If one of your customers is a Fortune 500 corporation, a financial services firm, or a healthcare organization, then you’ve probably become well acquainted with the formulaic security questionnaires these organizations send to their service providers. Do you have a Security Officer? What type of Incident Response Plan is in place? How is sensitive data destroyed? The spreadsheets vary in their particular flavor of controls, but ultimately the question is the same: What are you doing about security?
SecureState is no stranger to this dilemma. We’ve developed vendor assessment programs, and we’ve assisted clients in responding to these security questions…we’ve tackled the problem from both sides. What we’re finding is that many companies are increasing the depth to which they assess the risk posed by the companies they contract services from. An increase in data breaches, together with increasing regulatory and contractual requirements (PCI DSS, HIPAA, GLBA, SOX), is pushing these companies to assess the security of providers they’ve happily done business with for many years, and to probe more deeply in these assessments.
Companies that aren’t heavily regulated themselves and haven’t undergone this scrutiny before are typically unprepared for the onslaught of densely worded questions on a client’s lengthy spreadsheet. If no employee is tasked with Information Security, then no one speaks the same language as the questions being posed. It’s unclear to both the client and the service provider which security controls are actually in place and which are true gaps. Even worse, some of the client’s questions are placed as intentional “red flags,” which, if answered incorrectly, will result in much more scrutiny and even onsite audits by the client. This is generally the “worst case” scenario: it takes an already time-consuming process and turns it into a major remediation project, because this type of audit almost always turns up significant problems.
The best approach we have found to get both parties what they need is to “fight fire with fire” and engage a security expert to review and respond to these questionnaires. This means either hiring your own Security Officer or contracting a third party to manage the questionnaire responses for you (SecureState offers both sides of this dual approach through its Vendor Management and Vendor Response services).
Contracting these out works well until you hit a “critical mass” of questionnaires, typically about a dozen a year. At that point you will want a standardized way to respond to these requests. AICPA’s SOC 2 (often requested alongside the SSAE 16 / SOC 1 report) and ISO/IEC 27001 are both designed to deal with this exact situation. Most organizations will look at SOC 2 first, as it is considerably cheaper and less disruptive than the cultural shift often involved in a 27001 certification, and it does quite well in managing requests from US-based companies. Those of you with significant operations in Europe and Asia will want to consider ISO/IEC 27001 more closely. (Learn more about SecureState’s SOC 2 and ISO 27001 offerings.)
Vendor assessment is currently undergoing a marked increase…SecureState encourages everyone to take a proactive approach in responding to their clients’ security questions to ensure minimal cost and minimal business disruption.