
Threat Intelligence | Commentary
3/6/2019 02:30 PM
Kelly White

It's Time to Rethink Your Vendor Questionnaire

To get the most from a vendor management program you must trust, then verify. These six best practices are a good place to begin.

Questionnaires are a vital part of understanding how your vendors manage cybersecurity risk; they'll help you understand the investments your vendors have made for positive risk outcomes across people, processes, and technology. They're especially useful because, frankly, there are some questions you can't get answers to unless you ask.

Yet as valuable as questionnaires are for assessing third-party risk, they have shortcomings. Here are best practices that can enhance your third-party risk program and get the most value from your vendor questionnaire process.

Challenge #1: Longer questionnaires mean greater costs.
The length of a questionnaire has financial implications. According to a study by RiskRecon, each additional security assessment question costs between $11.62 and $34 to administer. The wide range reflects economies of scale: the more questions you already ask, the lower the marginal cost of adding one more. Add another $10,000 if you conduct an on-site visit. Long questionnaires also take the vendor a long time to answer, which can slow down your business.

Best Practices: 
Know the scope of what you're asking.

  • Only ask questions you need answered. Don't ask questions that are irrelevant to the relationship you have with your vendor.
  • Understand whether a standards-based questionnaire is right for your organization or whether you need to develop a custom one.

Challenge #2: Questionnaires don't always show you reality.
Your vendors don't know what they don't know, and neither do you! That's a problem because you trust your vendors to give accurate answers — not just best guesses. Questionnaires are inherently biased because they're answered by the enterprise being assessed, so you'll never receive fully objective answers.

Best Practices: 
Trust, but verify.

  • Require your vendors to provide objective evidence of information security performance. This can include reports of independent network and web application security assessments.
  • Leverage cybersecurity risk ratings data to gain objective verification of a large swath of the assessment criteria. In our experience, risk ratings data can objectively verify between 25% and 55% of assessment questions. For example, a common assessment question is "Do you encrypt email communications?" A cybersecurity risk rating provider can discover the vendor's mail servers (its MX hosts) and check whether they advertise STARTTLS, the mechanism for encrypting SMTP traffic in transit. Bear in mind that an advertised STARTTLS shows the server offers encryption; it does not by itself prove the vendor enforces it on every connection.
  • Use open source intelligence — providers can describe the quality of your vendors' cybersecurity based on passive observation.

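The STARTTLS check described above, as an added example that is not RiskRecon's or the article's own tooling: given a vendor's mail exchanger hostname (found beforehand with an MX lookup, which is assumed rather than implemented here), the script connects on port 25, reads the EHLO reply, records whether STARTTLS is offered, upgrades the session, and notes the negotiated TLS version. The sample EHLO replies and the `example.test` hostnames are constructed for offline use; `parse_ehlo_reply` and `assess_starttls` run without network access, `probe_mx` is the live check.

```python
"""Verify the "Do you encrypt email communications?" questionnaire item
externally by checking whether a mail exchanger advertises STARTTLS."""
import smtplib
import ssl
import sys
from typing import Dict, Optional

# Constructed sample EHLO replies (not captured from any real vendor) so the
# parsing and assessment logic can be exercised offline.
SAMPLE_EHLO_WITH_STARTTLS = (
    b"250-mx.example.test Hello probe.example.test [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-8BITMIME\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250 ENHANCEDSTATUSCODES\r\n"
)
SAMPLE_EHLO_WITHOUT_STARTTLS = (
    b"250-mx2.example.test Hello probe.example.test [192.0.2.10]\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_reply(reply: bytes) -> Dict[str, str]:
    """Parse a raw multi-line EHLO reply (RFC 5321 section 4.1.1.1) into a map
    of EXTENSION -> parameters. The first 250 line is the greeting, not an
    extension, so it is skipped; a non-250 reply yields no extensions."""
    features: Dict[str, str] = {}
    lines = reply.decode("ascii", errors="replace").splitlines()
    if not lines or not lines[0].startswith("250"):
        return features
    for line in lines[1:]:
        if len(line) < 5 or not line.startswith("250"):
            continue
        body = line[4:].strip()        # drop the "250-" / "250 " prefix
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params.strip()
    return features


def assess_starttls(features: Dict[str, str],
                    tls_version: Optional[str] = None) -> dict:
    """Turn parsed EHLO features (plus the negotiated TLS protocol, if a
    handshake was completed) into a record you can attach to the vendor's
    questionnaire answer as objective evidence."""
    advertised = "STARTTLS" in features
    modern = tls_version in ("TLSv1.2", "TLSv1.3") if tls_version else None
    if advertised and modern:
        verdict = "encrypts mail in transit (opportunistic TLS)"
    elif advertised:
        verdict = "STARTTLS advertised; TLS version unknown or outdated"
    else:
        verdict = "no STARTTLS: accepts mail only in cleartext"
    return {"starttls_advertised": advertised,
            "tls_version": tls_version,
            "tls_modern": modern,
            "verdict": verdict}


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against one mail exchanger: EHLO, look for STARTTLS, then
    upgrade the connection and record the negotiated protocol. Only EHLO,
    STARTTLS and QUIT are sent; no mail is submitted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # MX hostnames often do not match the cert
    ctx.verify_mode = ssl.CERT_NONE  # we are measuring, not delivering mail
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            # smtplib stores the parsed EHLO reply in esmtp_features (lowercase keys)
            features = {k.upper(): v for k, v in smtp.esmtp_features.items()}
            tls_version = None
            if smtp.has_extn("starttls"):
                smtp.starttls(context=ctx)
                tls_version = smtp.sock.version()   # e.g. "TLSv1.3"
                smtp.ehlo()                         # re-EHLO after upgrade (RFC 3207)
            result = assess_starttls(features, tls_version)
    except (OSError, smtplib.SMTPException) as exc:
        result = {"starttls_advertised": None, "tls_version": None,
                  "tls_modern": None, "verdict": f"unreachable: {exc}"}
    result["host"] = host
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_starttls.py mx.vendor.example
        print(probe_mx(sys.argv[1]))
    else:
        for sample in (SAMPLE_EHLO_WITH_STARTTLS, SAMPLE_EHLO_WITHOUT_STARTTLS):
            feats = parse_ehlo_reply(sample)
            print(assess_starttls(feats, "TLSv1.2" if "STARTTLS" in feats else None))
```

Run it against each MX host the vendor's domain publishes, not just the first; a domain frequently has several exchangers with different configurations. The record this produces verifies that the server offers encryption, which is the observable side of the questionnaire answer. Whether the vendor requires it is a policy question: opportunistic STARTTLS can be stripped by an on-path attacker, so a vendor that claims enforced encryption should be able to point to a published policy such as MTA-STS (RFC 8461), and that is a follow-up question worth asking.
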
Challenge #3: Questionnaires are typically administered at a fixed frequency.
The classic approach to assessing third parties is to divide vendors into inherent risk tiers (high, medium, low, etc.) and then establish a fixed frequency administration schedule. The problem here is that you're allocating risk resources without regard to risk: Vendors managing risk well are allocated the same assessment resources as vendors that are managing poorly.

The frequency of questionnaires should instead be based on known vendor performance.

Best Practices:
Instead of assessing vendors at the same frequency (for example, all high-risk vendors annually), make the assessment frequency part of your assessment strategy.

  • Determine assessment frequency based on residual risk rather than inherent risk.
  • Continually monitor your vendors' ratings and adjust your assessment schedules accordingly.
  • Establish the best frequency for your objectives.

Challenge #4: Questionnaires are generic, but your vendors aren't.
If you want to get the most out of a questionnaire, make sure you ask the right questions based on your relationship with the vendor. The idea is to shape the questionnaire to the risk context that you're analyzing. Not every question will apply to every vendor; more importantly, you'll want to ask some vendors additional questions that won't apply to others.

Best Practices:
Know your vendor, then shape the questionnaire accordingly.

  • Use the questionnaire to target the data you're most interested in; don't waste time gathering information you already have.

Challenge #5: Questionnaire-based assessments are infrequent.
Because questionnaires have to be administered by a person in your company and responded to by a person in the other company, it takes time to complete the entire process. In the meantime, entire digital ecosystems can emerge and change. New vulnerabilities can arise.

Best Practices:
Use cyber-risk ratings — they'll tell you if vulnerability management performance is degrading, if your vendor has systems behaving maliciously on the Internet, and reveal a host of other issues.

  • Don't only rely on a vendor questionnaire; make a cybersecurity risk rating platform an integral part of your third-party vendor security investigation.

Challenge #6: Know which questions to ask.
Even if the vendor knows everything there is to know about its own security (which never happens), the onus is on you to ask the right questions. Say you want to know whether your vendor has all of its assets under management. Consider two questions: "Do you track systems in a configuration management database?" and "How do you ensure that you have a complete inventory of all of your systems?" The first tells you only that the vendor bought software that helps manage assets; it says nothing about whether every asset is actually tracked. The second forces the vendor to reveal its strategy.

Best Practices:
Craft the question after determining what you want to discover in the answer.

  • Never ask yes/no questions unless they're very specific. (For instance, "Do you have a CISO responsible for all security aspects of protecting my relationship with you as a critical vendor?")
  • Ask for details on processes, not just software purchases.

Questionnaires are useful in finding out what vendors have invested in across people, processes, and technology. Still, using questionnaires effectively can be challenging. With some strategic thought and planning, you can get the data you need for good risk outcomes.

  • Know the scope of what you're asking.
  • Trust, but verify.
  • Instead of assessing vendors at the same frequency (such as all high-risk vendors assessed annually), make the assessment frequency part of your assessment strategy.
  • Know your vendor, then shape the questionnaire accordingly.
  • Craft the question after determining what you want to discover in the answer.


Kelly White is the CEO and co-founder of RiskRecon where he is transforming third-party cyber risk management. Kelly has held various enterprise security roles, including CISO and Director of Information Security for financial services companies. Kelly was also a practice ...