A vendor risk management questionnaire (also known as a third-party risk assessment questionnaire or vendor risk assessment questionnaire) is designed to help your organization identify potential weaknesses among your third-party vendors and partners that could result in a data breach, data leak or other type of cyber attack.
Free Vendor Risk Assessment Template for 2023
Here are some questions you can use as a sample vendor risk assessment questionnaire template broken into four sections:
- Information security and privacy
- Physical and data center security
- Web application security
- Infrastructure security
To streamline the vendor risk assessment process, a risk assessment management tool should be used. UpGuard offers a library of industry-leading vendor risk assessment templates mapping to popular regulations and cyber frameworks. UpGuard also offers a series of integrations and dashboards to streamline the VRM lifecycle across multiple industries and use cases.
Information Security and Privacy Questions
- Does your organization process personally identifiable information (PII) or protected health information (PHI)?
- Does your organization have a security program? If so, what standards and guidelines does it follow?
- Does your information security and privacy program cover all operations, services, and systems that process sensitive data?
- Who is responsible for managing your information security and privacy program?
- What controls do you employ as part of your information security and privacy program?
- Are there any additional details you would like to provide about your information security and privacy program?
- What is your process for data classification? What security measures are in place to protect each classification level?
- How do you ensure remotely accessed sensitive data (such as data accessed from mobile devices) is secured?
- Do you employ any anonymizing techniques, such as data masking? If so, describe the systems in which these techniques are implemented.
- Do any of your third-party vendors have access to your sensitive data? If so, what categories of sensitive data do they have access to?
- How do you ensure your third-party vendors that process your sensitive data have proper cybersecurity measures in place?
- What user authentication techniques are you implementing to prevent unauthorized access?
- Do you implement any Data Loss Prevention (DLP) strategies to defend against exfiltration?
- How do you ensure only the minimal level of required personal information is collected and processed? How do you define “minimal level”?
Physical and Data Center Security Questions
- Are you in a shared office?
- Do you review physical and environmental risks?
- Do you have procedures in place for business continuity in the event that your office is inaccessible?
- Do you have a written policy for physical security requirements for your office?
- Is your network equipment physically secured?
- What data center providers do you use if any?
- How many data centers store sensitive data?
- What countries are data centers located in?
- Are your data centers certified by any industry standards (e.g., ISO 27001, SSAE 16)?
- Are there any additional details you would like to provide about your physical and data center security program?
- Where is sensitive information physically stored?
- Is physically stored sensitive information segmented from general access network regions?
- How do you ensure the security of any personal data transferred between physical devices?
- Do you have any surveillance cameras in place? Where are they positioned and how long is the footage retained?
- Are any of your surveillance devices IoT devices?
- How often do you conduct physical security audits?
Web Application Security Questions
- What is the name of your application, and what does it do?
- Do you have a bug bounty program or other way to report vulnerabilities?
- Does your application have a valid SSL certificate to prevent man-in-the-middle attacks?
- Does your application require login credentials?
- How do users get their initial password?
- Do you have minimum password security standards?
- How do you store passwords?
- Do you offer single sign-on (SSO)?
- How can users recover their credentials?
- Does your application employ a defense in depth strategy? If so, what?
- How do you regularly scan for known vulnerabilities (CVEs)?
- How do you do quality assurance?
- How do you ensure data is transferred securely between APIs and other third-party integrations?
- Do you have a Web Application Firewall (WAF) implemented?
- How do you track and retire end-of-life web server software and outdated web development libraries?
- Do you employ penetration testing to test the integrity of sensitive data security controls?
- Who can we contact for more information related to your web application security?
- How do you ensure the timely installation of web application security patches?
- What types of data processing activities do you perform for different types of users (visitors, customers, etc.)?
- How do you ensure separation of duties in your application development and deployment processes?
- How do you gather user consent for processing personal data?
- What measures are in place to prevent session hijacking?
- Do you implement input validation measures to prevent input-based attacks, such as SQL injection, keylogging, and Cross-Site Scripting (XSS)?
Infrastructure Security Questions
- Do you have a written network security policy?
- Have you ever experienced a data breach? If so, what was the impact and how was it addressed?
- Do you use a VPN?
- Do you employ server hardening?
- How do you keep your server operating systems patched?
- Do you log security events?
- What operating systems are used on your servers?
- Do you back up your data?
- How do you store backups?
- Do you segment your network to restrict access to sensitive resources?
- Do you test backups?
- Who manages your email infrastructure?
- How do they prevent email spoofing (e.g., DMARC)?
- Do you employ intrusion detection and prevention systems (IDPS)?
- How do you handle end-of-life hardware and ensure data is securely wiped?
- How do you protect employee devices from ransomware and other types of malware?
- What operating systems do employee devices use?
- Are employee devices encrypted?
- Are user logins managed in a centralized solution?
- How do you ensure secure configurations for all network devices, including routers, switches, and firewalls?
- How do you monitor for suspicious activities or infrastructure anomalies?
- Do you have an incident response plan in place? How often is it tested?
- Do you have a disaster recovery plan in place? How often is it tested?
- How often do you review and update firewall rules and configurations?
- Do you employ a third party to test your infrastructure security?
- Who can we contact in relation to infrastructure security?
- What security measures are in place for defending against malware injections, ransomware attacks, and other malicious threats?
Why are Vendor Risk Assessment Questionnaires Important?
Vendor security questionnaires are an invaluable aid during due diligence, helping you understand the potential risks and customer data privacy standards of new vendors before committing to partnerships.
Whether or not you operate in a high data breach risk industry, like healthcare, data protection is paramount, and security questionnaires are very effective at evaluating vendor security postures as part of a Third-Party Risk Management (TPRM) program.
This is particularly true if you operate in an industry with tight regulatory controls like PCI DSS, APRA CPS 234: Information Security Prudential Standard or HIPAA.
Even if your organization has tight security controls and a best-in-class information security policy, vendor risk management must be at the heart of your information security (InfoSec) program. This means managing cybersecurity risk from vendor onboarding through to offboarding.
Vendor security assessment questionnaires are one part of verifying that your service providers are following appropriate information security practices and can help with incident response planning and disaster recovery.
Vendor questionnaires are one part of Vendor Risk Management (VRM).
What are the Downsides of Vendor Risk Assessment Questionnaires?
The problem with security questionnaires is they are notoriously labor-intensive to administer, which is why many organizations are investing in tools to automate vendor risk management to mitigate vendor risk (third-party risk and fourth-party risk).
Unfortunately, even the best questionnaire only offers a snapshot of your vendor's cybersecurity posture.
Technology changes, business processes are outsourced, policies are updated, renewed and discarded, so the security risk presented by your digital supply chain is in constant flux.
Security questionnaires are self-assessments, meaning you are trusting what vendors tell you about their security controls. To build a robust third-party risk assessment framework, your organization needs to look at more than just questionnaires.
Develop a process to scale your cybersecurity risk assessments and keep track of existing and potential vendors.
And most importantly, look for ways to verify the claims vendors make about their security standards.
How Can My Organization Build a Robust Vendor Risk Management Program?
Standard best practice is to use an industry-standard questionnaire as a starting point and then adapt it to your organization's needs. This is because it is hard to get a clear understanding of a vendor's internal network security, data security and information security without asking the vendor for additional information. For example, the best way to understand their access controls is to ask your vendor.
Here are five industry-standard security assessment methodologies you can start with:
- CIS Critical Security Controls (CIS First 5 / CIS Top 20): The Center for Internet Security (CIS) is a non-profit entity that works to safeguard private and public organizations against cyber threats. CIS's 20 controls are a prioritized set of actions to protect critical systems and data from common cyber attacks. These are high-priority, highly effective controls that reduce cybersecurity risk and map to most major frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series and regulations like PCI DSS, HIPAA, NERC CIP and FISMA.
- Consensus Assessments Initiative Questionnaire (CAIQ): CAIQ comes from the Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices for secure cloud computing. The questionnaire provides industry-accepted ways to document security controls in IaaS, PaaS and SaaS offerings. It is a set of questions that you should ask your cloud provider.
- NIST 800-171: The National Institute of Standards and Technology (NIST) provides guidance on cybersecurity and privacy for the U.S. through best practices and standards. The purpose of NIST 800-171 is to help protect controlled unclassified information (CUI) in nonfederal systems and organizations. It contains 14 specific security objectives with a variety of controls and maps to NIST 800-53 and ISO 27001. If your organization offers products, solutions or services to the Department of Defense (DoD), General Services Administration (GSA) or National Aeronautics and Space Administration (NASA), it must comply with NIST 800-171.
- Standardized Information Gathering Questionnaire (SIG / SIG-Lite): SIG and SIG-Lite were created by the Shared Assessments Program, a trusted source for third-party risk management resources including tools and best practices to manage vendor risk. The SIG questionnaire is a tool to assess cybersecurity, IT, privacy, data security and business resiliency. SIG-Lite is a compilation of higher level questions from SIG and is generally used for low risk vendors.
- VSA Questionnaire (VSAQ): The Vendor Security Alliance (VSA) is a coalition of companies committed to improving Internet security. VSAQ was first published in 2016 and is designed specifically to help companies monitor their suppliers' security practices. It contains six sections: data protection, security policy, preventative and reactive security measures, supply chain management and compliance.
You can extract thousands of potential questions from these frameworks and adapt them to align with your organization's needs and priorities. However, security questionnaires are only part of the solution.
Consider investing in a tool to monitor your vendors and their vendors' security ratings in real-time. This will allow your organization to streamline the vendor assessment process, monitor for changes in security posture and request remediation of key issues at high-risk vendors.
These tools can monitor for issues relating to DMARC, CVE listed vulnerabilities and exploits, social engineering attacks like phishing and spear phishing, malware (ransomware and other types of malware), email spoofing, typosquatting, domain hijacking, SSL, DNSSEC, man-in-the-middle attacks and other cyber threats.
Why You Should Consider Using Security Ratings Alongside Security Questionnaires
The benefit of security ratings alongside security questionnaires is they are automatically generated, updated frequently, and they provide a common language for technical and non-technical stakeholders.
The key thing to understand is that security ratings fill the large gap left by traditional risk assessment techniques like the SIG questionnaire or VSA questionnaire. Sending questionnaires to every third party requires a lot of commitment and time, and frankly isn't always accurate.
Security ratings can complement and provide assurance of the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, "cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships… these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services."
UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate cyber risk.
We base our ratings on the analysis of 70+ vectors, including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM, and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
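As an added example (not UpGuard's code or its rating algorithm), the following shows how a passive, externally verifiable check of a few of the vectors listed above (SPF and DMARC settings, HSTS, secure cookie configuration) can be turned into findings from nothing more than a domain's DNS TXT records and an HTTP response's headers. The vendor domain, records, headers and the one-year HSTS threshold are constructed assumptions; in practice the inputs would come from a DNS lookup and an HTTPS request to the vendor's public site.

```python
import re

# Constructed sample data for a hypothetical vendor domain: DNS TXT records and HTTP headers.
SAMPLE_DNS_TXT = {
    "vendor.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.vendor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"],
}
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=3600",
    "set-cookie": ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/"],
}

def check_spf(txt_records):
    """Flag a missing SPF record or one that does not hard-fail (-all) unlisted senders."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record published"]
    return [] if spf[0].rstrip().endswith("-all") else ["SPF: record does not end in -all"]

def check_dmarc(txt_records):
    """Flag a missing DMARC record or a monitor-only policy (p=none)."""
    rec = next((r for r in txt_records if r.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return ["DMARC: no record published"]
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    return [] if policy in ("quarantine", "reject") else ["DMARC: policy p=%s is not enforcing" % policy]

def check_hsts(headers):
    """Flag a missing HSTS header or a max-age shorter than one year (31536000 s, assumed threshold)."""
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if m is None:
        return ["HSTS: header not set"]
    return [] if int(m.group(1)) >= 31536000 else ["HSTS: max-age below one year"]

def check_cookies(headers):
    """Flag Set-Cookie headers that lack the Secure or HttpOnly attribute."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append("Cookie %s: missing %s" % (cookie.split("=", 1)[0], ", ".join(missing)))
    return findings

def assess(domain, dns_txt, headers):
    """Combine the checks for one vendor domain into a list of findings."""
    return (check_spf(dns_txt.get(domain, []))
            + check_dmarc(dns_txt.get("_dmarc." + domain, []))
            + check_hsts(headers) + check_cookies(headers))
```

Each finding maps directly to a questionnaire claim (for example "How do they prevent email spoofing?"), so the list can be used to corroborate or challenge what the vendor self-reported.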