Information security used to be much simpler—or at least it seemed to be, right? In the past, most business applications were hosted on-premises, and security teams guarded defined perimeters and secured corporate networks. 

Oh, how the game has changed. Right now your company’s probably working with dozens, if not hundreds, of third parties (e.g., SaaS vendors, cloud infrastructure, professional service firms) to handle all kinds of business processes. 

According to a Deloitte survey, more and more companies today engage vendors to fulfill critical business functions: 70% of businesses rate their dependence on outside vendors as moderate to high. Many vendors now have access to sensitive customer data while performing their jobs, and vendor-caused risk incidents have become incredibly common. In fact, 47 percent of businesses surveyed by Deloitte experienced a risk incident involving an outside vendor. 

Customers trust you with their sensitive data, and if you choose to work with a third-party vendor that doesn’t have adequate data protection safeguards, you’re putting your customers’ privacy and peace of mind in jeopardy and your own reputation on the line. 

Threats to customer data can come from a vendor whose IT team forgot to apply the latest patches to their own software, or from rogue employees within a vendor’s firm who are looking to exploit information for personal gain. Natural disasters or financial failure can shut down an unprepared vendor, leaving you in a position where you’re unable to deliver a mission-critical service to your customers. 

These unfortunate outcomes can be avoided when organizations take the time to understand the risks each potential vendor poses and only work with those that have responsible security safeguards in place. Security assessment questionnaires help businesses ask the right questions to vet potential partners and make better third-party hiring decisions. Read on to see: 

  • What topics are typically covered in a security questionnaire 
  • Tactical tips on how to effectively respond to a security questionnaire (because there’s a lot at stake if you don’t provide accurate answers) 
  • What questions to ask of your vendors within your own security questionnaire 

What is a Security Questionnaire?

Security questionnaires are lists of often complex and technical questions, usually compiled by IT teams, to determine a company’s security and compliance posture. Distributing security questionnaires to vendor partners is considered a cybersecurity best practice across most industries today.

The layout, format, and questions may differ between organizations, but all security questionnaires are designed to determine if a third party can be trusted to adequately protect sensitive customer information. Businesses across industries must evaluate all third parties on security posture, and security questionnaires are a standard step in the vendor procurement process today. 

Why Did You Receive a Security Questionnaire?

If your business receives a security assessment questionnaire, take it as a compliment. If this happens, it means that your potential customer (or partner) wants to do business with you. They’re leaning in already and want to take the next step by validating your security posture with a written security assessment. 

Typical Topics Covered In a Security Questionnaire 

Typical subject areas covered in a security questionnaire include the following:

  • Application & Interface Security
  • Audit Assurance and Compliance
  • Business Continuity Management & Operational Resilience
  • Datacenter Security
  • Encryption and Key Management 
  • Governance and Risk Management
  • Identity and Access Management
  • Infrastructure Security
  • Hiring and personnel policies
  • Security Incident Management
  • Supply Chain Management, Transparency, and Accountability
  • Threat and Vulnerability Management

Security questionnaires may be lengthy, complex, and repetitive. We’ve seen questionnaires with over 300 questions! Even then, providing correct answers is critical due to potential liability. For example, if your company answered affirmatively for a security control—but the control didn’t really exist and a costly breach occurred—your company could be held liable for damages.

How to Create Faster Security Questionnaire Responses

It’s no secret how long and grueling the process of answering security assessment questionnaires can be. There’s no set time to complete a questionnaire, and speed doesn’t matter—only honesty and accuracy count, especially when it comes to avoiding future liability. 

Below are six helpful recommendations your team can use to make answering security assessment questionnaires quicker and easier. 

1. Break down the questionnaire

Start by eliminating any questions not applicable to your unique situation and compile evidence supporting why they don’t fit. Reference your Risk Assessment as a guide to reduce the questionnaire’s scope for your organization. Ask for clarification on any vague questions—make sure you fully understand what’s being asked and answer all parts of the question, as anything else risks jeopardizing the customer relationship.

2. Create a centralized knowledge base 

Building a centralized repository for all security assessment answer content will significantly benefit your team. Catalog your entire answer history for fast, easy access and consistency across assessments. Continually monitor and update the repository, adding new answer content as it becomes available. 

3. Be prepared with a remediation plan 

When security gaps get uncovered by a questionnaire, it’s critical to be prepared with a time-scheduled remediation plan showing a process underway to rectify the shortcomings and to get your security posture aligned with customer expectations. Ask the customer if it’s possible to do another assessment questionnaire after the new controls are in place. By taking responsibility for the control gaps and providing a remediation plan, your team demonstrates honesty, accountability, and an innovative spirit while working to earn customer trust.  

4. Understand how certifications help with security questionnaires

Preparing for and completing a compliance framework such as SOC 2, getting a certification like ISO 27001, or aligning your security program to a best-in-class framework like the NIST Cybersecurity Framework can go a long way toward preparing your team to address most security questionnaires.

In fact, you should ask the questionnaire sender whether a SOC 2 type 1 report can be used in place of a security questionnaire, as many topics will be covered during the attestation process. 

Achieving your first SOC 2 report will require some effort. If you’re serious about doing a SOC 2, Hyperproof can help you achieve your SOC 2 type 1 and type 2 reports in less time and maintain compliance in the most efficient way. You can learn more about how we support SOC 2 compliance efforts by watching this video or visiting this page.

5. Reference prior security questionnaires

Always ask if a previous questionnaire could be used and have all of your previously completed security questionnaires handy for quick reference. Don’t hesitate to engage your questionnaire content repository as a reference to drive response consistency over time. 

6. Tips for answering future questionnaires

Keep answers short and simple—don’t answer what isn’t asked or provide too much information. Frankly assess your organization’s strengths and weaknesses—don’t embellish the successes or make excuses for the shortcomings. Engage your strongest internal subject matter experts to answer the questions correctly, emphasizing accuracy over speed. Foster strong lines of communication with partners, be forthcoming with evidence, and always ask for clarification if needed to ensure you give the assessors the information they need.

Be Aware of Liability Pitfalls  

When it comes to security assessment questionnaires, it’s important to remember what you say or don’t say can incriminate your organization with equal severity. The importance of providing accurate information in security questionnaires can’t be emphasized enough. 

Here’s an example: Let’s say your organization fills out a questionnaire claiming all your data transmissions are encrypted. Most indeed are, but the team member filling out the questionnaire falsely assumes all transmissions are encrypted, which isn’t the case. Nobody checks the facts, and a few months later, a data breach occurs, exposing sensitive customer info. The non-encrypted info is stolen and exploited by the attackers. Now, your organization is in deep legal trouble for providing false information to customers and is liable for all the incident damages. 

Your organization can also find itself in legal trouble for the information you fail to provide. Take, for example, the unfortunate case of Rady Children’s Hospital in San Diego, California. They worked with Blackbaud, a cloud service provider that experienced a significant ransomware incident in May of 2020. This breach exposed the sensitive information of over 19,000 patients, and now the hospital is being sued for its negligence in failing to properly screen its vendor’s security, business continuity, and crisis management programs. 

Where to Start When Creating Your Own Security Questionnaire 

Properly vetting the security posture of vendors starts with a security questionnaire to better understand all the possible risks associated with your SaaS provider network. To start, identify the vendors who have access to sensitive company or customer data. Then, generate questions to determine what policies, procedures, and controls they have in place to ensure data security, confidentiality, integrity, and availability. Who do they allow to access the information you share with them? Who do they conduct business with? Do they subcontract with parties in certain high-risk locations? And what type of due diligence does your vendor conduct with their third parties (or your fourth parties)? 

You could be responsible up to four or five levels deep, so it’s crucial to dig into your vendor’s supply chains early to get a clear picture of what you’re dealing with in terms of risk. 

The standard best practice is to use an industry-standard questionnaire as the starting point and then tailor it based on your organization’s needs. Here are some industry-standard security assessment methodologies you can start with: 

Consensus Assessments Initiative Questionnaire (CAIQ): Created by the Cloud Security Alliance, it provides a set of Yes/No questions you may want to ask of a cloud service provider to determine if their cloud services are reliably secure.

CIS Critical Security Controls (CIS First 5 / CIS Top 20): The Center for Internet Security (CIS) is a non-profit entity that wants to safeguard private and public organizations against cyber threats. The CIS’s 20 controls are a prioritized set of actions to protect critical systems and data from common cyber attacks. These are highly effective controls that reduce cybersecurity risk and map to most major frameworks such as the NIST Cybersecurity Framework, NIST 800-53, the ISO 27000 series, and regulations like PCI DSS, HIPAA, NERC CIP, and FISMA.

Standardized Information Gathering Questionnaire (SIG/SIG-Lite): SIG and SIG-Lite were created by the Shared Assessments Program, a trusted source for third-party risk management resources including tools and best practices to manage vendor risk. The SIG questionnaire is a tool to assess cybersecurity, IT, privacy, data security, and business resiliency. SIG-Lite is a compilation of higher-level questions from SIG and is generally used for low-risk vendors.

NIST 800-171: The National Institute of Standards and Technology (NIST) provides guidance on cybersecurity and privacy for firms serving the U.S. federal government. The purpose of NIST 800-171 is to help protect controlled unclassified information (CUI) in nonfederal systems and organizations. It contains 14 specific security objectives with a variety of controls and maps to NIST 800-53 and ISO 27001. If your organization offers products, solutions, or services to the Department of Defense (DoD), General Services Administration (GSA), or National Aeronautics and Space Administration (NASA), it must comply with NIST 800-171.

Conclusion

The days of guarding your fenced perimeter and focusing solely on your organization’s security posture are gone. Each business today is part of a large, interconnected network where vendor security posture must be a primary concern. Though often complex and taxing to manage, security assessment questionnaires are a critical tool that can make all the difference when deciding which vendors are worthy of inclusion in your business family.

Just how important is vetting your supply chain vendors today? Steve Tcherchian, XYPRO CISO and Chief Product Officer, says, “It’s absolutely critical as anyone engaged with your business is an extension of your business.”

Steve continues,

“Security questionnaires are part of due diligence today. Just like you would do your due diligence in any other business transaction, security needs to be considered part of that effort. Unfortunately, it’s too often an afterthought because it gets in the way of doing business. It can’t be treated this way because vendors are most targeted, and if something happens to them, it happens to you as risk can no longer be deflected to third-parties without consequence.”   

Reduce Your Third-Party Risk Assessment Workload With Hyperproof 

Hyperproof provides a Vendor Risk Management solution that can help you jumpstart the third-party risk assessment process. This solution comes with security questionnaire templates. These vendor security questionnaires can be tailored so you can collect the most relevant information from each vendor. All vendor risk statuses and their questionnaire statuses can be tracked centrally in Hyperproof. It’s easy to see which of your vendors still need to complete questionnaires and determine which vendors and tasks you need to focus on next. 
