How to Fill out a Vendor Security Assessment Questionnaire

How do I fill out a vendor security assessment questionnaire? As companies become more security focused and realize that suppliers/vendors represent potential security threats, we are constantly being asked how to fill out a supplier assessment related to information security. While we think this is great for the security industry, it often creates more questions than answers for small suppliers that do not have a technical or security-focused person on staff. Today, we’re going to detail some tips that can assist in the process.

  1. Be honest – First and foremost, when filling out a security assessment questionnaire you should always be honest in your answers. This should go without saying; however, the legal impacts and ramifications of a potential breach are still in their infancy, so they may be unclear to you. The last thing you want to do is provide false information to a company and then have your organizational security be the reason they are compromised.
  2. Policies, Policies, Policies – If you have ever had the pleasure of looking at a security assessment questionnaire, odds are you saw the word “policy” a minimum of 10 times. As defined by the SANS Institute, a policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. The SANS Institute provides various policy templates that can be leveraged to create policies from scratch. These policies are not only a good way to prove that your security practices meet compliance requirements, but they also provide a good baseline for your security program in general. And if your security staff moves on to another position, you have a written record to enforce your security policies during the handover.
  3. Penetration Testing – These days, it is common practice to request that a third-party supplier or vendor have some basic level of penetration testing performed at a regular interval (we recommend annually). For small and even mid-size businesses that do not have dedicated IT or security teams, this most likely has never occurred. Depending on your expected turn-around time and the client, you can always indicate that you have not previously conducted penetration testing. If you do that, it’s best to also share your plan and expected timeline of completion, explaining that you will do so in the near future and provide the results to them following the assessment.
  4. Simple Fixes – There are often tasks or items that have to be completed, but are quick, low-hanging fruit that can be addressed in relatively short order, such as:
    • Background Checks – If you do not conduct background checks at hiring, now is probably the time to start. There are plenty of fairly priced services out there that can provide an extensive background check and provide a certificate of completion that can be sent to a third party (without revealing sensitive employee information).
    • Asset Inventory – A simple spreadsheet used to track the various hardware on your network will not only help you complete most questionnaires, it will help you keep track of inventory. This inventory is invaluable when considering network architecture modifications, security control rollouts, and certain aspects of incident response.

Vendor security assessment questionnaires vary, so they may ask for more or less than what we have detailed above. While these may seem cumbersome, they are meant to protect both your company and your client. We strongly encourage you to take them seriously and look to implement anything suggested that is not currently in place at your company or in your environment. As always, we would be happy to assist in any way that we can, so feel free to contact us today!