Business partnerships require trust, but knowing which vendors you can trust to protect your customers' PII and PHI is difficult. With the rise of information technology, there are countless ways that trust can be broken, whether intentionally or unintentionally.
Vendor security assessment questionnaires are one method to verify that service providers have an appropriate security program in place.
New vendor questionnaire frameworks are introduced on what feels like a daily basis. Each has its own use cases, benefits, and drawbacks.
As we've explored before, planning your vendor security questionnaire process and using a vendor risk assessment questionnaire template can streamline vendor onboarding and save you time and money.
Additionally, vendor risk management is a vital part of reducing third-party risk and fourth-party risk, mitigating cyber risk and preventing data breaches involving third-party vendors and service providers.
The issue you and many third-party risk management (TPRM) professionals face is that as more vendor security assessments have been introduced, it has become harder to know which vendor assessment framework to use, at which time, and for which third party.
At UpGuard, simplifying security risk management is part of our job. That's why we've compiled a list of ten of the top questionnaires used in IT vendor security assessments today.
We believe third-party risk management is too important to leave to chance, which is why we developed UpGuard Vendor Risk, a robust vendor risk management platform that uses security ratings combined with a library of pre-built questionnaires to help you gain deep insight into vendor security and improve your coverage without increasing headcount.
Our questionnaire module helps you send questionnaires, improves your review process, and saves completed questionnaires on the platform, ensuring they are always accessible.
In addition to security questionnaires, security ratings provide instant assurance of security controls and continuous monitoring of any vendor's external security posture. Read more about why security ratings are important, and how they complement security questionnaires here.
11 Top Questionnaires for IT Vendor Assessments (in alphabetical order):
- California Consumer Privacy Act (CCPA) Questionnaire
- Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)
- Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
- General Data Protection Regulation (GDPR)
- Higher Education Community Vendor Assessment Tool — (HECVAT / HECVAT Lite)
- ISO 27001 Questionnaire
- Modern Slavery Questionnaire
- National Institute of Standards and Technology — NIST SP 800-171
- Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
- Vendor Security Alliance — VSA Questionnaire (VSA)
- Payment Card Industry Data Security Standards (PCI DSS) Questionnaire
1. California Consumer Privacy Act (CCPA) Questionnaire
The California Consumer Privacy Act (CCPA) or AB 375 is a new law that became effective on January 1, 2020, designed to enhance consumer privacy rights and protection for residents in the state of California by imposing rules on how businesses handle their personal information.
The CCPA is the most extensive consumer privacy legislation to pass in the United States and is akin to the European Union's General Data Protection Regulation (GDPR) and other data privacy laws and privacy regulations.
Like GDPR, CCPA is an extraterritorial law that applies to all organizations, regardless of whether they operate in California.
2. Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)
The CIS Critical Security Controls were created and are maintained by the Center for Internet Security (CIS), a forward-thinking nonprofit that harnesses the power of a global IT community to safeguard public and private organizations against cyber threats.
The CIS controls embody the first steps to securing the confidentiality, integrity, and availability of an organization, and can be considered a short-list of high-priority, highly effective defensive actions for any vendor seeking to improve their cyber defense.
The first five CIS Controls are often referred to as providing basic cyber hygiene, and studies have shown that implementing them provides an effective defense against the most common cyber attacks (~85% of attacks).
Additionally, the CIS Controls map to many major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.
3. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
The Consensus Assessments Initiative Questionnaire (CAIQ) is a security assessment provided by the Cloud Security Alliance (CSA), a leading organization dedicated to defining and raising awareness of secure cloud computing best practices. The CAIQ helps cloud consumers and auditors assess the information security capabilities of data center and cloud providers.
The CAIQ was created to address one of the leading concerns organizations have when moving to the cloud, namely the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management.
It provides commonly accepted industry standards to document security controls in IaaS, PaaS, and SaaS offerings.
The CAIQ does this through a series of "Yes/No" questions designed to ascertain compliance with the CSA Cloud Controls Matrix (CCM) which is composed of 133 control objectives structured across 16 domains that cover all key aspects of cloud technology.
4. General Data Protection Regulation (GDPR) Questionnaire
The General Data Protection Regulation (GDPR) is an extraterritorial European law that applies to the processing, storage, and exposure of personally identifiable information (PII) of European citizens.
While many organizations know they must process data in accordance with GDPR, many forget that GDPR is focused solely on data, which means that any data that passes through or is stored with a vendor must also comply with GDPR.
Additionally, GDPR requires that organizations report data breaches within 72 hours to the appointed Data Protection Authority (DPA), which will handle the legal ramifications of the data exposure; these can include fines of up to €20 million or 4% of annual global revenue, whichever is higher.
To get visibility on your vendor's compliance with GDPR, you'll need to develop a robust GDPR questionnaire or use the one available on the UpGuard platform.
5. Higher Education Community Vendor Assessment Tool — (HECVAT / HECVAT Lite)
The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that generalizes higher education information security and data protection questions, as well as issues regarding cloud services for consistency and ease of use.
HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework:
- HECVAT: 265 questions including qualifying questions for HIPAA and PCI-DSS opt-in
- HECVAT Lite: A lightweight questionnaire used to expedite the process
- On-premise: A unique questionnaire used to evaluate on-premise applications and software
HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessment Working Group, EDUCAUSE, Internet2, and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
6. ISO 27001 Questionnaire
ISO/IEC 27001 is one of the most well-known and well-used information security standards and is part of the ISO/IEC 27000 family of standards. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO 27001 takes a systematic approach to vendor risk management by running standard risk assessment and compliance checks, then providing suggestions and action plans to treat and prevent issues in the future.
One of the biggest benefits of using the ISO 27001 questionnaire is that it proactively identifies how vendors are utilizing resources and tools incorrectly, which is often what results in compliance gaps and security threats in the first place.
7. Modern Slavery Questionnaire
The Modern Slavery Questionnaire is aligned with Australia's Modern Slavery Bill 2018 and the UK's Modern Slavery Act 2015.
It is designed to help you identify any modern slavery risks, enable collaborative efforts between third parties and organizations to address those risks, improve transparency, and identify areas for further due diligence.
8. National Institute of Standards and Technology — NIST SP 800-171
NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171) provides federal agencies with a set of guidelines designed to ensure that Controlled Unclassified Information (CUI) remains confidential, available, and unchanged in nonfederal systems and organizations.
NIST SP 800-171 contains 14 specific security objectives, each with a variety of unique controls.
Any federal agency that engages with third parties, and any nonfederal system or organization that is used by a federal agency, must comply with NIST SP 800-171.
While NIST SP 800-171 mainly focuses on companies that work under a government contract, it represents a concerted effort to improve cybersecurity at a national level and is a detailed framework that can be used by any organization looking to improve its cybersecurity posture.
9. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains.
There are three types of SIG questionnaire:
- SIG questionnaire: The SIG assessment evaluates vendors based on 18 individual risk controls, which together determine how security risks are managed across the vendor's environment.
- SIG LITE: The SIG questionnaire is extensive, targeting multiple risk areas across multiple disciplines. For vendors who have less inherent risk, who don't require the entire SIG assessment, SIG LITE can be valuable. It takes the high-level concepts and questions from the larger SIG assessments, distilling them down to a few questions.
- SIG CORE: SIG CORE is a library of questions that security teams can pick and choose from, including extensive questions about GDPR and other specific compliance regulations.
10. Vendor Security Alliance — VSA Questionnaire (VSA)
The Vendor Security Alliance (VSA) questionnaire was created by a coalition of companies committed to improving Internet security.
The VSA issues two free questionnaires which are updated annually:
- VSA-Full: This is the classic VSA questionnaire that focuses deeply on vendor security and is used by thousands of companies globally.
- VSA-Core: This questionnaire consists of the most critical vendor assessment questions plus a privacy section. The privacy section covers US data breach notification requirements, the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR).
Unlike other questionnaires, the VSA assessment process was created with the vendor in mind. Its focus is to eliminate irrelevant questions, reducing the time it takes InfoSec teams to complete the questionnaire.
11. Payment Card Industry Data Security Standards (PCI DSS) Questionnaire
In 2006, five major credit card companies (Visa, MasterCard, Discover, American Express, and JCB) came together and established the Payment Card Industry Security Standards Council (PCI Security Standards Council or PCI SSC) to administer and manage security standards for companies that handle credit card data.
Any organization that accepts or processes payment cards must be PCI compliant, which involves three main things:
- Ensuring that sensitive card details are collected and transmitted securely
- Storing data securely by meeting the 12 security domain requirements of the PCI standard, such as encryption, continuous monitoring, and security testing of access control to card data
- Annual validation that required security controls are in place, which can include forms, security questionnaires, external vulnerability scanning, and third-party audits.
Which questionnaire is right for your third-party risk management (TPRM) program?
Determining the right assessment tool for your organization's vendor risk management (VRM) program isn't something to take lightly. That said, the number and quality of security questionnaires available for use are continually increasing.
The majority are regularly updated and improved (typically on an annual basis) by groups of experts in cybersecurity, information security, compliance, and risk, and are increasingly adopted by the world's leading companies.
If you're not sure which questionnaire or framework is right for you, let our team at UpGuard help you decide or use our library of pre-built questionnaires that can simplify the process and save your team significant time and resources.
Why you should consider using security ratings alongside vendor questionnaires
The benefit of security ratings alongside security questionnaires is that they are automatically generated, updated frequently, and provide a common language for technical and non-technical stakeholders.
The key thing to understand is that security ratings fill the large gap left by traditional risk assessment techniques like security questionnaires. Sending questionnaires to every third party requires significant commitment and time, and frankly the answers aren't always accurate.
Security ratings can complement and provide assurance of the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, "cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services."
UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate cyber risk.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
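Several of the vectors in that list (HSTS, secure cookie configuration, SPF/DKIM/DMARC settings) can be evaluated from data a vendor already exposes publicly. The following is an added example, not UpGuard's rating algorithm or any code from the page: it runs simple checks for the HSTS, cookie, SPF and DMARC vectors over constructed sample inputs (an HTTP response header set and DNS TXT records for a made-up domain) and rolls the findings into a score. The thresholds, finding names and weights are assumptions for illustration only.

```python
"""Toy external-posture checker for a few of the vectors listed above.

Added example, not UpGuard's rating algorithm. Evaluates constructed sample
inputs for the HSTS, secure-cookie, SPF and DMARC vectors and rolls the
findings into a simple score. Thresholds and weights are assumptions.
"""
import re

# Constructed sample: response headers as a vendor's HTTPS origin might return them.
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=3600",   # too short, no includeSubDomains
    "set-cookie": [
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "tracking=xyz; Path=/",                     # missing Secure and HttpOnly
    ],
}

# Constructed sample: TXT records for the apex domain and its _dmarc subdomain.
SAMPLE_TXT = {
    "example-vendor.invalid": ["v=spf1 include:_spf.mail.invalid ~all"],
    "_dmarc.example-vendor.invalid": ["v=DMARC1; p=none; rua=mailto:dmarc@example-vendor.invalid"],
}

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for an acceptable HSTS policy

def check_hsts(headers):
    """Return findings for the Strict-Transport-Security header."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["hsts_missing"]
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("hsts_short_max_age")
    if "includesubdomains" not in value.lower():
        findings.append("hsts_no_include_subdomains")
    return findings

def check_cookies(headers):
    """Flag Set-Cookie values lacking the Secure or HttpOnly attributes."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie_not_secure:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie_not_httponly:{name}")
    return findings

def check_spf(txt_records, domain):
    """Evaluate the SPF record: present, single, and how strict its 'all' mechanism is."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf_missing"]
    if len(spf) > 1:
        return ["spf_multiple_records"]  # RFC 7208: more than one record is a permerror
    record = spf[0].lower().strip()
    if record.endswith("-all"):
        return []
    if record.endswith("~all"):
        return ["spf_softfail"]
    return ["spf_permissive"]  # +all, ?all, or no 'all' mechanism at all

def check_dmarc(txt_records, domain):
    """Evaluate the DMARC policy: missing, monitoring-only (p=none), or enforcing."""
    records = [r for r in txt_records.get(f"_dmarc.{domain}", [])
               if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["dmarc_missing"]
    m = re.search(r"\bp=(\w+)", records[0], re.I)
    policy = m.group(1).lower() if m else "none"
    return ["dmarc_policy_none"] if policy == "none" else []  # quarantine/reject pass

# Assumed weights: points each finding subtracts from a 100-point baseline.
WEIGHTS = {
    "hsts_missing": 20, "hsts_short_max_age": 5, "hsts_no_include_subdomains": 5,
    "spf_missing": 15, "spf_multiple_records": 15, "spf_permissive": 15, "spf_softfail": 5,
    "dmarc_missing": 15, "dmarc_policy_none": 10,
}

def assess(headers, txt_records, domain):
    """Run all checks and return (score, findings)."""
    findings = (check_hsts(headers) + check_cookies(headers)
                + check_spf(txt_records, domain) + check_dmarc(txt_records, domain))
    penalty = sum(WEIGHTS.get(f.split(":", 1)[0], 5) for f in findings)  # cookies: 5 each
    return max(0, 100 - penalty), findings

if __name__ == "__main__":
    score, findings = assess(SAMPLE_HEADERS, SAMPLE_TXT, "example-vendor.invalid")
    print(f"score: {score}")
    for f in findings:
        print(" -", f)
```

Against the constructed sample the checker reports a short HSTS max-age without includeSubDomains, a tracking cookie missing both Secure and HttpOnly, an SPF soft-fail and a monitoring-only DMARC policy. A real rating service would gather these inputs by fetching the origin and querying DNS; here they are embedded so the logic can be read and run offline.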
If you are curious about other security rating services, see our guide on SecurityScorecard vs BitSight here.
How UpGuard can help you scale and improve your vendor risk management program
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your own information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls, providing a simple, easy-to-understand security rating, and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
If you'd like to see your organization's security rating, click here to request your free security rating.