Adding an IT Security Assessment Gate That Doesn’t Create 100 New Questions
Think about the last time your company was asked to complete a security questionnaire. It probably involved answering 50-100 questions in 14 days (30 days if you got lucky). Do you remember the dreaded feeling that created? Do you remember feeling that this questionnaire was going to take precious time away from your most important initiative? This article is for those who will soon be adding an IT security assessment gate to the vendor due diligence process. My challenge is to convince you not to do what every other company is doing, and instead to do better and try something different.
The security due diligence process requires information gathering; that part is unavoidable. At this step in the process, why not focus on gathering what you absolutely need instead of *all the information* under the sun? After all, you’re looking to make an informed decision about partnering with a new vendor (or renewing the contract with an existing vendor). You want assurance that the vendor has adequate security controls, that the vendor will be responsible with non-public personal information (NPPI), that the contract has the right language, that the implementation team has a set of actionable security requirements to add to the project plan, and that the company will be protected if something goes wrong.
Here is a list of our 3 must-haves for creating an effective security questionnaire, rather than a 100-point questionnaire that turns into a time sink for everyone involved in the process.
Add 1-2 security questions to your existing vendor due diligence questionnaire
This helps triage vendors and determine whether additional questions are needed. These questions should clarify whether NPPI will be shared (y/n) and the extent of the NPPI data (email only? name, address, SSNs, banking information?).
Create a screening process to determine which vendors can hit the fast lane
This helps determine the optimal path for the vendor. The optimal path is based on the level of data sharing that is happening, the direction of the data flow, and the channel for the data flow. This information is CRUCIAL: it is what allows you to determine the depth of the security due diligence. The resources allocated for an IT security assessment should be risk-based, which means that some vendors will take more time than others. This is where the fast lane comes in. A fast lane can be created to handle “low-risk” vendors or vendors that are promising for the business and should be expedited.
Create 2-3 flavors of questionnaires, based on the most common types of vendors you’re partnering with
This contextualizes the questions based on the vendor relationship. It’s important to point out that general questions will prompt general responses. This creates room for interpretation, or worse, misinterpretation. Misinterpretation by either party can be the difference between making an informed decision and a misinformed one. So be wise with what you ask and the language that you’re using. When working with clients, we typically carve out 4 types of questionnaires: for lead providers, collection agencies, debt buyers, and a general catch-all for the rest of the vendors. This allows us to ask very targeted questions that help us assess the effectiveness of the key security controls that make sense for that vendor type. In the end, this is a win-win for the client and the consumer base.
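The three steps above (two triage questions on the intake form, a screening rule that picks the lane, and a questionnaire flavor per vendor type) fit together as one small routing function. The following is an added example written for this article, not code from the author or their clients; the sensitivity weights, channel weights, lane thresholds, and the decision that business priority changes scheduling but not assessment depth are all constructed assumptions for illustration.

```python
"""Vendor triage: route an intake form to an assessment lane and questionnaire flavor.

Constructed example. Every weight and threshold below is an assumption made for
this illustration, not a published or client-specific scoring model.
"""
from dataclasses import dataclass, field
from enum import Enum


class Flow(Enum):
    """Direction of NPPI movement between us and the vendor."""
    NONE = "none"                    # no NPPI exchanged at all
    INBOUND = "inbound"              # vendor sends NPPI to us
    OUTBOUND = "outbound"            # we send NPPI to the vendor
    BIDIRECTIONAL = "bidirectional"  # both directions


# Constructed weights for the data elements the second triage question asks about.
ELEMENT_WEIGHT = {"email": 1, "name": 1, "address": 2, "ssn": 5, "banking": 5}

# Constructed weights: outbound sharing hands custody of our data to the vendor,
# so it counts more than inbound; bidirectional counts most.
DIRECTION_WEIGHT = {Flow.NONE: 0, Flow.INBOUND: 1, Flow.OUTBOUND: 2, Flow.BIDIRECTIONAL: 3}

# Constructed weights: ad-hoc email attachments are riskier than an authenticated
# API or a managed SFTP drop. Anything unrecognised is scored as the worst case.
CHANNEL_WEIGHT = {"api": 1, "sftp": 1, "portal": 2, "email": 4}
UNKNOWN_CHANNEL_WEIGHT = 4

# Questionnaire flavor per vendor type; anything else gets the general catch-all.
QUESTIONNAIRE_FLAVOR = {
    "lead_provider": "lead-provider",
    "collection_agency": "collection-agency",
    "debt_buyer": "debt-buyer",
}

FAST_LANE_MAX_SCORE = 4   # constructed threshold
DEEP_DIVE_MIN_SCORE = 10  # constructed threshold


@dataclass
class VendorIntake:
    """Answers from the existing due diligence form plus the two added triage questions."""
    vendor: str
    vendor_type: str                      # lead_provider, collection_agency, debt_buyer, other
    shares_nppi: bool                     # triage question 1 (y/n)
    elements: set = field(default_factory=set)  # triage question 2: subset of ELEMENT_WEIGHT keys
    flow: Flow = Flow.NONE
    channel: str = "api"
    business_priority: bool = False       # business asks for expedited handling


@dataclass
class TriageResult:
    lane: str            # "fast", "standard" or "deep"
    questionnaire: str   # "none" or a flavor from QUESTIONNAIRE_FLAVOR / "general"
    score: int
    expedited: bool      # scheduling priority only; never lowers the lane
    reasons: list


def risk_score(intake: VendorIntake) -> int:
    """Combine data sensitivity, flow direction and channel into one constructed score."""
    if not intake.shares_nppi:
        return 0
    unknown = intake.elements - set(ELEMENT_WEIGHT)
    if unknown:
        raise ValueError(f"unrecognised NPPI elements on intake form: {sorted(unknown)}")
    data = sum(ELEMENT_WEIGHT[e] for e in intake.elements)
    direction = DIRECTION_WEIGHT[intake.flow]
    channel = CHANNEL_WEIGHT.get(intake.channel, UNKNOWN_CHANNEL_WEIGHT)
    return data + direction + channel


def triage(intake: VendorIntake) -> TriageResult:
    """Pick the assessment lane and questionnaire flavor for one vendor."""
    score = risk_score(intake)
    if score == 0:
        # No NPPI shared: the two triage questions were the whole assessment.
        return TriageResult("fast", "none", 0, intake.business_priority, ["no NPPI shared"])

    reasons = [f"score {score}"]
    flavor = QUESTIONNAIRE_FLAVOR.get(intake.vendor_type, "general")

    # SSNs or banking data always get the deep dive regardless of score.
    if intake.elements & {"ssn", "banking"}:
        lane = "deep"
        reasons.append("SSN or banking data in scope")
    elif score >= DEEP_DIVE_MIN_SCORE:
        lane = "deep"
    elif score <= FAST_LANE_MAX_SCORE:
        lane = "fast"
    else:
        lane = "standard"

    if intake.channel not in CHANNEL_WEIGHT:
        reasons.append(f"unrecognised channel '{intake.channel}' scored as worst case")
    return TriageResult(lane, flavor, score, intake.business_priority, reasons)


if __name__ == "__main__":
    # Constructed sample intake forms.
    samples = [
        VendorIntake("Acme Leads", "lead_provider", True, {"email", "name"}, Flow.INBOUND, "api"),
        VendorIntake("Recovery Co", "collection_agency", True,
                     {"name", "address", "ssn", "banking"}, Flow.BIDIRECTIONAL, "sftp"),
        VendorIntake("MailBlast", "marketing_platform", True, {"email"}, Flow.OUTBOUND, "email",
                     business_priority=True),
        VendorIntake("Office Plants Inc", "other", False),
    ]
    for s in samples:
        r = triage(s)
        print(f"{s.vendor:18} lane={r.lane:8} questionnaire={r.questionnaire:18} "
              f"expedited={r.expedited} reasons={r.reasons}")
```

Two design points worth keeping when adapting this: the "expedited" flag only changes who gets worked first, so a vendor the business is excited about still gets the questionnaire its data exposure warrants, and a channel the form did not anticipate is scored as the worst case rather than silently dropped, which is the failure mode that lets a risky vendor slip into the fast lane.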
These are simple techniques that we have implemented in the past. Our clients typically face a growing vendor due diligence backlog and feel overwhelmed with the IT security due diligence process. We take on this function and optimize the process, saving time and money for all stakeholders involved.
Did you like this article? Which tip resonated with you the most?