Answering Security Questionnaires

June 13, 2020

Do you have customers that are asking you to fill out security questionnaires as part of their "due diligence" process?  Does it make you nervous to start answering questions that aren't worded clearly or fall outside of your primary domain?  

This post covers some of the basics for handling security questionnaires.  For most companies, at some point this starts to become a source of anxiety or even just a time management problem.  Often, this type of scrutiny is what triggers companies to become securityprogram.io customers.  With a program in place, we can confidently handle the diligence reviews in a consistent way.

Let Jemurai Answer your Questionnaire

YES YES YES

One pitfall customers fall into is that they want to answer "yes" to every question.  This is particularly true when sales or sales engineers are responsible for answering the questions.  There are a couple of problems with answering "yes" across the board: 

  1. An attentive reviewer will know that you don't know what you are talking about.
  2. It could result in your company taking on more responsibility than it should and, down the road, being committed to spending money to implement something you said you already did!

The reality is, even most larger firms can't answer yes to every question.  It is much more meaningful to know where your strong points are, where you should answer "yes", and where your weak points are, where you are better off answering "no".

Here are two specific examples: 

Question: Do you encrypt data in transit?
Answer: Yes.  We use TLS 1.2 or above everywhere.

Question: Do you use an MDM solution?
Answer: No.  We do not have the capacity to manage mobile devices through a technical control.  We do have a policy that addresses how employees should be using their devices.

For the first item, we are using TLS.  Not only that, saying "no" here would be a huge red flag.  So for this type of item, if we were not using TLS, we should take action so that we are.

For the second item, maybe we don't even know what MDM means.  It means mobile device management.  It allows you to control the installation of software and remotely wipe mobile devices if they are lost or stolen.  While MDM is a good control, and may be needed in certain security sensitive environments, it is not something that every company must do.

STANDARD?

When you get the questions, is it a big Excel file?  Maybe it is even an online system.  Does it seem just like others you have answered before, but just a little different?  We see a lot of the same questions repurposed and reused.  Our customers feel much more comfortable when they realize that a set of questions is mapped to a standard like SIG Lite or ISO 27001 or CAIQ and that there isn't any "magic" to answering them.

Unfortunately, many companies end up making their own questionnaires based on some combination of standards or questionnaires.  This makes it even harder to optimize your answers.

One thing we always do is make a directory of the responses we have made so that we can find them and hopefully refer to them as needed. We've added some of these types of features to securityprogram.io but what we really want to do is use natural language processing and let you upload a questionnaire then download it already filled out.

When we're working with any security questionnaire, we also track any places where they are asking us about things we know we need to do but aren't doing yet.  Then we cross-reference that into our security plan.

A SECURITY PLAN WILL HELP WITH SECURITY QUESTIONNAIRES

A well-structured security plan not only helps protect you from cyber threats but also instills confidence in customers, partners, and investors. Having a security plan and systems in place that are aligned to a major standard, like NIST 800-53 or ISO 27001, can help ensure that you have good answers for any security questionnaire. If you are feeling a bit uncertain about your security plan, take a look at securityprogram.io as a way to strengthen your security posture.

So how to handle security questionnaires…

That’s an easy one: let Jemurai handle the burden for you. Our team of experienced professionals will expertly navigate the maze of inquiries on your behalf, ensuring accurate and comprehensive responses that highlight your company's robust security measures. With Jemurai by your side, you can focus on your core business while we take care of the details.

Stay secure!

© 2012-2024 Jemurai. All rights reserved.