A vendor risk management questionnaire (also known as a third-party risk assessment questionnaire or vendor risk assessment questionnaire) is designed to help your organization identify potential weaknesses among your third-party vendors and partners that could result in a data breach, data leak or other type of cyber attack.
Why are Vendor Risk Assessment Questionnaires Important?
It starts with understanding your organization, the data it generates and the service providers it relies on.
For example, personally identifiable information (PII) and protected health information (PHI) is often the target of cybercriminals because it can be sold on the dark web for identity theft and insurance fraud.
The key thing to understand is that regardless of your industry, data protection is paramount and security questionnaires are the base of any third-party risk management (TPRM) program.
This is particularly true if you operate in an industry with tight regulatory controls like PCI DSS, APRA CPS 234: Information Security Prudential Standard or HIPAA.
This means managing cybersecurity risk during onboarding through to offboarding vendors.
Vendor security assessment questionnaires are one part of verifying that your service providers are following appropriate information security practices and can help with incident response planning and disaster recovery.
Vendor questionnaires are one part of vendor risk management, read our other post to understand why vendor risk management is so important.
What are the Downsides of Vendor Risk Assessment Questionnaires?
The problem with security questionnaires is they are notoriously labor-intensive to administer, which is why many organizations are investing in tools to automate vendor risk management to mitigate vendor risk (third-party risk and fourth-party risk).
Unfortunately, even the best questionnaire only offers a snapshot of your vendor's cybersecurity posture.
Technology changes, business processes are outsourced, policies are updated, renewed and discarded, so the security risk presented by your digital supply chain is in constant flux.
Security questionnaires are self-assessments meaning you are believing what vendors tell you about their security controls. To build a robust third-party risk assessment framework, your organization needs to look at more than just questionnaires.
Develop a process to scale your cyber security risk assessment process and keep track of current, existing and potential vendors.
And most importantly, look for ways to verify the claims vendors make about their security standards.
How Can My Organization Build a Robust Vendor Risk Management Program?
Standard best practice is to use an industry standard questionnaire as a starting point and then adapting it based on your organizations needs. This is because it is hard to get a clear understanding of internal network security, data security and information security without asking the vendor for additional information. For example, the best way to understand their access controls is to ask your vendor.
Here are five industry-standard security assessment methodologies you can start with:
- CIS Critical Security Controls (CIS First 5 / CIS Top 20): The Center for Internet Security (CIS) is a non-profit entity that wants to safeguard private and public organizations against cyber threats. CIS's 20 controls are a prioritized set of actions to protect critical systems and data from common cyber attacks. These are high-priority, highly effective controls that reduce cybersecurity risk and map to most major frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series and regulations like PCI DSS, HIPAA, NERC CIP and FISMA.
- Consensus Assessments Initiative Questionnaire (CAIQ): CAIQ comes from the Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices for secure cloud computing. The questionnaire provides industry-accepted ways to document security controls in IaaS, PaaS and SaaS offerings. There are a set of questions that you should ask your cloud provider.
- NIST 800-171: The National Institute of Standards and Technology (NIST) implements provides guidance on cybersecurity and privacy for the U.S. through best practices and standards. The purpose of NIST 800-171 is to help protect controlled unclassified information (CUI) in nonfederal systems and organizations. It contains 14 specific security objectives with a variety of controls and maps to NIST 800-53 and ISO 27001. If your organization offers products, solutions or services to the Department of Defense (DoD), General Services Administration (GSA) or National Aeronautics and Space Administration (NASA) it must comply with NIST 800-171.
- Standardized Information Gathering Questionnaire (SIG / SIG-Lite): SIG and SIG-Lite were created by the Shared Assessments Program, a trusted source for third-party risk management resources including tools and best practices to manage vendor risk. The SIG questionnaire is a tool to assess cybersecurity, IT, privacy, data security and business resiliency. SIG-Lite is a compilation of higher level questions from SIG and is generally used for low risk vendors.
- VSA Questionnaire (VSAQ): The Vendor Security Alliance (VSA) is a coalition of companies committed to improving Internet security. VSAQ was first published in 2016 and is designed specifically to help companies monitor their supplier's security practices. It contains six sections: data protection, security policy, preventative and reactive security measures, supply chain management and compliance.
You can extract thousands of potential questions from these frameworks and adapt them to align with your organizations needs and priorities. However, security questionnaires are only part of the solution.
Consider investing in a tool to monitor your vendors and their vendors' security ratings in real-time. This will allow your organization to streamline the vendor assessment process, monitor for changes in security posture and request remediation of key issues at high-risk vendors.
These tools can monitor for issues relating to DMARC, CVE-listed vulnerabilities and exploits, social engineering like phishing and spear phishing, malware (ransomware and other types of malware), email spoofing, typosquatting, domain hijacking, SSL, DNSSEC, man-in-the-middle attacks and other cyber threats.
Free Vendor Risk Assessment Template
Here are some questions you can use as a sample vendor risk assessment questionnaire template broken into four sections:
- Information security and privacy
- Physical and data center security
- Web application security
- Infrastructure security
To streamline the vendor risk assessment process, risk assessment management tool should be used. Vendor Risk by UpGuard hosts an up-to-date library of popular cybersecurity questionnaires that can be edited to accomodate your unique third-party security requirements.
Information Security and Privacy Questions
- Does your organization process personally identifiable information (PII) or protected health information (PHI)?
- Does your organization have a security program?
- If so, what standards and guidelines does it follow?
- Does your information security and privacy program cover all operations, services and systems that process sensitive data?
- Who is responsible for managing your information security and privacy program?
- What controls do you employ as part of your information security and privacy program?
- Are there any additional details you would like to provide about your information security and privacy program?
Physical and Data Center Security Questions
- Are you in a shared office?
- Do you review physical and environmental risks?
- Do you have procedures in place for business continuity in the event that your office is inaccessible?
- Do you have a written policy for physical security requirements for your office?
- Is your network equipment physically secured?
- What data center providers do you use if any?
- How many data centers store sensitive data?
- What countries are data centers located in?
- Are there any additional details you would like to provide about your physical and data center security program?
Web Application Security Questions
- What is the name of your application? And what does it do?
- Do you have a bug bounty program or other way to report vulnerabilities?
- Does your application have a valid SSL certificate to prevent man-in-the-middle attacks?
- Does your application require login credentials?
- How do users get their initial password?
- Do you have minimum password security standards?
- How do you store passwords?
- Do you offer single sign-on (SSO)?
- How can users recover their credentials?
- Does your application employ a defense in depth strategy? If so, what?
- How you regularly scan CVE for known vulnerabilities?
- How do you do quality assurance?
- Do you employ pentesting?
- Who can we contact for more information related to your web application security?
Infrastructure Security Questions
- Do you have a written network security policy?
- Do you use a VPN?
- Do you employ server hardening?
- How do you keep your server operating systems patched?
- Do you log security events?
- What operating systems are used on your servers?
- Do you backup your data?
- How do you store backups?
- Do you test backups?
- Who manages your email infrastructure?
- How do they prevent email spoofing? e.g. DMARC
- How do you protect employee devices from ransomware and other types of malware?
- What operating systems do employee devices use?
- Are employee devices encrypted?
- Do you employ a third-party to test your infrastructure security?
- Who can we contact in relation to infrastructure security?
For a step-by-step guide on how to preform a vendor risk assessment, click here.
Why You Should Consider Using Security Ratings Alongside Security Questionnaires
The benefit of security ratings alongside security questionnaires is they are automatically generated, updated frequently, and they provide a common language for technical and non-technical stakeholders.
The key thing to understand is that security ratings fill the large gap left from traditional risk assessment techniques like the SIG questionnaire or VSA questionnaire. Sending questionnaires to every third-party requires a lot of commitment, time, and frankly isn't always accurate.
Security ratings can complement and provide assurance of the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services.
UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate cyber risk.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
If you are curious about other security rating services, see our guide on SecurityScorecard vs BitSight here.
How UpGuard Can Automate Your Vendor Risk Assessment Questionnaires
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.