Organizations rely heavily on vendors and third-party service providers to fulfill critical business functions. While these partnerships are beneficial, they also introduce a level of risk that organizations must manage effectively. One of the most common ways to understand this risk is through vendor risk assessment questionnaires, which provide a standardized method for evaluating a vendor’s security practices and controls.
However, these questionnaires can sometimes yield conflicting results compared to security data, leaving organizations needing help with how to proceed. In this article, we will explore the value of vendor risk assessment questionnaires and guide what to do when responses disagree with security data.
How to approach security questionnaires
Questionnaires are a critical part of evaluating vendors. Before you get started, you’ll need to know your internal business point of contact and the external person you’ll need to work with. This will help define the scope of the vendor’s services, data access, and potential business impact. It will also help determine the level of detail required to evaluate security, regulatory, privacy, and compliance areas.
Sometimes, you won’t need to send a questionnaire at all. Typically, if an organization has a recent SOC-2 type 2 for review, that can bypass the need to submit a questionnaire, depending on your business relationship and vendor risk policy.
Set expectations with the vendor by providing instructions and deadlines. Once they answer the questionnaire, you need to review, analyze, and identify potential areas of concern to follow up on. Catalog the findings and inform your organization of the risks that the vendor may bring to your business.
Depending on how vital a vendor is to your organization, you may wish to set up a cadence of regular reviews to support that business relationship and maintain an acceptable amount of risk. All of this should be collaborative, with both parties able to identify security concerns and continuously improve security practices.
Automate questionnaire and evidence exchange with SecurityScorecard Assessments
SecurityScorecard Assessments is the leading cybersecurity questionnaire exchange and validation solution built for modern risk management. It accelerates the cybersecurity questionnaire exchange process by empowering organizations to send, complete, and automatically validate questionnaires at scale.
Here are just some of the benefits of SecurityScorecard Assessments:
Staying compliant is easy with SecurityScorecard’s secure platform. Maintain an immutable historical record of all interactions, questions, and answers from vendors, keeping you audit ready.
Create and send questionnaires in seconds
Choose from over 20 industry standard questionnaires, such as ISO, SIG, and NIST, or create your own questionnaires with custom Ratings data mappings to assess vendors. Schedule the distribution of future questionnaires to operationalize vendor assessments.
Know the status of every questionnaire
Set deadlines and track the status of outgoing questionnaires in one dashboard, giving you a single source of truth. Switch between list or kanban views, leverage tags for better organization, sort and filter by due dates, and see the turnaround time of your questionnaires. Stop sending follow-up emails with our automatic reminders.
Cut the questionnaire cycle in half
Review answers in minutes with transparency at every step. SecurityScorecard’s intuitive dashboard keeps you in control with the ability to mark questions as pending, flagged, or done. Add comments to streamline collaboration with stakeholders. Review and validate responses more efficiently with an automatically calculated validation score for every questionnaire, allowing your team to be more strategic.
What to do when questionnaire answers disagree with SecurityScorecard’s data
Since SecurityScorecard specializes in highlighting potential risks we see from the outside, sometimes there is a disagreement between the answers you get and the security data you have via the platform. That’s okay!
The next step in this situation is to communicate with the vendor about the finding. For free, vendors can use the platform to resolve a finding and have us remove it from the Scorecard to erase its score impact. Here are some typical resolutions:
- Remediated the vulnerability or security problem. For example, there was an applied patch to the vulnerable product version.
- There is compensating control in place. For example, a backported patch for the operating system on an asset running a vulnerable software version.
- Misattribution. For example, the domain or IP address in question is no longer that organization’s responsibility due to a business divestiture.
Note: Remind your vendor to provide details and evidence in their resolution request, including attachments if available, to help our Support team with the review process.
How does SecurityScorecard’s approach benefit customers?
When there is disagreement with our data, the SecurityScorecard team will promptly review the resolution request and either approve it or provide additional information and guidance. Our approach is straightforward and effective, saving time and smoothing the process for customers and their vendors.
Click here to calculate the ROI from switching to SecurityScorecard assessments for your vendor evaluation efforts. Spoiler alert: it’s significant.
To learn more about SecurityScorecard Assessments, request a free demo.