feed into deciding the scope and specificity of your vendor risk assessment questionnaire is the number of people who will be reading and processing the responses. In a perfect world, you would have as much information as you can imagine. For those of us who live in the real world, there are time costs to processing information. Structuring data to true/false or numerical responses– anything that can be programmatically assessed for risk factors– can help automate parts of that intake so that personnel time is only spent reading the free response sections that require interpretation and judgment.
With that in mind, your vendor risk program will have some kind of budget and some number of people working on it. They will have a fixed number of questions they can read through for a given period of time. Your questions should be formulated to make the most of that time– to quickly eliminate non-risks and understand whether vendors meet your requirements.
Reading questionnaires is only part of administering them. After sending one out, recipients might need follow up reminders. The person filling it out might not be the contact to whom you have sent it, creating additional lag on the fulfillment end. If there are any deviations from your risk tolerance policy, or technological choices on the vendor’s part that haven’t previously been discussed by your organization, you will need to conduct internal reviews to decide whether the response is acceptable. If it is outside of your policy, you will need to review the results with the vendor and see if they can remediate the issues or show that compensating controls in other areas mitigate the risks posed by them.
After reaching a decision on an acceptable vendor submission, those documents need to be stored in some easily accessible and auditable method so that they can be retrieved in the event of an internal review, change in policy, or breach with that vendor. And, if all goes well, they need to be scheduled to be re-sent at some point in the future. The threat environment changes, your business changes, and their practices change. Annual resubmissions of vendor risk assessment questionnaires provide some assurance that those things stay in alignment.
As questionnaires are collected over time, the way a vendor’s risk profile has changed can be deduced from changes between intervals, and can show if a vendor is becoming more resilient or more risky as the relationship proceeds.
If vendor assessments sound like a lot of work, that’s because they are. The goal of reiterating what makes a good questionnaire isn’t to tell you what you already know, but to help shape the business case for you to conduct your assessment program. Part of that is knowing what is out of scope.
Questionnaires rely on good faith answers from vendors. Because there is no independent visibility into the internal infrastructure of a company, vendors are assumed to be answering questionnaires in good faith. At the very least, questionnaires help protect the primary company in the event of an incident, by showing that due diligence and assessment was performed and that they acted under the assumption that the vendor had certain controls in place to protect data and services.
At scale, maintaining regular questionnaires for vendors becomes unwieldy. Many companies will only assess their most important vendors, leaving dozens or hundreds of others unaccounted for. Tracking vendor contacts and assessment renewals can prove challenging even for a small subset of vendors. This process often contends with more direct business work for resources, and can be neglected if the administrative overhead outweighs the perceived risk.
Questionnaire assessments are typically submitted annually; changes in security profile happen in seconds. Technologies are added, removed, and updated; vulnerabilities are discovered in previously secure software; configurations and access controls are modified-- this is the day-to-day work of an IT department. This is why questionnaires should be accompanied by independent external assessments that can track those kinds of changes over time, at least as far as they can be known from the outside.
There’s much more to questionnaires and vendor assessment when you start drilling down into details. The process involves writing questionnaires, submitting them to vendors, staying on them until they are complete, reviewing the answers, deciding if the vendor’s risk is acceptable, and renewing questionnaires at regular intervals.
In The Guide to Vendor Questionnaires, we take a look at how to improve the assessment and questionnaire process, and what UpGuard does to automate and document it. Take a look to learn more: