Asking Vendors the Right Questions

How is your company managing the security of your vendors?

According to the 2018 Ponemon Institute Data Risk in the Third-Party Ecosystem study:

59% of companies have experienced a data breach caused by one of their vendors or third parties.

Do you know how much is at stake if one of your vendors or fourth parties is breached? Security questionnaires are opportunities to understand the scope of your vendor’s security controls.

Creating security questionnaires is an art

Each well-crafted question can strengthen your vendor management program. The questions you ask are not a one-and-done exercise. Each answer should be an indicator of how you should evaluate your vendors’ security programs. Not asking your vendor the right questions can introduce more risk for your company.

Here are the security areas you should address in your security questionnaires:

Stance on Compliance

How is the vendor establishing information assurance with their clients? This area addresses the vendor’s efforts in maintaining security compliance.

With the growth of privacy laws (GDPR, CCPA, etc.), your clients will demand that your company be compliant in all areas, including your vendors. Vendors following established security standards (such as SOC 2, ISO, PCI, HITRUST, etc.) can provide assurance that they are following best practices on an annual basis.

Risk Management Program

The next area you should address is the vendor’s internal and external risk assessments. What vendor risks could your company be exposed to?

Risk registers can provide your company with valuable insights from the vendor’s risk assessments. This is an opportunity to address the risks that impact your company’s services and the steps taken by the vendor to treat them.

Access Management

What controls does the vendor have in place for access provisioning, review, and de-provisioning of accounts with access to your company data?

You should determine if the least-privilege principle is applied to accounts with access to your company data. Not every user at the vendor should be a super admin managing every service for your company. Once accounts are established, evaluate how the vendor will review access to ensure each access level remains appropriate.
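One way to turn the vendor’s answer into something you can check on a recurring basis is to ask for an export of the accounts that hold access to your data and run it through a simple access review. The script below is an added example, not part of the original article or any vendor’s tooling; the account records, the approved role list, its per-role limits and the 90-day review interval are all constructed assumptions that you would replace with what your contract with the vendor actually states.

```python
"""Vendor access review helper (added example; all data below is constructed).

Assumes the vendor can export, for accounts with access to your company data,
the account name, its role, the date the access was last reviewed, and whether
the person is still active. Findings are returned as (kind, subject, detail)
tuples so they can be tracked in your vendor risk register.
"""
from datetime import date, timedelta

# Constructed sample export; in practice this comes from the vendor's
# identity provider or admin console.
VENDOR_ACCOUNTS = [
    {"account": "alice@vendor.example", "role": "super_admin",
     "last_reviewed": "2024-01-15", "status": "active"},
    {"account": "bob@vendor.example", "role": "support_readonly",
     "last_reviewed": "2024-03-02", "status": "active"},
    {"account": "carol@vendor.example", "role": "super_admin",
     "last_reviewed": "2023-06-30", "status": "active"},
    {"account": "dave@vendor.example", "role": "billing_admin",
     "last_reviewed": "2024-02-10", "status": "terminated"},
    {"account": "svc-backup@vendor.example", "role": "super_admin",
     "last_reviewed": "2024-02-20", "status": "active"},
]

# Hypothetical agreement: roles the vendor may hold over your data and the
# maximum number of accounts permitted at each level (least privilege).
APPROVED_ROLES = {"super_admin": 2, "billing_admin": 3, "support_readonly": 10}
# Hypothetical agreement: every access grant must be re-reviewed this often.
REVIEW_INTERVAL_DAYS = 90


def review_vendor_access(accounts, today_iso, approved_roles=APPROVED_ROLES,
                         review_interval_days=REVIEW_INTERVAL_DAYS):
    """Flag de-provisioning gaps, unapproved roles, stale reviews and
    role counts that exceed the agreed limit."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=review_interval_days)
    findings = []
    counts = {}

    for acct in accounts:
        name, role, status = acct["account"], acct["role"], acct["status"]

        # A terminated person who still has an account is a de-provisioning gap.
        if status == "terminated":
            findings.append(("deprovision", name, "terminated account still present"))
            continue

        # Any role outside the agreed list needs explanation from the vendor.
        if role not in approved_roles:
            findings.append(("unapproved_role", name, role))
        counts[role] = counts.get(role, 0) + 1

        # Access that has not been re-reviewed within the interval is stale.
        reviewed = date.fromisoformat(acct["last_reviewed"])
        if reviewed < cutoff:
            findings.append(("stale_review", name,
                             f"last reviewed {reviewed.isoformat()}"))

    # Too many accounts at a privileged level violates least privilege.
    for role, limit in approved_roles.items():
        if counts.get(role, 0) > limit:
            findings.append(("too_many", role, f"{counts[role]} > {limit}"))

    return findings


if __name__ == "__main__":
    for kind, subject, detail in review_vendor_access(VENDOR_ACCOUNTS, "2024-04-01"):
        print(f"{kind:15} {subject:28} {detail}")
```

Each finding maps to a question you can put back to the vendor: why a terminated account still exists, why a third super admin was added, and when the last review of a long-standing grant actually took place.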

Incident Management

When there is an incident on the vendor side, how and when will your company be informed?

Inspect the vendor’s Incident Response Policy to determine how your company will be involved during these events. Based on the answers in this section, update your own Incident Response Policy so that it aligns with the vendor’s procedures.

Service Availability

What security controls are in place to monitor and ensure service level agreements are met?

This is a chance for your company to understand the redundancy controls that are in place. Additionally, your company gets the chance to understand the vendor’s history of breaches and the actions the vendor took to manage their service level agreements. The actions taken should reflect what the vendor’s Business Continuity & Disaster Recovery Program mandates.

Patch Management

What is the vendor’s process of notifying your company of the requirements and timeline for critical patch deployment?

There are two risks to consider in applying patches:

  1. Not having the latest version could leave your company exposed to vulnerabilities
  2. Not testing the patches properly before deployment could impact your company’s service availability

Set the necessary expectations and procedures when it comes to the maintenance windows for the vendor updates. Your company’s Change Management Procedures should have a section addressing the lifecycles of vendor patches.

Physical Security

How will the vendor ensure the protection of your company’s data and services if a social engineering attack occurs?

In the IBM “Cost of a Data Breach Report” from 2019, 24% of data breaches were reported to be caused by human error. To reduce the likelihood of human error on the vendor side, you should evaluate what security controls are in place to protect against tampering, unauthorized access, and user errors.

An additional control outside of physical security to reduce the risk of human error is the development of effective security awareness training.

Vendor Management

Does your company know your fourth-party providers? What controls does the vendor have in place for their Vendor Management program?

If your company is making the effort to mature your Vendor Management Program, you should expect your vendors to do the same to reduce risk. Determine what fourth-party vendors will directly impact your services – especially the vendors that handle your company’s PII.

The goal of security questionnaires is to provide leadership deeper insight when selecting or continuing with a vendor.

What risks is your company willing to take to have the vendors’ services? How will your company track and manage the vendor’s risks?

Contact Us

Creating security questionnaires is an art and a continuous effort, but you do not have to do it alone. Reach out to our team to help you ask the right questions to your vendors!
