A third-party questionnaire is a list of questions that vendors complete to help organizations understand their vendors’ security posture, vulnerabilities, and compliance with industry standards (such as SOC 2 and ISO 27001). However, if this questionnaire is completed incorrectly, organizations can be exposed to third-party risks they are not aware of. Here we cover the ins and outs of third-party security assessments to help vendors understand how to complete them and the reasons behind them.
Why did you receive a third-party security questionnaire?
You received a third-party security questionnaire because another organization is considering doing business with you. This questionnaire is part of that organization’s due diligence. Before engaging with your business, they must assess all risks associated with your cybersecurity posture, particularly if you will be handling or have access to their sensitive data.
Why are third-party security assessments important?
These assessments are part of an organization’s third-party risk management (TPRM) strategy. The cyber threat landscape is increasingly sprawling and includes not only an organization’s own distributed networks but its vendors’ networks as well. Any time an organization uses a third party or vendor for software services, or for anything that involves sharing information over a network, it needs to ensure that the information will be safe.
If a third-party vendor experiences a security breach, the impact is not limited to the services the vendor provides: it can lead to legal and regulatory action, including hefty fines, for the businesses using those services. In other words, companies can be liable for damages and compromised personally identifiable information (PII) even when the breach happens on the vendor’s side.
Because working with third parties can mean sharing information, using services, and generally intertwining technological and data assets, businesses must do their due diligence when choosing vendors. Hence, third-party security assessments are vital if an organization wants to minimize risk.
It’s worth noting that these assessments can also benefit vendors. They provide an opportunity to prove value to potential clients, and a chance to conduct an internal security assessment that can bring potential problems to light so they can be mitigated before any damage is done.
What is typically covered in a third-party security assessment?
In general, the questions will span four primary domains:
Risk identification
Technical controls
Process controls
User training and access
The exact content of a security assessment questionnaire varies, but common questions may include the following:
Do you collect, store, or transmit personally identifiable information (PII)?
Where do you store PII, and on what type of devices?
Who can access PII, and via what methods can it be accessed?
How do you monitor devices connected to systems, software, and networks?
What industry standards do you adhere to, and what certifications do you have?
What form of network security do you use? Do you use a firewall or VPN?
What is the state of your endpoint security, and do you install antimalware on all devices?
What is your patching cadence, and do you retire end-of-life products?
Do you continuously monitor your controls to prevent cyber attacks?
What is your incident response plan, and who oversees it?
What is your process for remediating new risks?
How frequently do you conduct audits or penetration tests? What were the findings of your most recent test?
Do you require multi-factor authentication and use the principle of least privilege?
What type of cyber awareness training do you provide your employees?
The assessment is often centered on an industry-standard framework. For example, the Center for Internet Security (CIS) maintains a list of 18 critical security controls, so the questionnaire you receive may ask how your organization handles each of them. The Cloud Security Alliance (CSA) also offers a Consensus Assessment Initiative Questionnaire (CAIQ) that allows the assessment of vendor security controls. Other organizations, including the National Institute of Standards and Technology (NIST), also offer assessment frameworks.
Answering a third-party security assessment and questionnaire
How you answer the questionnaire can determine whether the requesting organization will want to do business with you and can lay the foundation for a relationship built on trust. Therefore, you must answer thoroughly and honestly. It’s also essential to complete the questionnaire in a timely manner. The following sections outline key best practices to remember during the process.
Develop a knowledge base
It’s important to establish a single source of truth for answering such questionnaires. It is unlikely that you will only ever complete a single questionnaire, so find a way to store your answers to questions in a centralized location that can be updated as needed. This way, you will have the information at your fingertips the next time you have to complete an assessment. It also ensures that your answers to different assessments are consistent and not at odds with each other since they will have come from the same source.
Establish a remediation plan
While completing a questionnaire, you may discover gaps in your current security posture. Depending on the size of these gaps, they may or may not cause prospective clients to look elsewhere for services, but either way, it will be in your best interest to remediate them.
Treat the questionnaire as an opportunity for internal assessment and reflection. Once you have identified a list of potential issues, develop a robust plan to prioritize and fix them. Having such a plan in place doesn’t just help when it comes time for the next assessment; the plan itself shows potential clients that you take security seriously.
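As an added illustration of the knowledge-base and remediation-plan advice in the two sections above (this is example code written for this page, not a SecurityScorecard tool and not part of the original article), the following Python script keeps a single canonical answer library, answers a differently worded questionnaire from it, and turns whatever the library cannot cover, or has not reviewed recently, into a prioritized remediation list. The control ids, tags, answers, owners, evidence names and review dates are constructed sample data, and the 365-day re-review window is an assumption.

```python
"""Canonical answer library for vendor security questionnaires.

Added example (not from the original article): one way to keep a single
source of truth for questionnaire answers and to derive a remediation list
from it. Control identifiers, tags, dates and answers below are constructed
sample data, not a real organization's responses.
"""
from datetime import date, timedelta

# The library: one entry per control, keyed by a canonical id. Each entry
# records the answer text, who owns it, the evidence that backs it and when
# it was last reviewed, so every questionnaire draws on the same record.
ANSWER_LIBRARY = {
    "mfa": {
        "tags": {"mfa", "multi-factor", "two-factor"},
        "answer": "MFA is enforced for all staff and privileged accounts.",
        "owner": "IT Security",
        "evidence": "IdP policy export",
        "last_reviewed": "2024-01-15",
    },
    "patching": {
        "tags": {"patch", "patching", "end-of-life"},
        "answer": "Critical patches within 14 days; EOL products retired.",
        "owner": "Platform Engineering",
        "evidence": "Patch SLA report",
        "last_reviewed": "2022-06-01",  # constructed: deliberately stale
    },
    "incident-response": {
        "tags": {"incident response", "incident"},
        "answer": "Documented IR plan, owned by the CISO, tested annually.",
        "owner": "CISO",
        "evidence": "IR plan v3, tabletop report",
        "last_reviewed": "2024-03-02",
    },
}

# Assumption for this example: an answer not re-reviewed within a year is stale.
MAX_AGE = timedelta(days=365)


def match_control(question, library=ANSWER_LIBRARY):
    """Return the canonical control id whose tags appear in the question, or None."""
    q = question.lower()
    for control_id, entry in library.items():
        if any(tag in q for tag in entry["tags"]):
            return control_id
    return None


def build_response(questions, today, library=ANSWER_LIBRARY):
    """Answer a questionnaire from the library.

    `today` is an ISO date string (e.g. "2024-06-01"). Returns a dict with:
      answers - question -> answer text taken from the library
      gaps    - questions no library entry covers (controls to document and,
                if the control itself is missing, to remediate)
      stale   - control ids whose evidence is older than MAX_AGE
    """
    today = date.fromisoformat(today)
    answers, gaps, stale = {}, [], []
    for question in questions:
        control_id = match_control(question, library)
        if control_id is None:
            gaps.append(question)
            continue
        entry = library[control_id]
        answers[question] = entry["answer"]
        reviewed = date.fromisoformat(entry["last_reviewed"])
        if today - reviewed > MAX_AGE and control_id not in stale:
            stale.append(control_id)
    return {"answers": answers, "gaps": gaps, "stale": stale}


def remediation_plan(response, library=ANSWER_LIBRARY):
    """Turn gaps and stale entries into an ordered list of (priority, item, owner).

    Uncovered questions come first (priority 1) because they may point at a
    missing control; stale evidence is priority 2 and goes to the entry's owner.
    """
    plan = [(1, f"Document or implement control for: {q}", "Unassigned")
            for q in response["gaps"]]
    plan += [(2, f"Re-review evidence for '{cid}' ({library[cid]['evidence']})",
              library[cid]["owner"]) for cid in response["stale"]]
    return sorted(plan)


if __name__ == "__main__":
    # Constructed sample questionnaire, worded differently from the library
    # tags, to show that different questionnaires map to the same answers.
    questionnaire = [
        "Do you require multi-factor authentication for all users?",
        "What is your patching cadence, and do you retire end-of-life products?",
        "Do you encrypt PII at rest and in transit?",
    ]
    result = build_response(questionnaire, today="2024-06-01")
    for q, a in result["answers"].items():
        print(f"Q: {q}\nA: {a}\n")
    for item in remediation_plan(result):
        print("TODO", item)
```

In practice the library would live in version control (JSON or YAML with the same fields) so that edits to an answer are reviewed by the control owner and every questionnaire, whichever framework it follows, is rendered from the same reviewed record; the gaps list is the raw material for the remediation plan described above.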
Provide relevant and accurate answers
While fear of losing a potential client may make you inclined to adjust your answers creatively or avoid certain topics, this is not the best way to establish trust moving forward. If there are existing problems, be upfront about them, and include your remediation plans. This shows other organizations that you are honest and trustworthy.
If, instead, you give ambiguous replies, it will look like you have something to hide. And if it later turns out that a breach was caused by something you should have disclosed in the questionnaire but didn’t, there could be serious repercussions.
Obtain and provide certifications
Obtaining certifications for some of the most commonly used security frameworks, such as NIST or ISO 27001, is a way to quickly demonstrate a robust security posture. Though the process can be arduous, the outcome is well worth it. Having certifications shows prospective clients that you are aligned with international standards. Many will accept, or even prefer, a certification to having you answer a questionnaire.
Simplify third-party security questionnaires with SecurityScorecard
Whether you are on the sending or receiving side of a third-party security assessment, it helps to bring the right technology on board to streamline the process. With SecurityScorecard’s Third-Party Security Assessments, you can automatically send and validate vendor assessments, shortening the process by as much as 83%. Our software simplifies responses for vendors by using automation that suggests answers based on previously submitted information and operates as a single source of truth. Security assessments can also be used in tandem with SecurityScorecard’s Security Ratings, which grade your vendor’s security performance by identifying how well they protect information. From there, the data from the security rating can be used to validate the responses of your vendors, ensuring your business has a complete scope of the threats associated with any vendor you work with. Our assessments also support communication between vendors and risk managers with automated reminders and chat capabilities. To learn more, request a free demo today.