6 Best Practices for Third Party Risk Assessment Questionnaires & Evidence Collection
Assessing a third party's security risk, which means sending a risk assessment questionnaire and collecting the evidence that backs up the answers, is not easy. An already complicated process gets muddled with day-to-day chores: getting your third parties to reply accurately and on time, and keeping track of every request you have sent out.
Because the process is complicated, your organization should establish processes and guidelines for how data is gathered, how answers are reviewed and how open issues are remediated. In addition to putting these processes and guidelines in place, selecting a questionnaire and evidence-collection technology solution can help streamline the work. Such a tool can simplify data collection, including organizing evidence attachments, in-context reviews and follow-ups. Without a clear process and a good tool to support your questionnaire and evidence collection, it is easy to become buried in email threads and to end up consulting multiple places where data is being collected, analyzed and remediated.
To assist you in this process, we’ve put together 6 best practices for conducting your third party risk assessment questionnaires and evidence collection.
1. Understand your third parties’ environment
The best place to start is by researching the common problems and typical security breaches in the industry and service category of the vendor you are analyzing, so that you know which areas to probe when you evaluate that third party.
One way to gain this insight on a continuous basis is an automated security monitoring tool. Such tools not only help you communicate with your vendors about specific, observable risks, they also keep an eye on risk areas between assessments and help you define your key risk indicators.
2. Find the best assessment questionnaire
After researching your vendor landscape and your organization's needs, decide whether you will use a standard assessment questionnaire aligned to a regulation or framework (such as PCI DSS, HIPAA, GDPR, ISO or NIST) or a custom questionnaire.
Standard assessment questionnaires are curated to fit regulations or specific industry trends and to assess different areas of privacy or security risk, so they are a good starting point. However, the need for specific answers and more control often results in custom questionnaires. Custom questionnaires are tricky because they force vendors to answer both standard and custom questions, which creates more work: third parties may not be able to reuse answers they have already prepared.
Whichever questionnaire you use, be aware that your third-party vendor has probably filled out compliance questionnaires before. Allow vendors to reuse those answers by using tools that let them map answers from one questionnaire to another.
3. Monitor and review questionnaires to keep vendors on track
It is easy to get lost in the back and forth, and a questionnaire assessment is often quietly buried when no progress is being made. Continuously monitor and review the progress vendors are making on questionnaires so you can spot roadblocks and see where you can help them answer efficiently. Allow third parties to reach out if they have concerns about your questions or the evidence you require, and document those exchanges as part of the assessment record.
In addition to creating a healthy check-in process, we also recommend you set a clear deadline for an assessment to be completed by. This way both you and the vendor can work towards a common goal.
4. Use technology to streamline the process
Risk assessment questionnaires are not new. You have probably been sending most questionnaires by email and tracking answers in Excel spreadsheets. Technology can give your process a boost and help you track answers and remediation items. The right tool can give your third-party vendors:
- A way to provide answers, evidence and any questions they may have in an easy to collaborate environment.
- A way to delegate answers within their organizations, so you get the correct expert answers for each relevant area.
- A quick way to remediate and discuss issues, where you can review evidence in the context of each question’s answers, making the process a lot more efficient.
The easier the tool is to navigate, the more time you can spend working to reduce risks with vendors and not be focused on the nitty gritty of data collection.
5. Verify and validate data
After the answers have been collected, the next step is to verify and validate the data. Internal validation (reviewing the answers and the attached evidence for completeness and consistency) is important, but external validation is also crucial: a questionnaire is a self-attestation, so answers should be corroborated against something the vendor did not write. One practical source of external validation is an automated monitoring tool, which can quickly surface problem areas and give you concrete findings to bring into difficult remediation discussions. Keep track of questions that are high risk or controversial: have a mechanism to tag or flag questions that need more in-depth discussion or internal review.
6. Provide questionnaire and assessment feedback
Finally, as you get ready to close an assessment, it is important to control what the third-party vendor ultimately submits. That means being able to easily send back a questionnaire that does not meet your requirements, or to close out the process and approve the assessment. At the end of every assessment, produce a report on the findings and the open issues awaiting remediation, and share it with your team.
Risk assessments can quickly become overwhelming when done under pressure or at scale. The better your process and organization, the easier it is to complete those assessments quickly and painlessly. The 6 tips above are geared towards streamlining the process and letting you focus on the details that matter.
New tools have also emerged that can help make this entire process easier and make sure the time spent coordinating and executing risk assessments goes towards analyzing and remediating any issues instead.
Tools like SecurityScorecard's Atlas have been designed with that in mind. Atlas gives vendor risk managers (VRMs) and vendors an easy-to-use platform for secure information sharing and question answering, removing the friction from a time-consuming process.