Posted on May 4, 2020
Vendor risk management becomes more important every year. Increasingly, enterprise IT incorporates a complex, interconnected system of cloud-based storage and application resources. Leveraging the cloud's speed and volume to reduce operational overhead increases compliance risk in equal measure. As companies add more vendors to their IT ecosystem, they need to verify those vendors' security controls. Most organizations take a three-pronged approach to security: after identifying risks, they incorporate technology and processes to help people protect data security. Although "knowing is half the battle," knowing the right questions to ask is the other half, which is why we're offering a vendor risk management questionnaire template to help you.
The first step to creating an actionable questionnaire is identifying risks so that you can analyze them. In many ways, this identification process is similar to the one you do for yourself. At the core, you want to ensure that your vendors are applying the right controls to nonpublic personally identifiable information (PII) to protect the information that you share with them.
| Risk Type | Question | Yes/No/Other | Comment |
|---|---|---|---|
| Data | Do you collect, store, or transmit personally identifiable information (PII)? | | |
| Data | Do you limit your PII collection and storage? | | |
| Location | Do you store PII in an on-premises location? | | |
| Location | Do you store PII in a cloud location? | | |
| Location | What geographic locations do you use when storing PII? | | |
| People | How do you provide users access to PII? | | |
| People | Can users access PII remotely? | | |
| Devices | What types of devices do your users collect, store, or transmit PII from? | | |
| Devices | Do you monitor all devices connected to systems, software, and networks? | | |
| Compliance | Do you need to comply with any governmental regulations? (Please list regulations in comments) | | |
| Compliance | Do you have any industry standards certifications? (Please list certifications in the comments section) | | |
Your organization determines its own risk tolerance. In other words, your organization knows the risks that you are willing to accept, reject, transfer, or mitigate. As part of creating a vendor risk management questionnaire, you need to ensure that your third-party business partners have a risk tolerance that aligns with yours.
| Control Type | Question | Yes/No/Other | Comment |
|---|---|---|---|
| Network Security | Do you use a firewall? | | |
| Network Security | Do you use a VPN? | | |
| Network Security | Do you encrypt data at rest and in transit? (Describe encryption level in comments) | | |
| Network Security | Do you use TLS and SSH certificates to ensure data exchanges are secure? | | |
| Endpoint Security | Do you install antimalware and antiransomware on all devices? | | |
| DNS | Do you monitor for DDoS attacks? | | |
| DNS | Do you protect against spoofing of email servers? | | |
| Patching Cadence | Do you install security patches for systems, networks, and software? (Explain timeline in comments) | | |
| Patching Cadence | Do you retire "end of life" products? (Explain process in comments) | | |
| IP | Do you install antimalware and antivirus on all devices connected to your networks? | | |
| Application Security | Do you secure web applications from SQL injection and cross-site scripting attacks? (Explain further in comments) | | |
A mature organization establishes both written policies and a series of processes for maintaining a secure IT environment.
| Control Type | Question | Yes/No/Other | Comment |
|---|---|---|---|
| Monitoring | Do you continuously monitor your controls to prevent cyber attacks? (Describe in comments) | | |
| Vendor Risk Management | Do you have a vendor risk management program? | | |
| Vendor Risk Management | Do you have clauses in your service level agreements about vendor cyber security? (List relevant clauses in comments) | | |
| Vendor Risk Management | Do you monitor your vendors' cybersecurity? (Explain process in comments) | | |
| Incident Response | Do you have an incident response team? | | |
| Incident Response | Have you tested your incident response processes? | | |
| Business Continuity | Do you have a business continuity plan? (Explain further in comments) | | |
| Business Continuity | Do you incorporate DDoS and other cyber attacks as part of your business continuity plan? | | |
| Remediation | Do you have a process to remediate new risks? (Explain further in comments) | | |
| Audit | Have you had an IT audit in the last 12 months? (List any findings in comments) | | |
| Penetration Testing | Have you had a penetration test in the last 12 months? (List any findings in comments) | | |
| Control Type | Question | Yes/No/Other | Comment |
|---|---|---|---|
| Password | Do you have a password policy? (List password requirements in comments) | | |
| Authentication | Do you require multi-factor authentication? | | |
| Access | Do you limit access according to the principle of least privilege? | | |
| Training | Do you require workforce members to take phishing training annually? (Provide documentation of completion) | | |
| Training | Do you require annual workforce security training? (Provide documentation of completion) | | |
Requesting information from vendors and providing questionnaires acts as the first step to a mature vendor risk management program. Our security ratings platform enables organizations to continuously monitor their vendor ecosystem across ten risk factors, including IP reputation, network security, DNS health, web application security, endpoint security, hacker chatter, leaked credentials, and patching cadence.
In addition, SecurityScorecard's Atlas makes the entire questionnaire management process easier and more efficient. Atlas aligns questionnaire responses with SecurityScorecard Ratings, providing an instant 360° view of cybersecurity risk and automatic validation of responses, enabling companies to objectively pinpoint risk.