One of your major customers wants to know how you protect their information. This is a challenge many security and risk professionals face every day. Here are our Top 7 Tips for approaching it the right way, every time!
Below we set out the most common sticky areas and our suggestion for handling each one, so your business can get on with growing rather than getting stuck in the details.
Agree with your management team whether there is any information about your security controls that you are not willing to share and, if so, what alternative statements you can make to give your customers confidence that you are doing the right thing.
Review the questions and ask the customer for clarification wherever a question is unclear. We have seen many cases where customers write questions that do not make sense; these should not be answered until they have been clarified.
Decide where you will store the answers you write. Decide whether you will sanitise the answers so you can reuse them in future for the same client, for other clients, or for potential auditors of your organisation.
Ensure you have a register of the organisations in your supply chain and the business units within your organisation that form part of your broader information security governance team. List the key contacts in each of these who can give expert answers to the questions you may need to ask.
Engage a security consultant, such as Cyber Security Consulting Pty Ltd, to help you write professional answers that everyone can understand, free of jargon and acronyms that will not be understood when the answers are reviewed a year later.
Ensure you document any control gaps you find along the way. No one has perfect security controls, and you will inevitably find areas that you or your customer may be concerned about. By documenting the gaps you can report them to management and start to plan what remediation, if any, you will take to close them.
Be honest and don't try to hide the gaps you may have. Your clients deserve the truth. If the truth is that you don't have great password controls, tell them, but make sure you do something about it and share your plan to improve those controls over time.
In summary, here are our top 7 tips for answering security questionnaires: