BLOG

Vendor responses to third-party security assessment questionnaires can have a wide range of “truthiness”. Questions about “how does your organization protect x” or “explain your process for y” can often be met with “yes” or “no” responses or the classic less-then-informative response of “we are HIPAA compliant”.

This phenomenon can be chalked up to a variety of root causes, including security responses being completed by sales personnel who have limited security knowledge or expertise, missing security controls and a lack of transparency by the vendor, or pressures of the sales cycle to get responses completed quickly for a large volume of customer security assessments.

There are also times where a vendor may be hoping that the customer does not have the time or cycles to follow up on responses, which is quite often the case with organizations that follow a “check the box” mentality for third-party risk and compliance. In such instances, a short or erroneous answer from the vendor may very well go unchecked.

Decoding and deciphering the reality of risk based on questionnaire responses requires an experienced and skilled assessment team. Here are some recommended leading practices for making the security assessment questionnaire and review process more efficient and effective:

• Understand that the questionnaire is only a first step in assessing risk for vendors; responses for critical risk controls must be backed up and validated by supporting evidence. This takes some additional investment of time, but if there is no validation of answers, then there is little value in issuing the questionnaire in the first place.
• Prioritize risk control areas of interest. More questions and more responses do not mean a higher degree of security. Put the risk in context with your business and information security environment and prioritize control areas accordingly. If you make everything a high risk, then nothing is a high risk. Third-party risk teams often struggle to make meaningful risk decisions based on questionnaires simply because they have asked too many or the wrong questions.
• A mature security program will also have ample documentation of processes and controls. If questionnaire responses indicate a high degree of maturity but are unable to supply supporting documentation, then the responses are likely rosier than reality.
• Get on the phone. Back and forth electronic communication about detailed controls over email and spreadsheets can drag out the assessment process for weeks and months on end. Having a candid dialog about the security and risk control areas that are most important for your organization while working to identify reasonable remediation measures is sometimes far more productive to manage risk than swapping email paragraphs about hundreds of control areas. Recognize that these are your business partners, not your adversaries, and engage in collaborative dialog.
• Request and review security certifications from the vendor. Many of the most common security control questions may have already been vetted by a trusted third party via a security certification like SOC 2 Type II or HITRUST. Security certifications should not replace your assessment process altogether, but can save everyone a great deal of time and cost in the third-party risk assessment process.
• Validate that the responses to your questionnaire apply to the specific applications or systems in scope. Quite often a vendor may maintain a SOC 2 or HITRUST certification, but that certification may apply to a part of the business or application that is not in scope for your specific implementation.
• Reuse and recycle vendor questionnaire responses. Here at CORL, we have a Data Reuse program that is designed to allow vendors to leverage previous questionnaire responses for new clients. When vendors are notified that a new client has requested an assessment, they will have the option to explicitly approve the reuse of data for the new client. This saves everyone the time and energy of crafting and responding to standard security questions. You can read more about our Data Reuse program in our Vendor FAQ.
• Recognize that no security program is perfect and very few, if any, organizations are managing all risk areas to a high degree of maturity. If you see questionnaire responses that appear too good to be true, then this should raise a red flag for further assessment and validation of evidence.

Security and risk questionnaires are an important piece of the puzzle, but they are not a fool-proof mechanism for assessing third-party risk. Effective third-party risk assessments require the right balance of risk data and information, processes, skilled people, and technology.

Here at CORL, we deliver tech-enabled managed services that provide the keys to decipher and decode vendor audit responses in a collaborative way - driving results to measurably lower organization risk across your entire vendor portfolio.