By: Shannon Noonan, Co-Founder/President of QoS Consulting Solutions, LLC
As organizations become more reliant on SaaS environments and solutions, we need to complete the necessary due diligence to ensure the security of our companies, internal controls for various audits or certifications, privacy at a global level and, simply put, the survival of the company and its employees. We are all constantly asking whether this is “safe & secure” and whether we are doing the right thing by going to a third party versus keeping things in-house. As we continue to explore SaaS-based environments, SaaS providers have opened themselves up to endless vendor management questionnaires and assessments from potential and existing customers. There are various ways to respond studiously to questionnaires. Responses include third-party audit reports such as SOC reports and completed standard questionnaires such as SIG, CSA, CIS, NIST, etc. This tends to work for larger companies who have “made it” and can push back, but organizations that are looking for the next big win and trying to survive in a highly competitive world tend to complete questionnaires over and over again. Is a burgeoning business looking for growth willing to risk security just to win a customer? Or is it willing to uphold its standards and limit its responses?
I recently completed a vendor questionnaire which went beyond the simple “yes” or “no”, “do you have a process in place” style. The instructions noted, “response may start with Yes, No, or N/A, but you need to explain in as many details as possible the answers to the questions”. A person who is not familiar with security and is looking to complete a sale may provide an inordinate amount of detail based on the instructions above. This raises the question: “Are the right teams completing these questionnaires?” In some cases, no; they tend to be completed by the sales team working to meet a sales quota. This does not mean a salesperson does not understand how to limit the sharing of information, but under pressure for a win, will unnecessary risks be taken? In other cases, this falls to the security and compliance teams. Could they, too, provide too much information based on their familiarity with auditor expectations?
As a security and compliance professional who understands overall risk to an organization, I looked at this questionnaire as a simple way for companies to create the “new” form of a phishing attempt. As we answer questions, we open ourselves up to providing sensitive security details (i.e., providing a full list of your security team and developers to a customer or providing an architecture diagram).
As you determine who, what and how questionnaires are answered, what risks would you see associated with answering the below questions? At what point is it considered too much information?
As these questionnaires go beyond the “yes” or “no” questions, are we providing teams with the right tools to assess and answer these questionnaires? Are we, as organizations, doing our due diligence and asking the right questions back to these customers? Is my company information safe in this questionnaire or is there a risk associated with answering these questions? How do I know it won’t lead to a breach as I describe the process and systems?
I am starting to notice that questionnaires, and the tools used to answer them, can present a risk to the overall security of the company if not handled properly. Adding specific details can open companies up to various vulnerabilities that correlate with external and insider threats, cyberattacks, hacking, or breaches. The takeaway for all on questionnaires includes providing the teams with the right resources and understanding to answer each question, as well as educating and training the necessary teams on the business and security risks involved in providing too much detail. Additionally, the responding teams need to know whom to ask when questions arise.
If challenges exist with your organization’s vendor management program, QoS Consulting Solutions is here to assist with a readiness assessment, remediation/implementation plan, process development, and/or training. Contact us today at firstname.lastname@example.org.