3 Key Tips for Making Your Security Questionnaires More Effective
Are security questionnaires your Achilles heel? While there’s no avoiding them in your third-party security risk management process, there are definite ways to make the process smoother, faster and more productive.
Tip 1: Be sure your questionnaire considers inherent risk
Inherent risk is the risk level your business faces when you do nothing to reduce the likelihood or impact of a cyber incident caused by your third party. While your reliance on third-party vendors is necessary for doing business, your inherent risk can also be adversely affected by those vendors, because essentially, their risks are also your risks.
Therefore, it’s really important to have a clear and accurate understanding of your third parties’ inherent risk. Understanding the business impact each of your third parties has on your organization will provide this important data.
To do so, consider the following:
- Criticality — how long can your business operate without the services of this third party?
- Sensitivity — how sensitive is the data you will be sharing with this third party?
- Access — which virtual or physical assets will your third party have access to?
Answering these questions will help you weight your third parties accordingly, and is a critical step in reducing risk to your organization.
Tip 2: Scope questionnaires according to your company’s needs and vendor type
Traditional security questionnaires are one-size-fits-all and cause unnecessary frustration for everyone. On one hand, vendors are forced to waste time reviewing long questionnaires that include irrelevant questions. On the other hand, you, the one requesting the security questionnaires, need to subsequently evaluate your vendor’s responses to understand its security posture. Now multiply that by the number of vendors you have; what a waste of time and effort!
To streamline the process, you should select the control framework that governs your risk management practices, such as NIST 800-53 Rev 4, ISO 27001/2 or CIS. In addition, determine which standards and regulations you and your third parties must comply with, such as PCI DSS for organizations that handle credit cards or HIPAA if you work with health information. And of course, don’t forget data privacy regulations such as GDPR, CCPA and others.
Once you have your control set, profile your vendors, grouping vendors of a similar type together. List what service they provide, the criticality of that service, the types of data they handle, whether and how much sensitive data they handle, and the internal contact managing the vendor. This will help you determine which questionnaires to send to your vendors, according to your regulatory requirements and risk appetite.
Tip 3: Consider how to arrange questions for maximum efficiency
Make managing your third-party risk easier by structuring your questionnaire for maximum efficiency through:
- Control categories: Consider the control categories, such as control frameworks and industry standards and regulations as discussed above, and build your questionnaire around those categories.
- Scorable questions: Whenever possible, create scorable questions (yes/no, multiple choice, etc.) so you can quickly draw attention to problems, rather than needing to carefully read free text answers.
- Conditional requests for explanation and document artifacts: Pair scorable questions with requests for explanation. For example, start with “Do you have control X?”; if the answer is yes, drill down with more detailed questions about the control, and then perhaps with questions that require free-text answers and documentation you can validate.
- Intelligent scoring: Build scoring around topics. Begin each topic with a yes/no question to determine whether the topic is relevant, follow it with subsidiary questions that establish whether the control actually works, and award the maximum score only when the answers align with your security policy.
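The following is an added example, not code from the original post, showing how the three tips fit together in a small scorer: an inherent-risk tier derived from criticality, sensitivity and access (Tip 1), questionnaire topics scoped to that tier (Tip 2), and topic-based scoring where a yes/no gate question unlocks policy-aligned follow-ups and evidence requests, with the maximum score reserved for fully aligned answers (Tip 3). The ordinal scales, tier thresholds, question ids, policy values and the vendor’s answers are all constructed for illustration.

```python
"""Added example, not from the original post: a minimal scorer for the questionnaire
structure described above. Scales, thresholds, question ids, answers and policy
values are constructed for illustration."""
from dataclasses import dataclass

# --- Tip 1: inherent risk from criticality, sensitivity and access ---------------
# Ordinal scales and tier thresholds are assumptions; tune them to your risk appetite.
CRITICALITY = {"days": 1, "hours": 2, "minutes": 3}   # how long you can operate without the vendor
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
ACCESS = {"none": 0, "logical": 2, "physical": 2, "both": 3}


def inherent_risk_tier(criticality: str, sensitivity: str, access: str) -> str:
    """Sum the three inherent-risk factors and map the total to a tier."""
    total = CRITICALITY[criticality] + SENSITIVITY[sensitivity] + ACCESS[access]
    if total >= 8:
        return "high"
    if total >= 5:
        return "medium"
    return "low"


# --- Tips 2 and 3: scoped, topic-structured, scorable questionnaire --------------
@dataclass
class Topic:
    name: str
    gate: str              # yes/no question id: is the control in place at all?
    followups: dict        # question id -> set of answers that align with policy
    evidence: list         # artifacts required when the gate answer is "yes"
    weight: int = 1        # relative importance of the topic in the total score
    tiers: frozenset = frozenset({"low", "medium", "high"})  # vendor tiers that receive it


def scope_topics(topics, tier):
    """Tip 2: only send the topics relevant to the vendor's inherent-risk tier."""
    return [t for t in topics if tier in t.tiers]


def score_topic(topic, answers, evidence_provided):
    """Return (points, max_points, findings) for one topic.
    A gate answered 'no' (or left blank) scores zero and is flagged for review.
    Otherwise each policy-aligned follow-up answer and each supplied artifact earns
    a share of the weight, so the maximum is reached only when every answer aligns
    with policy and every artifact is present."""
    max_points = float(topic.weight)
    if answers.get(topic.gate) != "yes":
        return 0.0, max_points, [f"{topic.name}: control not in place, manual review required"]
    findings, items_met = [], 0
    for qid, accepted in topic.followups.items():
        if answers.get(qid) in accepted:
            items_met += 1
        else:
            findings.append(f"{topic.name}: {qid} answer {answers.get(qid)!r} is not policy-aligned")
    for artifact in topic.evidence:
        if artifact in evidence_provided:
            items_met += 1
        else:
            findings.append(f"{topic.name}: missing artifact {artifact!r}")
    items_total = len(topic.followups) + len(topic.evidence)
    if items_total == 0:                     # gate-only topic: a 'yes' is full credit
        return max_points, max_points, findings
    return max_points * items_met / items_total, max_points, findings


def score_questionnaire(topics, answers, evidence_provided):
    """Aggregate topic scores into a 0-100 percentage plus the list of findings."""
    points = max_points = 0.0
    findings = []
    for topic in topics:
        p, m, f = score_topic(topic, answers, evidence_provided)
        points += p
        max_points += m
        findings.extend(f)
    pct = round(100 * points / max_points, 1) if max_points else 0.0
    return pct, findings


# Constructed questionnaire: the incident-response topic is sent only to medium/high tiers.
TOPICS = [
    Topic("Access control", "ac.1",
          {"ac.2": {"all users", "all privileged users"}, "ac.3": {"monthly", "quarterly"}},
          ["access review report"], weight=3),
    Topic("Encryption at rest", "enc.1", {"enc.2": {"AES-128", "AES-256"}},
          ["key management policy"], weight=2),
    Topic("Incident response", "ir.1", {"ir.2": {"24h", "72h"}},
          ["incident response plan"], weight=2, tiers=frozenset({"medium", "high"})),
]

# Constructed vendor response: MFA in place, access reviews only annual, no IR process.
VENDOR_ANSWERS = {"ac.1": "yes", "ac.2": "all privileged users", "ac.3": "annually",
                  "enc.1": "yes", "enc.2": "AES-256", "ir.1": "no"}
VENDOR_EVIDENCE = {"access review report", "key management policy"}


def assess_vendor(criticality, sensitivity, access,
                  answers=VENDOR_ANSWERS, evidence=VENDOR_EVIDENCE):
    """Tier the vendor, scope the questionnaire to that tier, then score the answers."""
    tier = inherent_risk_tier(criticality, sensitivity, access)
    pct, findings = score_questionnaire(scope_topics(TOPICS, tier), answers, evidence)
    return tier, pct, findings


if __name__ == "__main__":
    tier, pct, findings = assess_vendor("hours", "confidential", "logical")
    print(f"tier={tier} score={pct}%")
    for finding in findings:
        print(" -", finding)
```

Run as a script, the medium-tier assessment receives all three topics and lands at 57.1% with two findings (annual rather than quarterly access reviews, and no incident-response control); the same answers from a low-tier vendor are scored against only two topics and reach 80%, which is the scoping effect Tip 2 describes. The findings list, not the percentage alone, is what a reviewer acts on.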
Following this structure will make it easier for you to manage the process, but automating the process will also make it more efficient. Automation is key for a comprehensive third-party security program. It provides the ability to rapidly scale the vendor security evaluation process while ensuring your third parties align with your company’s security policies, regulations and risk appetite.
Want to learn more about how automation can help you implement a rapid and robust third-party security management process? Join our upcoming webinar and we’ll show you how.