What is the Vendor Security Alliance (VSA) Questionnaire?

The Vendor Security Alliance (VSA) questionnaire was created by a coalition of companies committed to improving Internet security. 

It is one of the most well-known, highly respected security questionnaires, alongside:

• The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
• CIS Critical Security Controls
• NIST SP 800-171
• Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
• ISO 27001

The VSA questionnaire is free to use and accessible on the VSA website.  

Learn how UpGuard streamlines the security questionnaire process >

Who Created the Vendor Security Alliance (VSA)?

The Vendor Security Alliance (VSA) was formed by Airbnb, Atlassian, Docker, Dropbox, and Uber to streamline vendor security compliance and due diligence, allowing its members to leverage the VSA network of third-party auditors to carry out vendor risk assessments. 

This enables vendors to assess other vendors faster, and at a lower cost than before. Alongside its founding members, the VSA includes companies like Adobe, Coinbase, TaskUs, and Replicated. 

Why Was the VSA Questionnaire Created?

The reason the VSA questionnaire, alongside other vendor security questionnaires, was created is because of cybersecurity risk, particularly third-party risk, and fourth-party risk. When doing business with a vendor, it's not safe to assume that you are doing business with solely the party under contract. 

Vendors outsource to other vendors. Whether you like it or not, you are relying on your vendors and their vendors using sound cybersecurity practices, and you should apply the same standard of testing to all parties.

Every day, organizations around the globe depend on each other to embrace robust information security policies and practices to prevent data breaches and data leaks, and protect sensitive data like PII and PHI.

In the past companies had no standardized way to assess the security of their peers and third-party vendors.

What are the Types of VSA Questionnaires?

The VSA issues two free questionnaires which are updated annually:

• VSA-Full: This is the classic VSA questionnaire that focuses deeply on vendor security and is used by thousands of companies globally.
• VSA-Core: This questionnaire is comprised of the most critical vendor assessment in addition to privacy. The privacy section covers both US data breach notification requirements, the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR). 

VSA-Full

The VSA-Full was first published in 2016 and was designed to help companies improve their vendor risk management program by streamlining vendor security assessments. 

The VSA questionnaire contains eight different sections including:

1. Service Overview
2. Data Protection & Access Control
3. Policies & Standards
4. Proactive Security
5. Reactive Security
6. Software Supply Chain
7. Customer Facing Application Security
8. Compliance

VSA-Core

The VSA-Core questionnaire focuses on security and privacy principles and practices. From a security perspective, it does not go into the same depth as the VSA-Full questionnaire but it does add the Privacy section that covers the core principled of USA data breach laws, the California Consumer Privacy Act, and GDPR. 

The VSA-Core questionnaire should be used when companies wish to ensure the vendor has well-designed security and privacy operations, whereas the VSA-Full focuses solely on security. 

How is the VSA Questionnaire Different From Other Vendor Assessment Questionnaires?

Unlike other questionnaires, the VSA assessment process was created with the vendor in mind. Its focus is to eliminate irrelevant questions, reducing the time it takes for InfoSec and security teams to complete the questionnaire. 

Security experts know that any vendor supplying a product or service can introduce risk, especially if they have access to sensitive data without appropriate controls in place. The issue is that getting vendors to complete security questionnaires can be laborious, time-intensive and expensive. 

This is why the VSA urges companies approach third-party risk management as:

• Data-risk based: Not all vendors should be held to the same standard, the risk is proportionate to the sensitivity of the data they are accessing (and its volume). This means the security controls vendors have in place must be proportionate to their risk
• Integrated security: Great security is not achieved by purchasing a product, it's achieved by taking a defense in depth approach that starts with how the product is designed, tested, patched and maintained, as well as what steps have been taken to minimize the chance of a data breach, and what happens after a security incident (incident response planning and disaster recovery)
• Service-oriented: Many companies offer multiple products and services. Rather than auditing the company, the VSA assessment process focuses on the product or service being delivered. This means vendors should fill the questionnaire out for each specific product or service that is being evaluated.  

Read our guide on the top security questionnaires >

What Type of Organization Should Use the VSA Questionnaire?

While the VSA questionnaire was originally created for the VSA's members, it is free to use for any security team as a means to assess the security of vendors.

Common industries include financial services, technology, healthcare, government, and higher education.

Why You Should Consider Using Security Ratings With the VSA Questionnaire

Security ratings provide risk management and security teams with the ability to continuously monitor the security posture of their vendors.

The benefit of security ratings alongside security questionnaires is they are automatically generated, updated frequently, and they provide a common language for technical and non-technical stakeholders.

The key thing to understand is that security ratings fill the large gap left from traditional risk assessment techniques like security questionnaires. Sending questionnaires to every third-party requires a lot of commitment, time, and frankly isn't always accurate. 

Security ratings can complement and provide assurance of the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization. 

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services.

Read more about why security ratings are important here.

UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate cyber risk.

We base our ratings on the analysis of 70+ vectors including:

• Susceptibility to man-in-the-middle attacks
• Insecure SSL/TLS certificates
• SPF, DKIM and DMARC settings
• HTTP Strict Transport Security (HSTS)
• Email spoofing and phishing risk
• Vulnerabilities
• Malware susceptibility
• Unnecessary open administration, database, app, email and file sharing ports
• Exposure to known data breaches and data leaks
• Vulnerable software
• HTTP accessibility
• Secure cookie configuration
• Results of intelligent security questionnaires

If you are curious about other security rating services, see our guide on SecurityScorecard vs BitSight here.