Business partnerships require trust, but knowing whether your vendors merit that trust is difficult. With the rise of information technology, the ways in which trust can be broken, intentionally or unintentionally, have multiplied and become more complex.
Vendor security assessment questionnaires are one method to verify that service providers follow appropriate information security practices so your business can weigh the risk of entrusting them with your data.
This article outlines some helpful hints to create thorough vendor assessment questionnaires as part of your security program. Security questionnaires are notoriously annoying to administer. Good planning is critical to ensure that you ask the right questions, and in such a way that gives you the best insight from your vendor risk management program.
1. Know Your Business
The types of data that your business generates and the types of services it consumes are key considerations for minimizing your exposure to third-party risk. UpGuard has discovered third-party vendor breaches containing identifiable customer information, especially credit card details and SSNs can be used by malicious actors for identity theft and fraud; breaches containing medical records are worth even more than credit cards on the dark web; breaches that contain proprietary business data like financials, blueprints, code, and strategy/messaging documents give competitors an upper hand when exposed; and usage details and other psychographic data can help attackers target people by providing information for more focused phishing attempts.
For example, if your business uses cloud SaaS (Software-As-A-Service) products, understanding data security will be among your top concerns. If your IT solutions are primarily used on premises, where storage is inside a managed data center, you will likely want to ask more questions about security testing in the software development lifecycle to understand the likelihood of vulnerabilities.
The number of vendor relationships your business has, and the criticality of those relationships, is also worth clarifying. Some industries and companies are strong on vertical integration, and vendor relationships may carry less risk. In other cases, vendors are part of core business processes and can easily expose your most critical assets.
- What kinds of data does your business create, and where is it stored?
- How many vendors do you have?
- What is the criticality of your vendor relationships?
2. Clarify Your Goals
Like every project, creating a successful vendor risk assessment questionnaire starts with establishing clear goals. For less mature organizations, getting a questionnaire in place at all might be the goal. For more mature organizations, you may already have a process but need to make it more efficient. A larger scope for your questionnaire must be balanced against the increased cost of maintaining and administering it.
Finally, being frank about what is ultimately driving your vendor risk program ensures that everyone has the same top priority. What would the worst case data breach look like for your business? What regulatory penalties could you face? Could human lives be lost in a service outage? While the goal is for everything to work perfectly all the time, reaching alignment on top level priorities will provide guidelines that can avoid conflict or misunderstanding when working out the details of what questions to ask.
- What does a bad data breach look like for your business?
- How many assessments do you need to process each month?
- What does a good outcome for the vendor risk program look like?
3. Good Artists Borrow…
When it comes to vendor risk assessments, there’s no need to reinvent the wheel. While there is no justification for slouching– 3rd party risks are more important than ever– we do ourselves and our ecosystem of customers a disservice when we don’t build on what has been done before. And just as humans share 99% of their DNA with apes, businesses are more alike than they are different. The core concerns about vendor risk are mostly the same for everyone-- does the vendor follow security best practices, who are their vendors, what technology are they using and is it updated-- while some small details will change from company to company, understanding these core issues will give you a general understanding of how your vendors handle their security risk.
Getting a headstart on a vendor risk management program can be easy. Resources such as the VSAQ (Vendor Security Assessment Questionnaire) by Google are fantastic to move quickly. Originally released in 2016, the VSAQ was designed specifically to help companies understand vendor security practices. Out-of-the-box, it addresses multiple areas including data protection, supply chain management and information security policy. VSAQ has been designed to make risk assessments easier for vendors, with a focus on streamlining the security review process.
ISO 27001, HIPAA, PCI DSS
On the other end of the complexity spectrum lie standards such as ISO 27001, HIPAA and PCI DSS (Payment Card Industry. These types of comprehensive industry standards and regulatory requirements tend to result in extremely detailed vendor security questionnaires. Questionnaires complying with these standards often dive deep into concepts including:
- Physical security, including the vendor data centers
- Application security, especially focused on penetration testing of web applications
- Network security
- Data security
- Security incident management and incident response
- Security testing practices in the vendor's software development process
- Security awareness training across the vendor's organization
- Disaster recovery and business continuity planning for the vendor
UpGuard VendorRisk easily produces questionnaires compliant with ISO 27001, HIPAA and PCI DSS. Multiple clients in financial services, healthcare and other regulated sectors use VendorRisk to validate their vendor's security controls.
With high-level objectives for the program and some consideration of priorities, you are ready to start drafting the questionnaire. If you choose a template or industry standard, then your security questionnaire will be broken out into categories which help to logically organize the questions, and to ensure comprehensive coverage avoiding blind spots for security risk. Understanding which areas are important, and what you need to know in those areas, can help build a tailored, but complete questionnaire for your business.
- What security questionnaires for similar businesses can you find online?
- What standard security questionnaires offer questions you can use?
- Is there a solution that can help you get started with out-of-the-box capability?
- How you will know if your security program isn't working?
4. Personnel and Resources
One constraint that should feed into deciding the scope and specificity of your vendor risk assessment questionnaire is the number of people who will be reading and processing the responses. In a perfect world, you would have as much information as you can imagine. For those of us who live in the real world, there are time costs to processing information. Structuring data to true/false or numerical responses– anything that can be programmatically assessed for risk factors– can help automate parts of that intake so that personnel time is only spent reading the free response sections that require interpretation and judgment.
With that in mind, your vendor risk program will have some kind of budget and some number of people working on it. They will have a fixed number of questions they can read through for a given period of time. Your questions should be formulated to make the most of that time– to quickly eliminate non-risks and understand whether vendors meet your requirements.
- How many people will administering vendor security assessment questionnaires?
- What other duties will they have?
- How can assessment intake be sped up or automated?
5. Process for administering the document lifecycle
Distributing questionnaires is only part of administering them. After sending one out, recipients might need follow up reminders. The recipient of your questionnaire might not be the appropriate vendor security contact, creating additional lag on the fulfilment end. If there are any deviations from your acceptable risk management threshold, or technological choices on the vendor’s part that haven’t previously been discussed by your organization, you will need to conduct internal reviews to decide whether the response is acceptable. If it is outside of your security policy, you will need to review the results with the vendor and see if they can remediate the issues or show that compensating controls in other areas mitigate the risks posed by them.
After reaching a decision on an acceptable vendor submission, those documents need to be stored in some easily accessible and auditable solution so that they can be retrieved in the event of an internal review, change in security policy, or breach with that vendor. And, if all goes well, they need to be scheduled to be re-sent at some point in the future. The threat environment changes, your business changes, and vendor security practices change. Annual resubmissions of vendor risk assessment questionnaires provide some assurance that those things stay in alignment.
As assessment questionnaires are collected over time, the way a vendor’s security risk profile has changed can be deduced from changes between intervals and can show if a vendor is becoming more resilient or riskier as the relationship proceeds.
- How often will security questionnaires be distributed to vendors?
- When will security questionnaires need to be accessed for review?
- What parts of that process can be automated?
6. Limitations of Vendor Questionnaire Assessments
If vendor assessments sound like a lot of work, that’s because they are. The goal of reiterating what makes a good questionnaire isn’t to tell you what you already know, but to help shape the business case for you to conduct your security program. Part of that is knowing what is out of scope.
Questionnaires rely on good faith answers from vendors in their self-assessment. Because there is no independent visibility into the internal security policies and risk management practices of a company, vendors are assumed to be answering questionnaires in good faith. At the very least, assessment questionnaires help protect the primary company in the event of an incident, by showing that due diligence and vendor security assessment was performed and that they acted under the assumption that the vendor had certain controls in place to protect data and services.
At scale, maintaining regular questionnaires for vendors becomes unwieldy. Many companies will only assess their most important vendors, leaving hundreds of others unaccounted for. Tracking vendor security contacts and assessment questionnaire renewals can prove challenging even for a small subset of vendors. This process often contends with more direct business work for your information security team, and can be neglected if the administrative overhead outweighs the perceived risk.
Questionnaire assessments are typically submitted annually, but changes in security risk happen in seconds. Technologies are added, removed, and updated; vulnerabilities are discovered in previously secure software; configurations and access controls are modified-- this is the day-to-day work of an IT department. This is why questionnaires should be accompanied by independent external security ratings that can track observable changes over time.
7. Learn More
There’s quite a lot to vendor security questionnaires and vendor risk assessment when you start drilling down into details. The process involves writing questionnaires, submitting them to vendors, staying on them until they are complete, reviewing the answers, deciding if the vendor’s risk is acceptable, and renewing questionnaires at regular intervals.
In The Guide to Vendor Questionnaires, we take a look at how to improve the risk assessment and security questionnaire process, and what UpGuard does to automate and document it.