A Vendor Risk Management Questionnaire Template

By Michelle Wu

Posted on May 4, 2020

Vendor risk management becomes more important every year. Enterprise IT increasingly runs on a complex, interconnected set of cloud-based storage and application services. The speed and scale the cloud offers reduce operational overhead, but every new service also hands your data, and your compliance obligations, to another party. As companies add vendors to their IT ecosystem, they need to verify that those vendors' security controls exist and work. Most organizations take a three-pronged approach to security: people, process, and technology. After identifying risks, they put technology and processes in place to help people protect data. Knowing is only half the battle; knowing the right questions to ask is the other half, which is why we're offering this vendor risk management questionnaire template.

Identify the risks

The first step to creating an actionable questionnaire is identifying the risks so that you can analyze them. In many ways, this identification process mirrors the one you do for your own organization. At the core, you want to ensure that your vendors apply the right controls to the nonpublic personally identifiable information (PII) that you share with them. Each table below lists a category, the question to ask, a Yes/No/Other answer column, and a comments column where the vendor supplies supporting detail.

Risk Type | Question | Yes/No/Other | Comment
Data | Do you collect, store, or transmit personally identifiable information (PII)? | |
Data | Do you limit your PII collection and storage? | |
Location | Do you store PII in an on-premises location? | |
Location | Do you store PII in a cloud location? | |
Location | What geographic locations do you use when storing PII? | |
People | How do you provide users access to PII? | |
People | Can users access PII remotely? | |
Devices | What types of devices do your users collect, store, or transmit PII from? | |
Devices | Do you monitor all devices connected to your systems, software, and networks? | |
Compliance | Do you need to comply with any governmental regulations? (List regulations in comments) | |
Compliance | Do you hold any industry standards certifications? (List certifications in comments) | |

Identify key technical controls

Your organization determines its own risk tolerance. In other words, your organization knows which risks it is willing to accept, reject, transfer, or mitigate. As part of creating a vendor risk management questionnaire, you need to confirm that your third-party business partners operate with a risk tolerance that aligns with yours, and the technical controls they have in place are the most direct evidence of that.

Control Type | Question | Yes/No/Other | Comment
Network Security | Do you use a firewall? | |
Network Security | Do you use a VPN for remote and site-to-site access? | |
Network Security | Do you encrypt data at rest and in transit? (Describe algorithms and key lengths in comments) | |
Network Security | Do you protect data exchanges with TLS, and administrative access with SSH, using managed certificates and keys? | |
Endpoint Security | Do you install antimalware, including antiransomware protection, on all devices? | |
DNS | Do you protect your DNS infrastructure against DDoS attacks and monitor for them? | |
DNS | Do you protect against spoofing of your email domains (for example with SPF, DKIM, and DMARC records)? | |
Patching Cadence | Do you install security patches for systems, networks, and software? (Explain timelines in comments) | |
Patching Cadence | Do you retire "end of life" products? (Explain process in comments) | |
IP Reputation | Do you monitor your public IP address space for malware activity or listing on reputation blocklists? | |
Application Security | Do you protect web applications against SQL injection and cross-site scripting attacks? (Explain further in comments) | |
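A "Yes" to the email-spoofing question is one of the few answers in this table you can check yourself, because the controls behind it (SPF and DMARC) are published in public DNS. The script below is an added example written for this page, not code from the original post or from SecurityScorecard. It parses an SPF record and a DMARC record, flags the weak settings that make a "Yes" hollow (a softfail or permissive `all` term, too many DNS lookups, a `p=none` policy, partial `pct`, no reporting address), and only reports the domain as protected when both records enforce. The sample records and the `vendor.example` domain are constructed; DKIM is not checked because it needs the sender's selector name, which you would ask for in the comments column.

```python
"""Assess a vendor's email anti-spoofing controls from its SPF and DMARC records.

Added example: sample records are constructed and embedded so this runs offline.
In practice you would fetch the TXT records for <domain> and _dmarc.<domain>.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 caps a single evaluation at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class SpoofingAssessment:
    spf_present: bool = False
    spf_all_qualifier: Optional[str] = None  # "-", "~", "?", "+" or None if absent
    spf_lookup_count: int = 0
    dmarc_present: bool = False
    dmarc_policy: Optional[str] = None       # "none", "quarantine" or "reject"
    dmarc_reporting: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        """True only for hard-fail SPF plus an enforcing DMARC policy."""
        return (self.spf_all_qualifier == "-"
                and self.spf_lookup_count <= 10
                and self.dmarc_policy in ("quarantine", "reject"))


def parse_spf(record: str, result: SpoofingAssessment) -> None:
    """Walk the SPF terms, recording the 'all' qualifier and the DNS lookup cost."""
    if not record.lower().startswith("v=spf1"):
        result.findings.append("no valid SPF record (missing v=spf1)")
        return
    result.spf_present = True
    for term in record.split()[1:]:
        qualifier = "+"                       # SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism names end at ':' or '/', modifiers (redirect=, exp=) at '='
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            result.spf_lookup_count += 1
        if name == "all":
            result.spf_all_qualifier = qualifier
    q = result.spf_all_qualifier
    if q is None:
        result.findings.append("SPF has no 'all' term, so unlisted senders get a neutral result")
    elif q in ("+", "?"):
        result.findings.append(f"SPF ends in '{q}all', which never fails a forged sender")
    elif q == "~":
        result.findings.append("SPF uses '~all' (softfail) instead of '-all' (fail)")
    if result.spf_lookup_count > 10:
        result.findings.append(
            f"SPF needs {result.spf_lookup_count} DNS lookups; receivers stop at 10 (permerror)")


def parse_dmarc(record: str, result: SpoofingAssessment) -> None:
    """Read the DMARC tag=value pairs and judge whether the policy actually enforces."""
    if not record.lower().startswith("v=dmarc1"):
        result.findings.append("no valid DMARC record at _dmarc.<domain>")
        return
    result.dmarc_present = True
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    result.dmarc_policy = tags.get("p", "").lower() or None
    result.dmarc_reporting = "rua" in tags
    if result.dmarc_policy == "none":
        result.findings.append("DMARC is p=none (monitor only); spoofed mail is still delivered")
    elif result.dmarc_policy not in ("quarantine", "reject"):
        result.findings.append("DMARC record lacks a valid p= policy tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        result.findings.append(f"DMARC policy applies to only pct={pct} of mail")
    if not result.dmarc_reporting:
        result.findings.append("no rua= address, so the vendor receives no spoofing reports")


def assess(spf_record: str, dmarc_record: str) -> SpoofingAssessment:
    result = SpoofingAssessment()
    parse_spf(spf_record, result)
    parse_dmarc(dmarc_record, result)
    return result


# Constructed sample records for a fictional vendor.example domain.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@vendor.example"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        a = assess(spf, dmarc)
        print(f"{label}: protected={a.protected}")
        for finding in a.findings:
            print("  -", finding)
```

The weak pair is the common real-world state: SPF present but softfailing, DMARC published in monitor-only mode. Both would let a vendor truthfully tick "Yes", so record the findings in the comments column and ask for a remediation date rather than accepting the checkbox.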

Identify key process controls

A mature organization establishes both written policies and the operational processes that put them into practice for maintaining a secure IT environment.

Control Type | Question | Yes/No/Other | Comment
Monitoring | Do you continuously monitor your controls to detect and prevent cyber attacks? (Describe in comments) | |
Vendor Risk Management | Do you have a vendor risk management program? | |
Vendor Risk Management | Do your contracts and service level agreements include cybersecurity clauses for your own vendors? (List relevant clauses in comments) | |
Vendor Risk Management | Do you monitor your vendors' cybersecurity? (Explain process in comments) | |
Incident Response | Do you have an incident response team? | |
Incident Response | Have you tested your incident response processes? (Describe the most recent exercise in comments) | |
Business Continuity | Do you have a business continuity plan? (Explain further in comments) | |
Business Continuity | Does your business continuity plan cover DDoS and other cyber attacks? | |
Remediation | Do you have a process to remediate newly identified risks? (Explain further in comments) | |
Audit | Have you had an IT audit in the last 12 months? (List any findings and their status in comments) | |
Penetration Testing | Have you had a penetration test in the last 12 months? (List any findings and their status in comments) | |

Identify key “people” controls

Control Type | Question | Yes/No/Other | Comment
Password | Do you have a password policy? (List password requirements in comments) | |
Authentication | Do you require multi-factor authentication, including for remote and privileged access? | |
Access | Do you limit access according to the principle of least privilege? | |
Training | Do you require workforce members to complete phishing-awareness training annually? (Provide documentation of completion) | |
Training | Do you require annual workforce security training? (Provide documentation of completion) | |

SecurityScorecard for vendor risk management (VRM)

Requesting information from vendors through questionnaires is the first step toward a mature vendor risk management program. Our security ratings platform enables organizations to continuously monitor their vendor ecosystem across ten risk factors, including IP reputation, network security, DNS health, web application security, endpoint security, hacker chatter, leaked credentials, and patching cadence.

In addition, SecurityScorecard's Atlas makes the questionnaire management process easier and more efficient. Atlas aligns questionnaire responses with SecurityScorecard Ratings, providing a 360° view of cybersecurity risk and automatic validation of responses, so companies can objectively pinpoint risk rather than rely on a vendor's self-reported answers alone.
