Dec 04, 2018, 02:36 PM
A GUIDE TO RESPONDING TO 3RD PARTY QUESTIONNAIRES
KEN STASIAK
Organizations regularly send questionnaires to their vendors regarding vendor security and compliance status. These questionnaires are particularly prevalent in the manufacturing and professional service industries, where organizations want to know whether they are accepting undue risk from their vendors. If you’ve received one of these questionnaires, you may be wondering how best to tackle it. If you consistently receive them, you are all too familiar with how time-consuming they can be. Responding to these questionnaires thoroughly can be cumbersome, though responding to them carelessly (or not at all) will risk client relationships. So, the question becomes, what is the best strategy for handling these questionnaires?
Synopsis
To address this issue, we will discuss the following topics:
1) What is the purpose of these questionnaires?
2) How should I answer the questions?
3) What if my organization is weak in the areas the questionnaire is addressing?
4) When should I engage a risk manager for assistance?
5) Can I fill out just ONE questionnaire and send that to clients?
6) Can certification/compliance with a framework (like NIST) be used in lieu of answering all of these questionnaires?
7) What is the best strategy, based on my resources, risk, and business goals?
8) Tips and Tricks
TABLE OF CONTENTS
WHAT IS THE PURPOSE OF SECURITY QUESTIONNAIRES?
TPVM PROCESS FLOW
HOW SHOULD I ANSWER THE QUESTIONS?
WHAT IF MY ORGANIZATION IS WEAK IN THE AREAS THE QUESTIONNAIRE IS ADDRESSING?
WHEN SHOULD I ENGAGE A RISK MANAGER FOR ASSISTANCE?
CAN’T I JUST FILL OUT ONE SECURITY QUESTIONNAIRE AND USE IT FOR OTHER CUSTOMER REQUESTS?
CAN CERTIFICATION/COMPLIANCE WITH A FRAMEWORK (LIKE NIST) BE USED IN LIEU OF ANSWERING ALL OF THESE QUESTIONNAIRES?
WHAT IS THE BEST STRATEGY, BASED ON MY RESOURCES, RISK, AND BUSINESS GOALS?
TIPS AND TRICKS
WHAT IS THE PURPOSE OF SECURITY QUESTIONNAIRES?

Third party security questionnaires are surveys sent by organizations (or customers[1]) to their vendors[2] as a way to evaluate vendor security practices or compliance status. The questionnaires are a useful tool in an organization’s third party vendor management (TPVM) program. These questionnaires may cover any number of security or compliance related issues, such as information security policies, physical security procedures, data classification, technical controls, or even whether the vendor has their own TPVM program. We have seen questionnaires range from 20 to 200 questions, and they may require varying degrees of validation, such as supplying supporting documentation. In short, these questionnaires help customers vet, classify, and manage vendor risk as part of a broader TPVM program.

TPVM has been a topic of conversation for a number of years, but recently the conversation has gotten much louder. For financial organizations, TPVM has been around for years, with various regulators and regulations mandating a formal process for evaluating their vendors. Then, in 2014, the security industry was reminded that third parties can have an impact on security, when Target got breached through an access channel used by their HVAC vendor.

Why did Target get breached? The answer is fairly simple. Many organizations do not screen ALL their vendors. Generally, for cost justifications, organizations self-select a subset of vendors to enroll into the TPVM program. This is a perfectly acceptable solution, as long as organizations select the right vendors to include in their TPVM program. Unfortunately for Target, by not doing an internal impact rating of their vendors, the HVAC vendor was missed, and the weakest link in the chain broke.

The Target breach is perhaps the most prominent reminder of the importance of an effective TPVM program. This event galvanized several other organizations to start taking a more serious look at vendor security. Today, customers are enforcing security from their vendors to limit the risk of downstream liability. To help improve the TPVM process, organizations often utilize security questionnaires as a means of ranking vendor risk, based on several factors, such as:

1. Data that the vendor holds, such as regulated data, Controlled Unclassified Information (CUI) or Intellectual Property (IP).
2. Access the vendor has to the organization’s environment/data.
3. Whether the vendor stores, transmits, or processes the organization’s data.

[1] For the purposes of this document, “customer” refers to the company that is requesting the security questionnaire.
[2] For the purposes of this document, “vendor” refers to the company that is providing services to an organization, and is thus the entity filling out the questionnaire.
Vendors are ranked internally by the customer based on several factors (above), and are assigned an impact rating (High, Moderate, Low). This rating will then determine what kind of security questionnaire the vendor receives. High impact vendors receive an inclusive list of questions that the vendor must fill out in order to continue to provide “services”[3] to the organization. Medium vendors follow a similar process; however, the question set is generally reduced to capture only egregious control deficiencies. Low impact vendors are generally neglected in the third party vendor management program.

If you are currently supplying services to large organizations and have the ability to access sensitive information, chances are high you will be selected to fill out a security questionnaire. In the end, vendors that have a high impact to one organization generally will have a high impact to other organizations. Depending on the number of customers, a vendor can fill out as many as thirty to fifty security questionnaires per year. While the use of security questionnaires is a key component of a good TPVM program, they can place a heavy burden on the vendors who receive them. Now that we understand the background and purpose of the security questionnaires, we will move on to discuss how you as a vendor can best approach them.

[3] The term “services” is used in a non-discriminating fashion and relates to any business activity whereby the vendor has an impact on the organization’s security/supply chain.
TPVM PROCESS FLOW

The following steps are recovered from the process flow diagram, which shows the customer’s actions alongside the vendor’s actions.

Customer:
• Conducts internal impact rating
• Identifies high/medium vendors
• Updates questionnaire to address new threats
• Sends questionnaire to vendor
• Reviews questionnaire responses
• Identifies questions that are either noncompliant or lack documentation
• Sends follow up questions or requests for further documentation
• Communicates with vendor via email, portal, or conference to discuss findings
• Periodic calls with vendor to ensure plan is on schedule
• Puts vendor in mitigation status in procurement system or accepts remediation and marks vendor compliant

Vendor:
• Fills out questionnaire
• Returns it to customer
• Acknowledges deficiencies or provides documentation
• Communicates via email, portal, or conference to discuss findings
• Provides plan to address deficiencies
• Periodic calls to ensure plan is on schedule
• Depending on impact rating, vendor receives another questionnaire annually
1796 1
180HOW SHOULD I ANSWER
181THE QUESTIONS?
182From a vendor’s perspective, the impact of these questionnaires can vary from a little annoying to
183dedicating several Fulltime Employees (FTE) to respond and migrate to these requests. Again,
184depending on your impact to the organization, you may receive a comprehensive question set of
185over 200 questions, or a basic question set covering only general security practices. While most
186vendors will only have to fill out a handful of these questionnaires, the time to complete often
187pales in comparison to the time to actually be compliant (i.e., answering Yes to every question).
188If you have never received a security questionnaire, you are in luck (and by luck, we mean time is
189ticking because they will be coming soon). Regardless of whether you will have to complete
190several intensive questionnaires or just a handful of short surveys, it is important to be prepared
191for them.
192Let’s review a sample question included in almost all questionnaires.
193Question: Is there an information security policy that has been approved by
194management, communicated to appropriate constituents and an owner to
195maintain and review the policy?
196Available responses:
197• Yes
198• No
199• N/A
200Please attach the approved policy.
201Though it is just one question, it is more complex than it appears at first glance. This is a loaded
202question with 4 parts. First, is there a security policy? Second, has it been approved by management?
203Third, has it been communicated to the company? Finally, has an owner been assigned to maintain
204and review? On the surface, responding Yes means you have all 4 components of a security policy,
205while responding No means you do not have any of these components in place. In reality, though,
206you may have some of the components in place. However, the question is couched in an all or
207nothing response and provides no “partial†response option.
208There are benefits and drawbacks for each answer. If you answer Yes, then the customer will likely
209review your policy to ensure it adequately addresses various security topics. If you answer No, the
210customer will put you into mitigation status, where you will be asked to develop the aforementioned
211areas. N/A is generally only used for very specific questions (or risk analysis). In this instance, an
212N/A would likely also warrant mitigation status, until you can prove the policy and overall process
213exists or that the control/question is outside of your scope/risk analysis.
214How you choose to respond to the questionnaires will largely reflect the way your organization handles
215the risks associated with these questionnaires. Receiving a security questionnaire by itself can create
216organizational risk. If you fail to respond, or you have too many deficiencies, you could lose the
217customer or (just as bad) be fined for not complying to the Service Level Agreement (SLA). Your
218options from there will generally fall into the five categories described below, which mirror the 5
219general ways to handle any risk.
ACCEPT
All organizations have an acceptable level of risk—a state where they are willing to assume the consequences for not implementing certain security controls, due to the nature of their business or certain constraints. However, the questionnaires do not take into account your acceptable risk. You will rarely receive a questionnaire with which you can fully comply at first. Therefore, you can choose to report these deficiencies on the questionnaire and accept the risks of that action (business impact = potential loss in sales).

An important note: Conducting a risk assessment (before answering the questionnaire, if at all possible) is the best way to determine what level of risk you are truly willing to accept. A risk assessment will help your organization determine what kind of threats you currently face, what kind of risks your organization is willing to take, and how a noncompliant questionnaire may impact your organization.

TRANSFER
You may decide that storing, processing or transmitting your customer’s data is just too costly. If so, you may want to transfer the risks of handling that data to a third party, thus offloading the compliance requirements for the relevant questions to that third party. This is common with Cloud-based Software as a Service (SaaS) or hosting, since many of these providers serve hundreds of companies and thus spread the cost of security/compliance across that population.

IGNORE
Though this is definitely not recommended, you may decide not to respond to the questionnaire altogether. This option is itself risky because it reveals that either you do not understand the business impact this questionnaire could have on the organization or you are (naively) hoping the customer forgets about you.

HOLD
Similarly, some organizations may be (knowingly or unknowingly) holding the risk from the questionnaire. For example, someone may receive the questionnaire and simply not inform executive management that a questionnaire has been requested. The questionnaire is thus in a holding pattern until the appropriate personnel choose to do something about it.

Recently one of our clients had received a security questionnaire and asked for our assistance. I sat down with the executive management team, and during the conversation I asked when they received the questionnaire. The senior Vice President said a few weeks ago. Just as I was able to ask a follow-up question, the CIO said, “Not entirely true. I received the first request about six months ago.” To complicate the matter, per their SLA, they were to be fined $10,000 per month for every month they were noncompliant, and they had one week left to respond. Clearly, putting the questionnaire on hold with no action was about to cost this organization a lot of money.

MITIGATE
Another strategy is to address your deficiencies through mitigation. To do this, you acknowledge that the questionnaire requires an investment to improve your security posture. Be sure that you communicate your mitigation strategy to your customer. Customers will often work with a vendor to provide additional time for compliance. In fact, customers often love to see their vendors being this proactive, and this can often strengthen the vendor-customer relationship.
WHAT IF MY ORGANIZATION IS WEAK IN THE AREAS THE QUESTIONNAIRE IS ADDRESSING?

If you suspect your organization is weak in some of the areas covered by the questionnaire, there are a few actions you can take to give your customer what they are looking for without having to rebuild your entire security program unnecessarily.

Risk Assessment and Scoping
If you have any leeway whatsoever before the questionnaire must be submitted, we highly recommend performing a risk assessment. When you perform a risk assessment prior to a questionnaire, you are setting the scope and area of risk as it pertains to your customers. While a questionnaire can touch on companywide policies and security practices, the area of “focus” or scope should be limited to the business units that can affect the customer’s data. But if you do not have a clear understanding of the risks associated with separate business processes, you may under- or over-state your compliance. Doing a risk assessment prior to a questionnaire, or even after you receive one, allows you to set the scope for various business processes. This also puts you in a defensible position for answering N/A to certain questions, if you have properly scoped your environment and assessed your risks.

Segmentation
Segmenting systems containing sensitive customer information from the rest of your networks helps you devote resources to securing the areas with which your customers will be concerned. Again, the scope of the questionnaire likely covers only those areas of your organization that handle the customer’s sensitive data. If you can prove that customer data is limited to certain areas in your network that are secured with various controls, it is easier to comply with the questionnaire. Effective segmentation can limit the scope and increase security maturity in an abbreviated timeframe, versus having to implement security across your entire company[4]. While segmentation involves some technical changes, it involves business process reengineering to an even greater degree. Since you are changing the way a business unit functions, this is not as easy as implementing a firewall or other technical security components.

To exemplify how segmentation affects security questionnaires, take these examples:
• Those in the manufacturing industry may receive CUI. The systems that access CUI should be segmented. By segmenting, you are limiting the scope of the audit, thus reducing the questions or controls to a subset of your environment.
• If you have a call center and hold sensitive customer data, limit the ability of everyone in the company to access customer records, databases, or portals. It is easier to protect important data if access is restricted.

[4] Of course we recommend having a strong security program across your entire organization. But we also recognize that you may have a limited timeframe for complying with the questionnaire and need to dedicate resources to securing the areas that will have the biggest impact on your business.
Remediation Plan
If you haven’t performed a risk assessment and do not have time to complete one within the timeframe provided by the customer, the next best step is to develop a plan that allows you to make improvements to security while keeping your customer engaged on the progress. Rarely will customers pull contracts because a vendor is not at the level of security maturity they expected, as long as the vendor has a plan to continually improve its security posture. Communication is key here. Be sure to keep your customer in the loop on how you plan to implement improvements.
WHEN SHOULD I ENGAGE A RISK MANAGER FOR ASSISTANCE?

TPVM follows the same process for every company regardless of size or complexity. However, responding to questionnaires can vary greatly. The security questionnaires have various terms and underlying assumptions with which the vendor may not be familiar. For example, one of SecureState’s clients received a questionnaire that referred to NIST, ISO and PCI. These are generally understood security acronyms, but to the client, they were foreign. We commonly hear questions such as, “Do I need to follow NIST?”, or “Should I be ISO certified?”, or “We don’t take Credit Cards, do we need to be PCI compliant?”. Without understanding the context or meaning of the questions, the vendor may misrepresent its security or commit to making improvements that may not be necessary.

In these cases, it is best to consult an expert for assistance in understanding and/or completing the questionnaire. Just as you might engage a lawyer for their expertise in understanding the legal process and contract verbiage, engaging a cybersecurity expert or risk manager, or even consulting a peer in the industry, will allow organizations to understand the requests and contextualize what is expected. An expert can assist you in understanding the questions, focusing your efforts, building a remediation plan if necessary, and providing a strategy for answering the questions. Generally, these questionnaires are one size fits all; rarely do customers take the time to develop specific question sets for individual vendors. Therefore, your customer may be asking you questions that simply do not apply to your environment. This can complicate the way a vendor decides to respond. Additionally, keep in mind that not all questions are created equal. Often, there are questions that the customer will require vendors to comply with, and there will be questions that the customer will simply prefer the vendor comply with. An expert can help you sort through those questions by facilitating communication with the customer. That way, you can focus your efforts on the issues that will have the biggest impact on your relationship with the client.
CAN’T I JUST FILL OUT ONE SECURITY QUESTIONNAIRE AND USE IT FOR OTHER CUSTOMER REQUESTS?

You would think so, but unfortunately the answer is usually no. For the past decade, organizations have tried to streamline their TPVM program by looking for ways to reduce their overhead in managing the program and reduce the burden on their vendors. However, various constraints still complicate the process for both vendors and customers. Below are the primary reasons why you cannot use one security questionnaire to respond to multiple customer requests:

• Customization: While vendors can try to create one master security questionnaire (one to many[5]) and submit that questionnaire to all customers, this will not always be accepted. Organizations like to customize question sets based on their own security practices. Thus, the questionnaires will reflect the customer’s preferences, creating a one to one[6] mapping for customers to vendors. The questionnaires you receive from your customers will likely be very different, and customers may not accept your master security question set.

• Streamlining: Customers are still using manual ways to evaluate the questionnaire, which causes issues for vendors, since the process in many instances is archaic. While some organizations have streamlined the TPVM process, others lack the resources to do so. Many organizations are still using Excel spreadsheets, or basic web based portals, to facilitate the security questionnaire process, with little to no workflows built in. Most communication is still handled via email. Customers may not accept a one to many questionnaire if it complicates their TPVM process.

The above constraints mean more time and effort answering these questionnaires, which often leads to frustration and stress, since almost always these questionnaires have a time limit for a reply. The good news is that there are ways to circumvent these constraints, as we discuss later.

CAN CERTIFICATION/COMPLIANCE WITH A FRAMEWORK (LIKE NIST) BE USED IN LIEU OF ANSWERING ALL OF THESE QUESTIONNAIRES?

The correct answer is, it depends. The graphic below illustrates many of the variables that go into the decision of whether you should answer each questionnaire individually or use a framework that can be used to respond to multiple requests.

[5] A vendor can fill out one questionnaire and use this for multiple customer requests.
[6] An organization (your customer) sends you a security questionnaire and you respond directly to that questionnaire.
SIMPLE GUIDE ON RESPONDING TO THIRD PARTY SECURITY QUESTIONNAIRES

The following is recovered from the decision graphic, which walks through three steps; the data type and regulation pairs are listed as they are laid out in the graphic.

1. START WITH DATA TYPE
If you already comply with one of these regulations, they can be used as proof of security practices.
• PII: FTC
• FINANCIAL: GLBA
• PHI: HITRUST CSF
• PIN: TR-39
• CHD: PCI-DSS
• FEDERAL: FISMA

2. REDUCE SCOPE
Scope to reduce impact and focus on relevant data that impacts the customer (ALL DATA → RELEVANT DATA).

3. HOW MANY QUESTIONNAIRES ARE YOU RECEIVING?

A. LESS THAN 6 PER YEAR: RESPONDING TO EACH QUESTIONNAIRE THROUGH EXCEL
• 1 questionnaire to 1 client with high acceptance
• Satisfies 100% of questions with a tailored response
• Yes or No response to controls
• Customer determines scope
• High chance for onsite validation
• Ad-hoc one off requests
• If data is hosted, SOC2 may suffice
Outside of the questionnaire response, must perform: Risk Assessment, Vulnerability Scans, Penetration Test, Ad-hoc Requested Services.

B. LESS THAN 18 PER YEAR: USING A VALIDATED SELF ASSESSMENT WITH ATTESTATION
• 1 response to multiple requests with medium acceptance
• Satisfies nearly 75% of questions
• Risk based controls
• You can determine scope
• Medium chance for onsite validation
• Attestation needed outside of audit year
• Can use frameworks such as Shared Assessment AUP or NIST
Outside of the self assessment, must perform: Risk Assessment, Vulnerability Scans, Penetration Test.

C. MORE THAN 18 PER YEAR: ACHIEVING FORMAL ISO CERTIFICATION TO REPLY TO REQUESTS
• 1 response to multiple requests with high acceptance
• Satisfies nearly 100% of questions
• Control based with risks
• You can determine scope
• Low chance for onsite validation
• 3 year audit cycle with annual surveillance audits
• Industry recognized and provides competitive advantage
Outside of ISO certification, must perform: Program Testing (Plan, Do, Check, Act).
WHAT IS THE BEST STRATEGY, BASED ON MY RESOURCES, RISK, AND BUSINESS GOALS?

Because of the growing prevalence of these questionnaires, it is essential to develop an organizational strategy for dealing with them, whether that involves handling them on a case by case basis or automating the process. To do so, you need to look at your overall security strategy by considering the following questions:
1) What type of access do you have to your customers’ data? Do you really know the sensitivity and amount of customer data you access?
2) Can you reduce/eliminate access to that data? As discussed above, can you transfer or segment your environment to reduce scope?
3) What is the value of customer business to your organization? Is it 10% of your total revenue/profit?
4) What is the return on investment (ROI) for particular customers? Is it worth it to make a substantial investment in updating security controls to comply with customer needs, if the customer represents only a small portion of your profit?
   a. Keep in mind: if you have multiple customers, you will receive multiple security questionnaires. You should aggregate the revenue/profit when determining if it makes sense to invest dollars into the maturity of your security program. ROI = (Gains – Cost)/Cost.
5) Are there any future business or marketing advantages to pursuing a certain strategy?
   a. Security is a key element in contracts and can be a competitive advantage when pursuing new opportunities. If you invest money into your security program, can that be used to simultaneously assist in responding to questionnaires as well as to market to new customers? What are your competitors currently doing?
6) Are you looking to move into a new industry? If so, will this impact the number of questionnaires you may receive, the standards to which you may have to comply, or the cost of security?
   a. Be sure you understand the costs if you are moving into a new industry. For example, doing work with the Federal government has many advantages, but the cost of security is significant. Plan for these costs upfront prior to entering into a new business venture, and adjust your questionnaire strategy accordingly.

Once you have discussed the business impact of various strategies, this should give you better direction on your organization’s commitment to security. If you do not have a dedicated security resource, and haven’t done much with your security program, the upfront costs for establishing a security program can be significant. Plus, maintaining the program will continue into perpetuity. Clearly, there are sunk costs and recurring ongoing costs to an effective security program. Once you have established your organization’s commitment to security overall, this will help you determine the most cost effective means of responding to these questionnaires.
49513
496Provide only the minimal information the question asks for- don’t get overzealous.
497If a question asks whether you have a policy, respond Yes and attach what you have. You
498may have additional evidence to prove effectiveness and implementation of the policy,
499but if the customer does not ask for it, don’t provide it. Put the onus back on the
500customer to analyze your responses and request more information. It is a general auditing
501rule that the more information you provide, the more chances you give the auditor to find
502errors.
503Be self-aware of both your strengths and your limitations in your responses. If you don’t
504have something, don’t lie, but don’t over-emphasize your own deficiencies.
505It is important to remember that just as it takes you time to complete the questionnaire, it
506also takes the customer time to review responses.
507Devote your time to addressing the issues the customer will be most concerned with.
508TIPS AND TRICKS
509Security Questionnaires are like audits, but they are filled out by you. This makes them a Self-
510Assessment Questionnaire (SAQ). The term SELF is the key; you are filling this out and providing
511your answers back to be reviewed. 1
512In many instances we have found that the “sales†person or the point of contact (POC) for
513the customer is filling out these requests. These individuals are usually not experts in security
514or compliance. Have a second set of eyes review the questionnaire before it is submitted.
515At the same time, if security personnel are going to fill out the questionnaire, do not use the
516questionnaire as an excuse for budgeting for items that go beyond the scope of the
517questionnaire. For example, if the questionnaire asks whether you perform vulnerability
518scanning, there’s no need to demand your organization perform penetration tests.
519Remind all involved that there is no need to become overly paranoid!
5202 Make sure that the appropriate person fills out the questionnaire.
521The security questionnaire may reveal that you are not adhering to your service level
522agreement (SLA). We have seen numerous examples of this. Since this is a breach of
523contract, it can jeopardize your customer-vendor relationship. It’s best to get a third party
524legal and/or cybersecurity team involved to help you strategize a plan of action.
5253 Review your SLA before responding to the questionnaire.
52614 1
527Don’t panic. As with any audit, there will likely be missed controls or areas of noncompliance.
528The key is to develop an action plan to mitigate the deficient areas. The plan should include
529timeframes and tasks that will be completed.
530Expect your customer to have either monthly or quarterly status calls to discuss your
531progress on your action plan.
5324 At least 90% of the time you will have one or more “No†in your response.
533TIPS AND TRICKS
534Unless you can truly answer Yes to everything, don’t just answer Yes in hopes that it will
535satisfy their request.
536All Yes’s = Onsite audit, follow-up documentation, and additional questions. That’s not
537something you want.
5385 Answering Yes to everything will be a RED flag.
6) Evaluate the maturity of your customer’s TPVM program.
If your customer does not have a formalized TPVM program, they may miss some details, and/or they may not care whether you meet every single requirement they give you.
Signs of an immature TPVM program: if the questionnaire is an Excel document, their TPVM program is not very mature, and each review of their vendors will be time intensive on their part. Knowing this allows you to provide only basic information and leave it to them to follow up with you if additional information is required. If they ask you to upload or send your documentation via email or a “drop box,” request a secure way to communicate. This will either delay the process or signal to your customer that you care about security.
Signs of a mature TPVM program: if they have a secure “drop box” for questionnaires and related documentation, they may have a more mature program. However, don’t make it any easier on them. Instead of neatly organizing and labeling your documents, upload them in one big zip file and let them sort it out. The easier you make it on them, the easier it will be for them to find something wrong in your responses.
Forcing customers to do additional work in sorting through your answers will not jeopardize your relationship with them. The only things that could impact that relationship are completely ignoring the questionnaire, lying on it, or having significant deficiencies you refuse to address.
7) You have done very little in security up to this point, now what? When is the best time to call in a cybersecurity firm to assist?
Anytime you have more No’s than Yes’s, you should contact a cybersecurity firm to assist. If the customer is requesting an onsite audit, call an expert.
If you contract with an outside firm, they should contact the customer directly (without the vendor on the phone) to discuss the acceptable level of risk for that customer-to-vendor relationship. In many instances we have acted in this capacity and have been able to get the customer to focus on a few major items versus the entire questionnaire.
Engaging an outside firm shows commitment to security and signals independence. The outside firm should develop a list of activities that need to be completed, along with a timeframe to complete them. Once again, this outside assistance will make the customer more willing to accept the plan and timeframe.
8) Shouldn’t I just do everything they ask for in the security questionnaire?
Of course you can, but I wouldn’t recommend it. You will spend valuable time and money complying with what may be unimportant aspects of the questionnaire. Focus on remediating what is most significant to the customer and what provides the most ROI for your own security program.
Customers generally request more than what they pursue themselves. For example, one of our clients had a customer that requested them to be ISO 27001 certified. The client contacted us to discuss the cost and process to get the certification. We contacted the customer, and after speaking with them, we determined that they themselves were not ISO 27001 certified.
Do not allow the customers to dictate your security program. Your program should be proactive, not reactive.
9) What should I focus on when preparing for a questionnaire?
Perform a risk assessment. Understanding your risks, and ultimately the controls you have in place, will prepare you to respond to security questions. BONUS: every security questionnaire will require at least an annual risk assessment.
Understanding your risks will allow you to respond to the questionnaire with a risk-based analysis. For instance, if you believe a question relates to an issue that is low risk to the organization, you can respond accordingly.
According to SecureState’s annual 2016 attack vector report (available in late October 2016), the most common way SecureState ethically breaks into a company is through phishing attacks. Ensure that your organization has an awareness program and that you conduct phishing campaigns.
Good first step: at a minimum, the following assessments/programs are almost always included in a questionnaire. If you know you are receiving a questionnaire in the coming months, begin implementing these items:
External Penetration Test and/or Vulnerability Scans
Phishing Tests
Annual Risk Assessment
Incident Response Plan
Policy and Procedures
10) Will my customer pay for third party assessments? Should I pay for my vendors to be secure?
This depends on your SLA or contracts with your customer. Read these first before responding to a questionnaire.
There is a cost of doing business with organizations, especially if you have access to sensitive data. Generally, organizations will not pay for the security assessments or mitigation needed to become compliant with their questionnaire. Onsite audits, however, are paid for by the customer, but these generally occur in relation to a high impact and high risk as determined by the answers on the questionnaire.
11) The other side of the coin: If I need to create a TPVM program, should I do this in-house?
There are two sides to the coin: either you are responding to a questionnaire or you are sending out a questionnaire to get a response. Each consumes resources.
It depends on the number of questionnaires or vendors you are assessing. A quick ROI calculation:
Avg Fully Burdened Security Salary = $100,000
Avg Time Per Vendor (AvgTime) = 12 hrs
# Vendors = 36
Workable Year Hours (YearHrs) = 1,720
Salary / YearHrs = $58.14 per hour
AvgTime x # Vendors x $58.14 = $25,116
If you only have one vendor, the cost to fill out or review a questionnaire is roughly $697. If you have more than 16 vendors or questionnaires, you should invest in a solution, as noted in the diagram on the next page.
23340 MILES ROAD
CLEVELAND, OH 44128
WWW.SECURESTATE.COM