Do you have a customer that is asking you to fill out a security questionnaire as part of their "due diligence" process? Does it make you nervous to start answering questions that aren't worded clearly or fall outside of your primary domain?
This post covers some of the basics for handling security questionnaires. For most companies, at some point this starts to become a source of anxiety or even just time management. Often, this type of scrutiny is what triggers companies to become securityprogram.io customers. With a program in place, we can confidently handle the diligence reviews in a consistent way.
One pitfall customers fall into is that they want to answer "yes" to every question. This is particularly true when sales or sales engineers are responsible for answering the questions. There are a couple of problems with answering "yes" across the board:
The reality is, even most larger firms can't answer yes to every question. It is much more meaningful to know where your strong points are, maybe where you should answer "yes" and where your weak points are and you are better off answering "no".
Here are two specific examples:
|Do you encrypt data in transit?||Yes. We use TLS 1.2 or above everywhere.|
|Do you use a MDM solution?||No. We do not have the capacity to manage mobile devices through a technical control. We do have a policy that addresses how employees should be using their devices.|
For the first item, we are using TLS. Not only that, this would be a huge red flag to say "no" on. So for this type of item, if we were not using TLS we should take action so that we are.
For the second item, maybe we don't even know what MDM means. It means mobile device management. It allows you to control the installation of software and remotely wipe mobile devices if they are lost or stolen. While MDM is a good control, and may be needed in certain security sensitive environments, it is not something that every company must do.
When you get the questions, is it a big Excel file? Maybe it is even an online system. Does it seem just like others you have answered before, but just a little different? We see a lot of the same questions repurposed and reused. Our customers feel much more comfortable when they realize that a set of questions is mapped to a standard like SIG Lite or ISO 27001 or CAIQ and that there isn't any "magic" to answering them.
Unfortunately, many companies end up making their own questionnaires based on some combination of standards or questionnaires. This makes it even harder to optimize your answers.
One thing we always do is make a directory of the responses we have made so that we can find them and hopefully refer to them as needed. Some customers use tools like rfpio.com to help manage responses. We've talked about adding some of these types of features to securityprogram.io but what we really want to do is use natural language processing and let you upload a questionnaire then download it already filled out.
When we're working with these questionnaires, we also track any places where they are asking us about things we know we need to do but aren't yet. Then we cross reference that into our security plan.
Having a security plan and systems in place that are aligned to a major standard, like NIST 800-53NIST 800-53 is a special publication by the National Institute of Standards and Technology (NIST) that provides a catalog of security and privacy controls for federal information systems and organizations. The publication outlines security requirements and guidelines for the selection, implementation, and assessment of security controls to protect the confidentiality, integrity, and availability of information systems. or ISO 27001ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information and mitigating cybersecurity risks. ISO 27001 includes a set of best practices for establishing, implementing, maintaining, and continually improving an ISMS, which helps organizations identify and manage information security risks and protect against cyber attacks. can help ensure that you have good answers for these questions and that you won't be surprised down the line.
Really, you want to own your security planning and not be reactive to every different customer request.
securityprogram.io helps you build the plan and do the work to make sure you are ready for anything your prospects throw at you.
As you get more advanced, you may consider doing a formal certification like SOC 2 Type 2SOC 2 Type 2 is a type of Service Organization Control (SOC) report that evaluates the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy over a period of time, typically six to twelve months. These reports are based on the Trust Services Criteria (TSC) developed by the AICPA and cover both the design and operating effectiveness of a service organization's systems, processes, and procedures. or ISOISO (International Organization for Standardization) is an independent, non-governmental international organization that develops and publishes standards for various industries and sectors, including cybersecurity. 27001 or both. securityprogram.io can help with that too, but we'll save that for a separate post.