Minnesota Vendor Risk Questions
Improve the process of addressing vendor security questions.


How do you handle the request to fill out a vendor risk assessment questionnaire? Do you fill it out line by line? Do you instead reply back with your information security policy? Do you have a previously answered questionnaire that you provide instead? Or do you ignore it?


The frequency, complexity, and depth of vendor assessment questionnaires have been steadily increasing over the last several years. Companies are taking more responsibility by interrogating their partners with a set of questions and attestations so that they can effectively lower their risk.

Still, these assessments can seem non-standardized, subjective, and incomplete. How partners answer these questions is also not based on a standard and often does not address the heart of the question being asked. There are issues on both sides of this assessment. But that does not remove the fact that they should be completed, reviewed, and used as a diligent and responsible part of a mature information security program.

So how, when, and why should vendor risk questionnaires be requested? And how should the process be managed and maintained? In this article, we will attempt to provide an overview of how to mature your security program by using a standard framework and provide ideas on how you can improve your vendor risk management program through the questionnaire process.


Step 1 – Decide ‘When’

The number of vendor partnerships has continued to grow. The ‘leaner’ companies attempt to become, the more they build external relationships with other companies that can provide significant value. I recently worked with a small company that had over five hundred external vendor partnerships. Not all vendors should be assessed. The time, effort, and resources would be too costly and would not provide a return on the risk-reduction effort.

Decide ‘when’ a vendor should be assessed. Ideally, this answer will be an output of other security processes you have in place. An application or system risk measurement tool is a great example. Your asset management system that documents risk would be another. A great article to refer to for more information is linked below.

Mature Security: Building Security Into Asset Management

https://www.maturesecurity.com/building-security-into-asset-management/


This output is derived from asset attributes such as:

  • Exposure / Availability: How is the application or system accessed? Can it be publicly accessed, or is it only reachable over a secured private line?
  • Data Classification
  • Criticality: Impact to supply chain or company revenue. How much would it hurt if this vendor was breached and could no longer supply your business with what you depend on them for?

Use these asset attributes to determine a benchmark of when a vendor should be assessed. If you are new to implementing a vendor risk questionnaire process, start one tier below the highest criticality to pilot your question process. Refine it to where you feel it’s acceptable, and then assess all ‘critical’ vendors.


Step 2 – Decide ‘why’ or the purpose

Take time to decide what your purpose is for asking these questions. I’ve seen some groups just create a random group of questions so that they had a process in place and could check the box and consider it done.

Instead, take the time to outline all the risks this vendor poses to your company. Is it supplies, or SaaS? Is it payroll or HR services? Do they have remote access to your business, such that a breach of their company could equal a breach of your company?

Determine if the goal of your questionnaire is the confidentiality of your employee or client records at the vendor location, or if it’s a dependency on a deliverable that could be impacted by availability. Or does the vendor supply you with software code that you use in your equipment or computers? All of these purposes lead back to the information security triad, ‘CIA’:

  • Confidentiality
  • Integrity
  • Availability

Ensure your questions are driven by the purpose and goal of why you are assessing them. If you have assessed some vendors for one reason and other vendors for another reason, consider adding all your questions to a single questionnaire but then having a qualification area that leads to the specific questions or sections that vendor has to answer based on their risk profile.


Step 3 – Predetermine Acceptable

Treat this vendor questionnaire like a test. As the assessor or the teacher, you should have an answer sheet that has all the correct answers. Save your assessment as the ‘Teacher’s Guide’. You can then refer to this as the assessments come back populated with answers.

If acceptance criteria are not decided in advance and documented, reading through and deciding what qualifies as a pass or fail can be overwhelming and extremely time-consuming.

Instead, do yourself a favor and write down the two to three specific words you are looking for that justify a ‘pass’.


Step 4 – Decide non-compliance

Just like you need to determine what a ‘pass’ looks like, or ‘compliance’ looks like, you also need to determine how you will handle vendor answers that do not meet your requirements.

For example, let’s pretend you are asking a question for the purpose of confidentiality and your ‘pass’ criterion is that they have an application whitelisting policy, but instead they answer with, “we have a firewall.”

How do you handle this?

  1. You fail this vendor, notify the business they need to find another vendor (don’t we wish right?)
  2. Have a response process that provides feedback to the client that is responsible for completing the assessment on all answers that fell short.
  3. Document shortfalls, and proceed with the vendor.

One process I recommend is having an automated response for any submitted questionnaire that doesn’t have all of the ‘required’ fields populated. If the assessment questionnaire comes back with answers that are not acceptable, compile and highlight them and issue a short response to the vendor that asks them to elaborate and go more in-depth on those specific questions. Inform them that their response to the specific questions does not ‘satisfy’ the goal of the question.
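The Step 3 ‘Teacher’s Guide’ and the Step 4 shortfall response, worked through as an added example that is not code from the article: the question ids, pass keywords and vendor answers are all constructed, and the C-01 entry is the ‘application whitelisting’ versus ‘we have a firewall’ case from above.

```python
# Added example (not the article's code): grade a returned questionnaire
# against a Step 3 'Teacher's Guide' of pass keywords and compile the
# Step 4 follow-up. Question ids, guide entries and answers are constructed.
import re
# Step 3: for each required question, the two or three words or phrases
# that justify a 'pass'. Any one match is enough.
TEACHERS_GUIDE = {
    "C-01": ("Do you restrict which software may run on endpoints?",
             ["application whitelisting", "application allowlisting", "application control"]),
    "C-02": ("How is our data encrypted at rest?",
             ["aes", "encrypted at rest", "full disk encryption"]),
    "A-01": ("What is your documented recovery time objective?",
             ["rto", "recovery time objective"]),
}
def _contains(answer, term):
    # Whole-word, case-insensitive match so 'rto' does not match 'sorted'.
    return re.search(r"\b" + re.escape(term) + r"\b", answer, re.IGNORECASE) is not None

def grade(guide, responses):
    """Return {question_id: (status, answer)}; status is 'pass', 'blank' or 'fail'."""
    results = {}
    for qid, (_, pass_terms) in guide.items():
        answer = responses.get(qid, "").strip()
        if not answer:
            status = "blank"   # a 'required' field left unpopulated
        elif any(_contains(answer, t) for t in pass_terms):
            status = "pass"
        else:
            status = "fail"    # answered, but does not satisfy the goal
        results[qid] = (status, answer)
    return results

def follow_up(guide, results):
    """Compile the shortfalls into the short response sent back to the vendor."""
    lines = []
    for qid, (status, answer) in results.items():
        if status == "pass":
            continue
        lines.append(f"{qid}: {guide[qid][0]}")
        if status == "blank":
            lines.append("  This required field was left blank; please complete it.")
        else:
            lines.append(f"  Your answer '{answer}' does not satisfy the goal of this "
                         "question; please elaborate on the specific control in place.")
    return "\n".join(lines)
# Constructed sample return; C-01 is the article's 'we have a firewall' case.
SAMPLE_RESPONSES = {"C-01": "We have a firewall.",
                    "C-02": "Customer data is encrypted at rest with AES-256.",
                    "A-01": ""}
```

Running `follow_up(TEACHERS_GUIDE, grade(TEACHERS_GUIDE, SAMPLE_RESPONSES))` yields the text for the automated response: C-02 passes and is omitted, C-01 is flagged as not satisfying the goal, and A-01 is flagged as a blank required field.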

Also, decide how to handle a vendor that doesn’t respond to your questionnaire. Historically this has been a process of someone on the cybersecurity staff manually reminding the vendor that the questionnaire is due, and/or past due. This cycle repeats several times and then it gets escalated.

A better solution is to either have the business partner within your company managing the relationship drive completion or leverage an external security solution to help you.

I recommend Process Bolt and will explain more at the end of this article.

My opinion is that cybersecurity should not be leveraged to babysit vendors to complete a process that is required to be a partner (and get paid) by the business. By getting leadership approval to add a section to the information security policy that all ‘high risk’ vendors must provide a completed and satisfactory vendor question response, and then assigning that responsibility to the vendor manager within the company, the completion rate goes way up and the time expenditure by cybersecurity staff goes way down.


Step 5 – Decide Frequency

The last thing you need to decide is how often the vendor should renew their answers and attestations to your questionnaire.

It’s often assumed that once a year is standard. In actuality, there is no standard, and whatever you choose should be driven by risk. The more frequently you have them attest to the stated answers, the more control you have over your risk posture.

You should carefully consider how frequently you want vendors to review and update their answers and attestations. I recommend this be correlated to the risk of the vendor based on the criteria outlined above.


Recommendation

If you’re looking to offset this risk and outsource this service I highly recommend you consider Process Bolt. Check out the link below:


Check out www.processbolt.com

I am not an affiliate of Process Bolt and do make money on referring you, but I have personally met their leadership and have heard their mission and believe in it. I do think they can offer significant cost savings through their services.


Conclusion

The development of a risk assessment process and questionnaire is a critical part of a mature information security program, and it can be streamlined and made efficient through a vendor assessment questionnaire. With proper preparation and planning, this effort can greatly reduce risk.
