Tips for Answering Vendor Security Questionnaires
As information security, governance, risk and compliance requirements continually change, organizations will continue to assess their third-party vendors using risk-based methodologies to help protect their business operations. We at SecureCoders understand how overwhelming, time-consuming and painful the security questionnaire response process can be. We hope the tips outlined below will help ease this pain so that you can respond to potential customers quickly, close deals faster and shorten your sales cycles.
Use a Template
Use a widely adopted questionnaire template to seed and baseline your security responses. Develop a core understanding of your internal security controls and of your common responses to vendors' questions using one of the following templates:
Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
The Cloud Security Alliance developed the CAIQ to address one of the leading concerns organizations have when moving to the cloud, namely the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management. The questionnaire is free and updated annually. For more information, see: https://cloudsecurityalliance.org/research/cloud-controls-matrix/
Vendor Security Alliance — VSA Questionnaire (VSA)
The Vendor Security Alliance (VSA) questionnaire was created by a coalition of companies committed to improving Internet security. The VSA developed the VSA-Full and VSA-Core free questionnaires that are updated annually. For more information see: https://www.vendorsecurityalliance.org/
Higher Education Community Vendor Assessment Tool — (HECVAT / HECVAT Lite)
The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that generalizes higher education information security and data protection questions, as well as issues regarding cloud services, for consistency and ease of use. The Higher Education Information Security Council (HEISC) developed the HECVAT, HECVAT Lite and On-premise free questionnaires, which are updated annually. For more information see: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM)
The Health Sector Coordinating Council and Cybersecurity Working Group (HSCC) developed the Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM) to provide guidance and templates covering: the components and inventory attributes of a supplier risk management program; processes for establishing and sustaining that program; support for the contract management process; guidelines and templates for gaining assurance that suppliers are adhering to their contract commitments; and planning for, testing and recovering from supplier cybersecurity incidents.
Shared Assessments Group – Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains. Shared Assessments developed the SIG questionnaire, the SIG LITE and the SIG CORE paid questionnaires that are updated annually. For more information see: https://sharedassessments.org/sig/
Implement a Framework
Document and implement your controls based on a well-adopted framework. Seed another baseline for your security questionnaire responses using one of the following frameworks:
ISO 27000 Series
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
For more information on ISO 27001 see: https://www.iso.org/isoiec-27001-information-security.html
NIST SP 800 Series
Publications in the National Institute of Standards and Technology's (NIST's) Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST's cybersecurity activities.
NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.
For more information on the full NIST SP 800 series see: https://csrc.nist.gov/publications/sp800
For more information on NIST SP 800-53 see: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST CSF
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is voluntary guidance, based on existing standards, guidelines, and practices, that helps organizations better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risk, it was designed to foster risk and cybersecurity management communication amongst both internal and external organizational stakeholders.
For more information on NIST CSF see: https://www.nist.gov/cyberframework
ISACA COBIT
COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for the governance and management of enterprise information and technology. The framework is business-focused and defines a set of generic processes for the management of IT, with each process defined together with its inputs and outputs, key activities, objectives, performance measures and an elementary maturity model.
For more information on COBIT see: https://www.isaca.org/resources/cobit
Center for Internet Security (CIS) Controls & Benchmarks
The CIS Critical Security Controls (CIS Controls) are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of information technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors, including retail, manufacturing, healthcare, education, government, defense, and others. While the CIS Controls address the general practices that most enterprises should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls.
CIS's global community of cybersecurity experts also developed the CIS Benchmarks: more than 100 configuration guidelines across 25+ vendor product families that safeguard systems against today's evolving cyber threats.
For more information on CIS Controls see: https://www.cisecurity.org/controls
For more information on CIS Benchmarks see: https://www.cisecurity.org/cis-benchmarks/
Implement Best Practices
Centralize
Centralize responses in a repository for effective and efficient access. It is important to save all vendor security responses for reference as well as to help in improving the efficiency of answering future questionnaires. File shares, Microsoft Teams, Google Drive and SharePoint are all options to help centralize questionnaires and associated responses. SecureDawn’s security questionnaire response tool is built specifically for centralization of responses.
Save Evidence
Save copies of policies, procedures, standards and screenshots to provide evidence that your security program is operational. This documentation should be centralized and easy to access, reference or send to those who request it. Create sanitized copies of documents that remove your organization's confidential or sensitive information. One way of doing this is to extract the table of contents from your documented policies, procedures and standards. If you do not feel comfortable sending copies of documentation, then mention in your response that you can provide it via either a remote screenshare or an onsite audit.
Assess your vendors
Downstream risk is a growing concern for security departments that assess their vendors. Organizations should be assessing vendors based on criticality and on vendor risk management best practices. Consider developing, assessing and improving the maturity of your vendor risk management program. Shared Assessments has developed the Vendor Risk Management Maturity Model and associated toolkit, which guides organizations in building, implementing and optimizing the maturity of their vendor risk management program. More information can be found at: https://sharedassessments.org/vrmmm/
Know your responsibilities
Organizations that you interact with want to make sure their assets are protected. If you are transmitting, storing or processing their information, they expect you to have the controls in place to protect that information. You may be running on a major cloud provider like Amazon Web Services, Microsoft Azure, Google Cloud or one of the many others that provide some of the security controls for you. Make sure you review and save your vendors' security documentation and responses, as they may help in preparing your own responses. But don't forget which controls you are responsible for. Complementary User Entity Controls (CUECs), or User Control Considerations (UCCs), are controls that a vendor has designed its system to rely on and that you, the user, must implement to ensure the vendor's control objectives are accomplished.
Automate
Use technology like SecureDawn’s security questionnaire response tool to help reduce the time it takes to respond to questionnaires, improve accuracy and maintain consistency of questionnaire responses. We have decades of experience helping organizations with the overwhelming task of responding to their customers’ vendor assessment questionnaires.
Why should you partner with SecureCoders?
SecureCoders focuses on enabling your business with our custom-built technology and custom-tailored security questionnaire response services.
Enable your Business
We help organizations enable their business and create revenue through the following:
Fast & automatic answering of questionnaires
Our intelligent question answering understands and responds to hundreds of questions immediately.
Collaboration with your team
Assign questionnaires to co-workers who can review responses to questions.
Close deals faster
Respond to potential customers quickly and professionally resulting in faster sales cycles.
Custom Tailored Services
SecureCoders is the principal delivery and implementation partner for SecureDawn's security questionnaire response tool. We offer the following custom services built around your organization's needs:
Product jumpstart
A dedicated resource for 30 days to assess and analyze your security response program and to build a questionnaire library and evidence repository.
Assessment review managed services
Review of completed vendor security questionnaires (VSQs) where existing documentation exists.
Full assessment support managed service
Review of completed VSQs, communication with internal and external stakeholders, critical feedback on responses, and a review of the documentation referenced in responses.
We at SecureCoders hope you find these tips helpful and that they reduce your pain in the vendor security questionnaire process. We understand that building trust with your customers and responding to their security questionnaires is directly tied to business enablement. We are happy to help you improve the maturity of your risk management program. Please don't hesitate to reach out and contact our team if you have any questions or needs. For more information on our Security Questionnaire Response services and products, please contact us at info@securecoders.com or visit www.securecoders.com.