It is a fact of our new evolving world of complex technology that most suppliers of goods or services have a supply chain that includes software, hardware or service providers. These providers are specialised at what they do and that’s why a good supply chain works. The better suppliers you have the better goods and services you can offer your customers.
But how do you ensure that your suppliers have good information security governance? How do you ensure they are meeting the requirements you are obliged to meet for your industry regulators or for your customers?
This is where the Security Questionnaire has become a “useful” tool. It provides a process for suppliers to report to their client what they do to govern information security in their organisation and protect the valuable information assets being shared with them as they work together to win the heart and mind of their end customer.
In theory it sounds good, right? In reality, the Security Questionnaire has become lengthy and onerous and, let's face it, a damn pain in the butt. It comes in many formats, from a 355-question questionnaire about detailed security controls to a 12-question form that only asks about a company's security policies.
You are not alone. These are problems being experienced throughout the industry.
Despite the great work industry bodies like OWASP, ISO, CCM and PCI have done to create guidelines and standards that direct businesses to follow similar patterns of information security governance, Cyber Security Consulting has never seen two questionnaires that are the same.
Why are all the questionnaires different? Because most businesses have unique challenges, unique people with various skill sets, and unique goals.
For more information about how to deal with these challenges in your business please contact us.