Let’s face it, not many of us enjoy completing security questionnaires, those longwinded documents are often intentionally complex, technical and never-ending. Fortunately, there are some general tips and guidelines we can provide to help make security questionnaires a little more manageable. But first, let’s examine why they exist, the overall structure, potential topics and how you can complete them with minimal stress.
What Are They Good For?
Data breaches happen on a daily basis and, as a result, cybersecurity can keep an organizations’ InfoSec leaders awake at night. Business organizations have the due diligence, to themselves and their customers, to avoid all possibility for potential risks and, often, that means carefully investigating their vendors. Not only is the security questionnaire a part of the vendor selection process, but, quite often, it may be an annual exercise put in place to ensure vendors remain compliant and current with the latest security updates.
In business, vendor relationships are increasingly critical to long-term success. As a result of these close partnerships, vendors routinely interact with their clients’ sensitive data. For this reason, business organizations take their security assessments very seriously and why they have developed them as standard part of their procurement process.
What is a Security Questionnaire?
A security questionnaire is an instrument document that an enterprise organization distributes in consideration of service organizations to assess and validate another organization’s security practices prior to choosing to do business with that organization. Most organizations, requesting information about a company’s security practices, will typically develop its own security questionnaire based on its requirements. They are used to investigate the security program, or lack thereof, to review the risks involved with using an organizations’ products and/or services.
Often, the questionnaires are designed by the client organization’s IT department and typically include a wide range of topics. Depending on the industry, surveys can from as few as two-dozen to as many as several hundred security questions.
Topics typically covered by the questionnaire may include:
- Penetration Testing
- Web Application Security
- Internal Privacy Policies
- IT Infrastructure Security
- Physical Security
- Incident Response
- Access Control
- Business Continuity
- Hiring Practices & Training
- Security Certifications
Breaking Down Security Questionnaires
As you can imagine, these surveys vary from organization to organization and industry to industry; however, all seek a clear answer to one question — can they trust your organization, the vendor, to protect their business and client data?
While it may take a significant amount of time to answer the questionnaire, it will often take much, much longer to become compliant if the vendor questionnaire exposes gaps in your current security program. Depending on the length and scope of the security questionnaire, you may be required to plan time from several team members to organize your responses. To be prepared, it is advisable to plan not only to answer the questionnaire but also to launch any company initiatives required to mitigate any issues it uncovers.
Review and Clarify
First, ahead of trying to answer anything, review the list of questions in its entirety.
Consider the number and clarity of the questions, does anything seem unclear? When is the questionnaire expected to be returned and how much time can be dedicated to each question? Do you need multiple team members to complete the security questionnaire? Are there any questions that you can immediately identify as ‘not applicable’? This is the initial approach you should take before attempting to put anything down in writing.
Remember, if you can reduce the number of questions required of you, based on their relevance, that will allow you more time for the questions that require more attention. That said, it is often wise to make a note of why a question may be ‘not applicable’ to your organization – do not leave any room for ambiguity.
After ruling out any questions and/or sections that are not applicable, you will need to fine tune your attention and comprehension of the remaining questions. If something seems ambiguous, whether intentional or not, mark it and ask the client to clarify, in writing. It is always important to keep in mind, if you do not respond to each question to their level of satisfaction, you may threaten your future relationship with the potential client and they may even disqualify you from their list of approved service vendors, indefinitely – be sure to breakdown each question to identify each component, prior to writing your response.
Immediately Identify & Action Your Organizations’ Limitations
During the initial security questionnaire review process, you may identify items of importance that you do not have adequately covered. If this is the case, depending on the individual security control, you may have the opportunity to develop a remediation plan to bring your service up to the client’s security standards prior to the time a new engagement begins. The remediation plan itself should demonstrate that you have a process in place to work through any security limitations exposed by the questionnaire. This plan of action serves as a demonstration you are doing your due diligence and taking their security concerns very seriously. Remember, communication a remediation plan for security upgrades may seem like a lot of extra work, but it goes a long way to develop trust with your client.
Quick Tips: Preparing Your Security Questionnaires
- Keep it succinct, and to the point. Remember, just as questions can be ambiguous, so too can your responses – avoid ambiguity at all costs. Depending on the client, they may simply disqualify you and move on. If a question is very straightforward and can be answered briefly in a single paragraph, or less, do that.
- Don’t answer questions that aren’t posed. It is important to provide the information required by the question. If the client did not ask, the client is responsible to clarification. Too much information can be just as detrimental as not enough.
- If required, based on timelines or expertise, do not hesitate to divide the questions across multiple individuals, setting guidelines and deadlines to ensure proper completion.
- Again, clarify, clarify, clarify. If there are any concerns regarding the content or time requirements of the security questionnaire, be sure to keep those lines of communication open with the client. Remember, the process, as well as the questionnaire, is a great opportunity to build trust!
- Develop a security questionnaire database! Usually, you cannot reuse a security questionnaire, verbatim, however, that is not so say you cannot make use of previous answers if the question is identical or contains significant overlap. Definitely be sure to keep any of your completed questionnaires on file. This will allow you to reference past questionnaires and reuse the relevant answers which, ultimately, will save your organization a lot of time.
Summary and Conclusion
Although often time-consuming, security questionnaires play a vital role in building a relationship of trust between your organization, the vendor, and the client. When all goes to plan, it is this same client-vendor relationship that will become critical to the long-term success of both parties. If you have any further questions regarding the completion of security questionnaires, or any of our dedicated services, please contact us. We’re here to help.