The Vendor Security Alliance Questionnaire (VSAQ) was created by a coalition of companies committed to improving Internet security.
It is one of the most well-known, highly respected security questionnaires, alongside:
- The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
- CIS Critical Security Controls
- NIST SP 800-171
- Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
- ISO 27001
The VSA questionnaire is free to use and accessible on the VSA website.
Who Created the Vendor Security Alliance (VSA)?
The Vendor Security Alliance (VSA) was formed by Airbnb, Atlassian, Docker, Dropbox, and Uber to streamline vendor security compliance and due diligence, allowing its members to leverage the VSA network of third-party auditors to carry out vendor risk assessments.
This enables vendors to assess other vendors faster and at a lower cost than before. Alongside its founding members, the VSA includes companies like Adobe, Coinbase, TaskUs, and Replicated.
Why Was the VSA Questionnaire Created?
The VSA questionnaire was created to help businesses address growing cybersecurity risks across third-party cloud services and SaaS providers. When used during due diligence, the VSAQ secures the vendor vetting process, allowing organizations to identify the potential impact a prospect will have on their security posture.
In the past, companies had no standardized way to assess the security risks of their peers and third-party vendors. Now, thanks to questionnaires mapping to standards such as the VSAQ and PCI DSS, organizations can understand the information security policies of prospective partners and select vendors based on informed cybersecurity decisions.
With innovative features like questionnaire automation technology, Vendor Risk Management programs have significantly matured. Today, organizations can have complete visibility and control of their third-party risk landscape, reducing business continuity disruptions caused by vendor security hiccups.
What are the Types of VSA Questionnaires?
The VSA issues two free questionnaires which are updated annually:
- VSA-Full: This is the classic VSA questionnaire that focuses deeply on vendor security and is used by thousands of companies globally.
- VSA-Core: This questionnaire consists of the most critical vendor assessment questions plus a privacy section. The privacy section covers US data breach notification requirements, the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR).
The VSA-Full was first published in 2016 and was designed to help companies improve their vendor risk management program by streamlining vendor security assessments.
The VSA questionnaire contains eight different sections including:
- Service Overview
- Data Protection & Access Control
- Policies & Standards
- Proactive Security
- Reactive Security
- Software Supply Chain
- Customer Facing Application Security
The VSA-Core questionnaire focuses on security and privacy principles and practices. From a security perspective, it does not go into the same depth as the VSA-Full questionnaire, but it does add the Privacy section that covers the core principles of US data breach laws, the California Consumer Privacy Act, and GDPR.
The VSA-Core questionnaire should be used when companies wish to ensure the vendor has well-designed security and privacy operations, whereas the VSA-Full focuses solely on security.
How is the VSA Questionnaire Different From Other Vendor Assessment Questionnaires?
Unlike other questionnaires, the VSA assessment process was created with the vendor in mind. Its focus is to eliminate irrelevant questions, reducing the time it takes for InfoSec and security teams to complete the questionnaire.
Security experts know that any vendor supplying a product or service can introduce risk, especially if they have access to sensitive data without appropriate controls in place. The issue is that getting vendors to complete security questionnaires can be laborious, time-intensive and expensive.
This is why the VSA urges companies to approach third-party risk management as:
- Data-risk based: Not all vendors should be held to the same standard; the risk is proportionate to the sensitivity of the data they are accessing (and its volume). This means the security controls vendors have in place must be proportionate to their risk.
- Integrated security: Great security is not achieved by purchasing a product. It is achieved by taking a defense-in-depth approach that starts with how the product is designed, tested, patched and maintained, as well as what steps have been taken to minimize the chance of a data breach, and what happens after a security incident (incident response planning and disaster recovery).
- Service-oriented: Many companies offer multiple products and services. Rather than auditing the company, the VSA assessment process focuses on the product or service being delivered. This means vendors should fill the questionnaire out for each specific product or service that is being evaluated.
What Type of Organization Should Use the VSA Questionnaire?
While the VSA questionnaire was originally created for the VSA's members, it is free to use for any security team as a means to assess the data security standards of vendors.
Common industries include financial services, technology, healthcare, government, and higher education.
Why You Should Consider Using Security Ratings With the VSA Questionnaire
The benefit of security ratings alongside security questionnaires is they are automatically generated, updated frequently, and they provide a common language for technical and non-technical stakeholders.
The key thing to understand is that security ratings fill the large gap left by traditional risk assessment techniques like security questionnaires. Sending questionnaires to every third party requires a lot of commitment and time, and frankly isn't always accurate.
Security ratings can complement and provide assurance of the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services.
UpGuard is one of the most popular security rating providers. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source security risk feeds, and non-intrusive data collection methods to quantitatively evaluate the security practices of service providers.
We base our ratings on the analysis of 70+ vectors, including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file-sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
If you're curious about other security rating services, see our guide on SecurityScorecard vs BitSight.