Do you have a customer that is asking you to fill out a security questionnaire as part of their "due diligence" process? Does it make you nervous to start answering questions that aren't worded clearly or fall outside of your primary domain?
This post covers some of the basics for handling security questionnaires. For most companies, at some point these become a source of anxiety, or at least a time-management problem. Often, this type of scrutiny is what triggers companies to become securityprogram.io customers. With a program in place, we can confidently handle the diligence reviews in a consistent way.
Yes Yes Yes
One pitfall customers fall into is that they want to answer "yes" to every question. This is particularly true when sales or sales engineers are responsible for answering the questions. There are a couple of problems with answering "yes" across the board:
- An attentive reviewer will know that you don't know what you are talking about.
- It could result in your company taking on more responsibility than it should, and down the road being committed to spending money to implement something you said you already did!
The reality is, even most larger firms can't answer "yes" to every question. It is much more meaningful to know where your strong points are (where you can answer "yes") and where your weak points are (where you are better off answering "no").
Here are two specific examples:
| Question | Answer |
|---|---|
| Do you encrypt data in transit? | Yes. We use TLS 1.2 or above everywhere. |
| Do you use an MDM solution? | No. We do not have the capacity to manage mobile devices through a technical control. We do have a policy that addresses how employees should be using their devices. |
For the first item, we are using TLS. Not only that, saying "no" here would be a huge red flag. So for this type of item, if we were not using TLS we should take action so that we are.
For the second item, maybe we don't even know what MDM means. It means mobile device management. It allows you to control the installation of software and remotely wipe mobile devices if they are lost or stolen. While MDM is a good control, and may be needed in certain security sensitive environments, it is not something that every company must do.
When you get the questions, is it a big Excel file? Maybe it is even an online system. Does it seem just like others you have answered before, but just a little different? We see a lot of the same questions repurposed and reused. Our customers feel much more comfortable when they realize that a set of questions is mapped to a standard like SIG Lite or ISO 27001 or CAIQ and that there isn't any "magic" to answering them.
Unfortunately, many companies end up making their own questionnaires based on some combination of standards or questionnaires. This makes it even harder to optimize your answers.
One thing we always do is make a directory of the responses we have made so that we can find them and hopefully refer to them as needed. Some customers use tools like rfpio.com to help manage responses. We've talked about adding some of these types of features to securityprogram.io but what we really want to do is use natural language processing and let you upload a questionnaire then download it already filled out.
When we're working with these questionnaires, we also track any places where they are asking us about things we know we need to do but aren't yet. Then we cross reference that into our security plan.
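As an added illustration of the response directory and gap tracking described above (this is example code, not a securityprogram.io tool), the script below keeps a small constructed bank of prior answers, matches incoming questions to it by word overlap so that reworded versions of the same question reuse the reviewed answer, and collects every "no" or unmatched question into a gap list for the security plan. The function names, the bank contents and the 0.4 match threshold are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Filler words ignored when comparing question wording (assumed list)
STOPWORDS = {"do", "you", "a", "an", "the", "is", "are", "of", "to",
             "in", "your", "for", "any", "have"}


@dataclass
class Response:
    question: str   # wording we answered previously
    answer: str     # "yes" or "no", never more than we can back up
    evidence: str   # what backs the answer, or what the gap is


def tokens(text):
    """Lower-cased content words of a question, punctuation stripped."""
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS


def similarity(a, b):
    """Jaccard overlap of content words; 1.0 means identical wording."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


# Constructed response bank, mirroring the two examples in the post
BANK = [
    Response("Do you encrypt data in transit?", "yes", "TLS 1.2 or above everywhere"),
    Response("Do you use an MDM solution?", "no", "policy only; no technical control for mobile devices"),
    Response("Do you perform background checks on employees?", "yes", "HR policy covers all new hires"),
]


def answer_questionnaire(questions, bank=BANK, threshold=0.4):
    """Return (answers, gaps): answers maps each question to a bank entry or None;
    gaps lists 'no' answers and unmatched questions to cross-reference into the plan."""
    answers, gaps = {}, []
    for q in questions:
        best = max(bank, key=lambda r: similarity(q, r.question))
        if similarity(q, best.question) >= threshold:
            answers[q] = best
            if best.answer == "no":
                gaps.append((q, "answered no: " + best.evidence))
        else:
            answers[q] = None  # new question: needs a reviewed answer, not a reflex "yes"
            gaps.append((q, "no prior response; needs a reviewed answer"))
    return answers, gaps
```

Unmatched questions deliberately get no answer, so that a reworded or genuinely new item is reviewed by someone rather than filled in with an optimistic "yes".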
Have A Security Plan
Having a security plan and systems in place that are aligned to a major standard, like NIST 800-53 or ISO 27001, can help ensure that you have good answers for these questions and that you won't be surprised down the line.
Really, you want to own your security planning and not be reactive to every different customer request.
securityprogram.io helps you build the plan and do the work to make sure you are ready for anything your prospects throw at you.
As you get more advanced, you may consider doing a formal certification like SOC 2 Type 2 or ISO 27001 or both. securityprogram.io can help with that too, but we'll save that for a separate post.