Posted on Jul 29, 2020
Engaging in due diligence before contracting with a vendor can be an overwhelming process, particularly as more cybersecurity laws enforce continuous monitoring. What used to consist solely of a point-in-time question and answer survey now requires verification and documentation to prevent a compliance violation or data breach. Although the dos and don’ts of due diligence questionnaires may be changing, the core principles underlying their importance remain consistent.
Often, individual departments adopt applications necessary for their needs, sometimes outside of the IT department’s purview. When creating due diligence questionnaires, organizations need to build a cross-functional team that can identify all vendors. Problematically, organizations struggle to find all the key stakeholders and to prevent information silos from occurring.
Don’t: Assume that you know all of the third parties across the IT ecosystem.
Do: Talk to department heads and make sure they know what applications and vendors they use.
Don’t: Assume department heads know all the applications and vendors their teams use.
Do: Try talking to some additional line of business staff to mitigate risks from shadow IT.
Although many regulations, industry standards, and cybersecurity frameworks include similar compliance requirements, many have their own unique quirks. For example, the Payment Card Industry Data Security Standard (PCI DSS) provides prescriptive controls while the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act takes a risk-based approach, allowing organizations to have flexibility in their controls. Often, organizations need to send multiple questionnaires to the same vendor to meet compliance mandates, creating a time-consuming documentation burden.
Don’t: Assume that a single questionnaire is “one size fits all.”
Do: Clearly understand all compliance requirements and controls necessary to meet mandates.
Don’t: Assume that all areas of the business are subject to the same standards.
Do: Work holistically across the organization to make sure each line of business and department is covered from a compliance standpoint.
Due diligence requires research before sending the questionnaires out. Similar to researching an organization’s credit before a merger or acquisition, cybersecurity due diligence requires doing research to understand the third party’s historic security posture. Although this is a time-intensive process, knowing which answers need additional documentation or review helps establish a proactive approach to vendor risk management.
Don’t: Assume that the vendor will tell you everything on their own.
Do: Use the internet to research past data breaches or security issues in the news.
Don’t: Assume that an organization is “too big to experience a data breach”.
Do: Ask the hard questions about security and be specific about potential concerns.
Third-party due diligence is a collaborative process. IT departments know how to vet the technology, while Chief Information Security Officers (CISOs) know the controls necessary to secure data. Chief Information Officers (CIOs) vet the technologies while department managers understand the functionalities they need to support their departments. With this many cooks in the kitchen, it’s easy to get burned.
Don’t: Allow multiple versions of the same vendor questionnaire to exist on a shared drive.
Do: Set appropriate access controls and versioning so that you always know the most recent responses.
Don’t: Silo information from the cross-functional team involved in managing the due diligence process.
Do: Collaborate with all necessary stakeholders so that everyone understands the security risks involved in contracting with a vendor.
The old cybersecurity adage “trust but verify” holds true more today than ever before. In fact, many organizations turning to a Zero Trust model verify and never trust. Sending questionnaires mapped to the appropriate vendor compliance requirements is only the first step to due diligence. Unfortunately, this makes the questionnaire process even more time-consuming. Organizations sending multiple questionnaires to the same vendor ultimately need to verify more answers and do additional work.
Don’t: Assume that the person responding to the questionnaire knows whether the answers are right.
Do: Request documentation that supports the responses.
Don’t: Assume that the documentation is the most up-to-date or correct version.
Do: Engage in your own research to reduce the risks that incorrect responses and documentation can create.
The problem with cybersecurity questionnaires is that they provide a single point-in-time snapshot into a vendor’s security posture. Unfortunately, malicious actors never stop evolving their threat methodologies. With that in mind, due diligence is no longer a “once and done” process. Organizations need to continuously monitor third-party cybersecurity posture, making due diligence an ongoing process.
Don’t: Wait for an annual vendor review to reassess a vendor’s security posture.
Do: Continuously monitor third-party risk as part of holistic due diligence.
Don’t: Assume a vendor will proactively tell you when they are alerted to a control weakness.
Do: Make sure that all controls adequately protect information even as the threat landscape changes.
SecurityScorecard’s Security Ratings enable a more robust vendor risk management program. Our easy-to-read scores provide visibility across ten risk factors so that organizations can have at-a-glance insight into their own vendor ecosystem risk.
Our Atlas platform leverages Artificial Intelligence (AI) and Machine Learning (ML) to ease the burdens associated with the due diligence questionnaire process. Our platform acts as a single source of documentation for sending, reviewing, and managing questionnaires. We include control mapping across a variety of mission-critical compliance requirements so that you can accelerate all due diligence efforts. Our AI/ML makes it easy to fill out questionnaires by mapping similar questions to one another across frameworks, regulations, and standards, providing an auto-fill option. Finally, as vendors respond to the questionnaire, our Atlas platform compares the answers to the risk information scanned from the public-facing internet to provide real-time validation over the responses.