The challenge: You are a security and/or risk professional and you need to conduct information security assurance of companies in your supply chain.
Do you know:
When developing a questionnaire program be aware that scope MATTERS.
When you ask your supplier to answer information security questions consider very carefully what you are asking them to respond in relation to. For example are they answering the questions in relation to a piece of software they sold you or on behalf of their entire organisation and how their whole companies manages security. Is the question you are asking related to the supplier services for example if you are buying a piece of hardware from them and you are asking them how they manage cloud security, is this relevant?
Having a few questionnaire’s that meet the needs of your business works for most of our clients.
Look to your business goals and your information security program. Hopefully your organisation has developed a set of information security policies and standards that you are adhering to. If so, build your questions around these standards. If you don’t have standards in place then you should develop a set of questions that is right for your business. This might include questions about how your supplier manages your information assets in their service (if you are using a cloud based SaaS service) or if they are PCI compliant (if they are managing credit card information on your behalf). If they give your company a web application where you enter and they manage confidential information on your behalf then if would be right to ask them how they secure their web application or how they scan and test for security vulnerabilities in their software.
Cyber Security Consulting has a set of questions you can use if you need help.
If you are company in a regulated industry such as banking or health you may need to ask specific questions that allow you measure compliance against specific set of requirements. If you are not regulated you can choose to align your organisation with a particular standard. Be careful not to overdo the questions you ask as you may create unnecessary work for your supplier and yourself.
At Cyber Security Consulting we believe there is no point in asking questions unless the answer can be measured. We have developed a number of models for our clients that help them measure responses to questions consistently and methodically. There is always some objectivity applied to open ended questions but in the most part you should know what you expect your suppliers to say and what is the most important areas which are deal breakers for you if they do not measure up.
If you are a small or medium organisation and you want a big tech company such as Amazon or Microsoft to answer a custom security questionnaire you will be met with a big fat NO or more likely silence. In most of these cases these organisations publish a detailed list of security features on their websites and in some cases in white papers or compliance documents which they make publicly available. Try to find the answers to your questions there and if you can’t find them you will need to decide how important this information security questionnaire response is for these bigger suppliers in your supply chain.
It makes sense for companies to work with suppliers of the same maturity and size as they often work better together when providing assurance to each other however that really puts limits on what sort of innovative solutions your business can utilise and prevents smaller companies from participating in the supply chain of bigger companies. At Cyber Security Consulting we think that this one of the biggest downsides to security questionnaires. At Cyber Security Consulting we love working with companies to help them uplift practices or help them be able to explain to their bigger clients where they are at in their security journey. If this is you please get in touch for our special consulting rates for start-ups.
Remember no-one is perfect – be reasonable and fair when assessing your suppliers not every one of your suppliers will have be operating in a defence grade building with anti ballistic windows!
Picture credits
Photo by Immo Wegmann
Photo by William Warby
Photo by kili wei