Are vendor questionnaires causing a security risk to your organization?

By: Shannon Noonan, Co-Founder/President of QoS Consulting Solutions, LLC

As organizations become more reliant on SaaS environments and solutions, we need to complete the necessary due diligence to ensure the security of our companies, internal controls for various audits or certifications, privacy at a global level, and, simply put, the survival of the company and its employees. We are constantly asking whether something is “safe and secure” and whether we are doing the right thing by going to a third party instead of keeping it in-house. As we continue to explore SaaS-based environments, SaaS providers have opened themselves up to endless vendor management questionnaires and assessments from potential and existing customers. There are various ways to respond studiously to questionnaires: providing third-party audit reports such as SOC reports, or supplying completed standard questionnaires such as SIG, CSA, CIS, or NIST. This tends to work for larger companies who have “made it” and can push back, but organizations that are looking for the next big win and trying to survive in a highly competitive world tend to complete questionnaires over and over again. Is a burgeoning business looking for growth willing to risk security just to win a customer? Or is it willing to uphold its standards and limit its responses?

I recently completed a vendor questionnaire that went beyond the simple “yes” or “no” style of asking whether a process is in place. The instructions noted, “response may start with Yes, No, or N/A, but you need to explain in as many details as possible the answers to the questions”. A person who is not familiar with security and is looking to complete a sale may provide an inordinate amount of detail based on instructions like these. This raises the question, “Are the right teams completing these questionnaires?” In some cases, no: they tend to be completed by the sales team working to meet a sales quota. This does not mean a salesperson does not understand how to limit the sharing of information, but under pressure for a win, will unnecessary risks be taken? In other cases, completing the questionnaire falls to the security and compliance teams. Could they too provide too much information, based on their familiarity with auditor expectations?

As a security and compliance professional who understands overall risk to an organization, I looked at this questionnaire as a simple way for companies to create a “new” form of phishing attempt. As we answer questions, we open ourselves up to providing sensitive security details (e.g., providing a full list of your security team and developers to a customer, or providing an architecture diagram).

As you determine who answers questionnaires, what is shared, and how it is shared, what risks would you see associated with answering the questions below? At what point is it considered too much information?

Question: How many developers work on your software?
Example of an acceptable answer: We currently have 300 employees.

Question: Does the developed software have a corresponding data flow diagram to document in detail how sensitive information is processed by hardware and software? If so, please provide.
Example of an acceptable answer: Yes, this document is managed internally. We do not provide any documentation around our data flow. However, we have third-party audits that review and validate our process. We can provide the reports under NDA.

Question: What verification mechanisms are in place to prevent the unauthorized modification of code?
Example of an acceptable answer: We have a strict policy for code reviews which includes completing testing and obtaining approvals before deployment.

Question: Does your database platform encrypt customer data? If so, what are the specifications for encryption? How are keys stored?
Example of an acceptable answer: Yes, data transmission is protected using TLS 1.2 or later. Data at rest is stored using strong encryption (AES256 or better). We have a multi-layer system for key management and key rotation.

Question: How is the platform backed up? How often is the backup run?
Example of an acceptable answer: All backend data services are continually synced between the primary and secondary failover.

Question: Are all employees required to wear a photo badge?
Example of an acceptable answer: Badges are always required to be worn onsite.

Question: Do you outsource any information security services? If so, can you provide the names of the third parties and the services they provide?
Example of an acceptable answer: Security is managed by full-time employees. If at any time we determine the use of an outsourced resource, they would go through our vendor assessment process and follow all employee requirements for security and training.

As these questionnaires go beyond “yes” or “no” questions, are we providing teams with the right tools to assess and answer them? Are we, as organizations, doing our due diligence and asking the right questions back to these customers? Is my company’s information safe in this questionnaire, or is there a risk associated with answering these questions? How do I know it won’t lead to a breach as I describe our processes and systems?

I am starting to notice that questionnaires, and the tools used to answer them, can present a risk to the overall security of the company if not handled properly. Adding specific details can open companies up to various vulnerabilities that correlate with external and insider threats, cyberattacks, hacking, or breaches. The takeaway for everyone on questionnaires is to provide the teams with the right resources and understanding to answer each question, and to educate and train the necessary teams on the business and security risks involved in providing too much detail. Additionally, the responding teams need to know whom to ask as questions arise.

If challenges exist with your organization’s vendor management program, QoS Consulting Solutions is here to assist with a readiness assessment, remediation/implementation plan, process development, and/or training. Contact us today at