Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/6/2019
02:30 PM
Kelly White
Kelly White
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

It's Time to Rethink Your Vendor Questionnaire

To get the most from a vendor management program you must trust, then verify. These six best practices are a good place to begin.

Questionnaires are a vital part of understanding how your vendors manage cybersecurity risk; they'll help you understand the investments your vendors have made for positive risk outcomes across people, processes, and technology. They're especially useful because, frankly, there are some questions you can't get answers to unless you ask.

Yet as valuable as questionnaires are for assessing third-party risk, they have shortcomings. Here are best practices that can enhance your third-party risk program and get the most value from your vendor questionnaire process.

Challenge #1: Longer questionnaires mean greater costs.
The length of a questionnaire has financial implications. For example, according to a study by RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34 — that's a huge range. (The range is due to economies of scale related to asking questions. The more questions you ask, the lower the cost to add an additional question to the questionnaire.) Add another $10,000 if you conduct an on-site visit. Long questionnaires can also take a long time for the vendor to answer, which can slow down your business.

Best Practices: 
Know the scope of what you're asking.

  • Only ask questions you need answered. Don't ask questions that are irrelevant to the relationship you have with your vendor.
  • Understand whether a standards-based questionnaire is right for your organization or whether you need to develop a custom one.

Challenge #2: Questionnaires don't always show you reality.
Your vendors don't know what they don't know, and neither do you! That's a problem because you trust your vendors to give accurate answers — not just best guesses. Questionnaires are inherently biased because they're answered by the enterprise being assessed, so you'll never receive fully objective answers.

Best Practices: 
Trust, but verify.

  • Require your vendors to provide objective evidence of information security performance. This can include reports of independent network and web application security assessments.
  • Leverage cybersecurity risk ratings data to gain objective verification of a large swath of the assessment criteria. In our experience, risk ratings data can objectively verify between 25% and 55% of assessment questions. For example, a common assessment question is "Do you encrypt email communications?" Cybersecurity risk rating providers can discover the vendor's email servers and check to see if it implements email encryption through STARTTLS.
  • Use open source intelligence — providers can describe the quality of your vendors' cybersecurity based on passive observation.

Challenge #3: Questionnaires are typically administered at a fixed frequency.
The classic approach to assessing third parties is to divide vendors into inherent risk tiers (high, medium, low, etc.) and then establish a fixed frequency administration schedule. The problem here is that you're allocating risk resources without regard to risk: Vendors managing risk well are allocated the same assessment resources as vendors that are managing poorly.

The frequency of questionnaires should instead be based on known vendor performance.

Best Practices:
Instead of assessing vendors at the same frequency (for example, all high-risk vendors annually), make the assessment frequency part of your assessment strategy.

  • Determine assessment frequency based on residual risk rather than inherent risk.
  • Continually monitor your vendors' ratings and adjust your assessment schedules accordingly.
  • Establish the best frequency for your objectives.

Challenge #4: Questionnaires are generic, but your vendors aren't.
If you want to get the most out of a questionnaire, make sure you ask the right questions based on your relationship with the vendor. The idea is to shape the questionnaire to the risk context that you're analyzing. Not every question will apply to every vendor; more importantly, you'll want to ask some vendors additional questions that won't apply to others.

Best Practices:
Know your vendor, then shape the questionnaire accordingly.

  • Use the questionnaire to target the data you're most interested in; don't waste time gathering information you already have.

Challenge #5: Questionnaire-based assessments are infrequent.
Because questionnaires have to be administered by a person in your company and responded to by a person in the other company, it takes time to complete the entire process. In the meantime, entire digital ecosystems can emerge and change. New vulnerabilities can arise.

Best Practices:
Use cyber-risk ratings — they'll tell you if vulnerability management performance is degrading, if your vendor has systems behaving maliciously on the Internet, and reveal a host of other issues.

  • Don't only rely on a vendor questionnaire; make a cybersecurity risk rating platform an integral part of your third-party vendor security investigation.

Challenge #6: Know which questions to ask.
Even if the vendor knows everything there is to know about its security (which never happens), the onus is on you to ask the correct questions. Let's say you want to know if your vendor is managing all of your assets. Consider two questions: Do you track systems in a configuration management database? How do you ensure that you have a complete inventory of all of your systems? The first question will tell you that it bought some software that's helpful for managing assets but says shows nothing about whether or not it's tracking all of their its assets. However, the second question forces the vendor to reveal its strategy.

Best Practices:
Craft the question after determining what you want to discover in the answer.

  • Never ask yes/no questions unless they're very specific. (For instance, "Do you have a CISO responsible for all security aspects of protecting my relationship with you as a critical vendor?")
  • Ask for details on processes, not just software purchases

Questionnaires are useful in finding out what vendors have invested in across people, processes, and technology. Still, using questionnaires effectively can be challenging. With some strategic thought and planning, you can get the data you need for good risk outcomes.

  • Know the scope of what you're asking.
  • Trust, but verify.
  • Instead of assessing vendors at the same frequency (such as all high-risk vendors assessed annually), make the assessment frequency part of your assessment strategy.
  • Know your vendor, then shape the questionnaire accordingly.
  • Craft the question after determining what you want to discover in the answer.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly White is the CEO and co-founder of RiskRecon where he is transforming third-party cyber risk management. Kelly has held various enterprise security roles, including CISO and Director of Information Security for financial services companies. Kelly was also a practice ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6287
PUBLISHED: 2020-07-14
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create a...
CVE-2020-6289
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
CVE-2020-6290
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID.
CVE-2020-6291
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
CVE-2020-6292
PUBLISHED: 2020-07-14
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.