
The different formats & mistakes made when writing or answering security questionnaires

Gaspard de Lacroix
March 8, 2024

Context - The increasing number of security questionnaires

Companies, regulators, and consumers need to build trust as they address emerging challenges in business, risk management, and compliance. Regulators have taken notice, and many sectors now face strict requirements for protecting their information systems (PCI DSS for payment card data, HIPAA for healthcare). Companies are therefore required to go through Vendor Security Assessments (VSAs) frequently, while also making sure their own third parties are secure. Furthermore, these VSAs are getting longer and more complex. If you would like to know more about why security questionnaires are becoming increasingly difficult and demanding, check out our previous blog article.

The different formats of security questionnaires

At Skypher, we have collected data from over 100,000 security questions asked of our 100+ clients worldwide. Security questionnaires arrive in three formats: Excel documents (71.2%), online portals (19.2%) and Word documents (9.6%). The proportion of each format can be seen in the graph below.

Split (%) between the different formats of security questionnaires

Security questionnaires have not evolved much in their form, as most of them are still done in Word and Excel. To address these repetitive and laborious questionnaires, we decided to use machine learning and LLMs to detect the questions in a document and answer them from the company's knowledge base. We did not forget online portals, which represent 19.2% of security questionnaires and are increasingly used by companies: our team has therefore focused on a browser extension that works with 40+ online platforms (OneTrust, Prevalent, Archer, ServiceNow, CyberGRX, etc.).

The most asked questions in security questionnaires

Our database of over 100,000 answered security questions has enabled us to produce some analytics on the topics most requested by top-tier companies. Hosting questions come first, accounting for 14% of all security questions. Companies' next biggest concerns are authentication and password policies (13.8%) and privacy and data protection (11.5%). A more detailed and exhaustive breakdown of the most requested topics is illustrated in the graph below:

Most requested topics in security questionnaires

The most common security frameworks

Signing a deal with a new vendor almost always triggers a security assessment. On top of giving the organization and its clients a view of the vendor's security posture, a documented assessment helps establish liability in the event of a security breach, since the vendor's written answers become part of the record both parties relied on. Here, we outline some of the most commonly used security frameworks:

  • SSAE SOC: Reports issued under the SSAE attestation standard (currently SSAE 18) assess the controls and processes of service organizations. SOC 1 focuses on controls relevant to financial reporting, while SOC 2 assesses controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
  • CAIQ (Consensus Assessments Initiative Questionnaire): Security assessment questionnaire developed by the Cloud Security Alliance (CSA) and aligned with its Cloud Controls Matrix. It provides a standardized set of questions that organizations can use to evaluate the security posture of cloud service providers.
  • CIS Critical Security Controls: Prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks.
  • ISO/IEC 27001: Specifies the requirements for an information security management system (ISMS) that helps organizations establish and maintain robust security practices. It emphasizes risk management, continual improvement, and compliance with legal and regulatory requirements.
  • NIST SP 800-171: Issued by the National Institute of Standards and Technology (NIST), it provides a comprehensive set of security requirements for safeguarding controlled unclassified information (CUI) within nonfederal systems and organizations. It is particularly critical for organizations that collaborate with or provide services to the U.S. federal government, as compliance with these requirements is often a contractual obligation.
  • SIG (Standardized Information Gathering): Questionnaire developed by the Shared Assessments Program, a risk management nonprofit organization. SIG is designed to streamline the assessment of the information security practices and controls of third-party vendors and service providers. It comes in several variations: the basic SIG questionnaire (for initial vendor assessments), SIG Lite (for low-risk vendors), and SIG Core (a library of questions from which security teams can pick and choose).

Common mistakes that organizations make!

While these frameworks provide a structured approach to cybersecurity, they must be tailored to each vendor. Many organizations rely too heavily on common standards instead of running their own risk assessment of their vendors. Organizations should assess each vendor individually, according to the level of access it has to their internal systems and data.

Our customers often receive security questionnaires that are totally inappropriate to their business or technology. For example, a cloud SaaS solution is usually hosted by a major cloud provider such as AWS, GCP, or Azure. Under the shared responsibility model, physical and network-layer controls belong to that provider and are covered by its own attestations, so the SaaS vendor should not be audited as if it were on-premises software that manages its own servers and infrastructure. Conversely, it makes little sense to ask network or infrastructure questions of a vendor whose solution you self-host, since you, not the vendor, will be operating that infrastructure. Mismatched scoping causes a lot of frustration on the vendor side, where teams end up answering 300 questions that do not apply to their relationship with the organization.

Communication and feedback are essential here. Organizations and vendors should maintain open lines of communication about security assessments. Vendors should feel comfortable giving feedback on the appropriateness of the questions they receive, and organizations should use this feedback to refine their assessment processes over time.

The responsibility of vendors

Vendors have significant responsibilities when answering security questionnaires from their customers or partners. It is essential for them to demonstrate their commitment to cybersecurity and to build trust with their clients. 

Key responsibilities include:

  • Accuracy and Transparency: Vendors must provide accurate and honest responses to every question in the security questionnaire. It is acceptable to have some weaknesses as long as there is a timeline for remediation. Customers will place far more trust in a vendor that is aware of its weaknesses and already has a security roadmap in place to address them.
  • Responsibility towards the End-Client: Many end clients are not aware of the complex network of service providers involved in delivering the services they use. They place their trust in the primary vendor (the organization), which makes it crucial for that vendor's own third parties to respond accurately to questionnaires and to maintain the same level of security.
  • Accountability: Vendors are responsible for every response they give in a security questionnaire and are held accountable if they cannot later substantiate what they claimed.
  • Communication: Vendors should communicate any change affecting their previous questionnaire responses as soon as possible, so that the organization can factor it into its own risk assessment.
  • Speed: Vendors should respond to security questionnaires promptly and within the specified deadline. Delays can create doubt about a vendor's commitment to security.

Here are a few best practices vendors should implement to be best prepared:

  • Appoint a person who leads and is accountable for security: This could be your CTO if you are a startup, or a dedicated security professional if you are a larger organization.
  • Prepare documentation: Vendors should have their security documentation ready to share with existing customers and prospects. It should be as easy as signing an NDA and then getting access to, for example, the vendor's latest penetration test report.
  • Standardized responses: Vendors should create standardized responses to common security questions. These templates serve as a starting point for questionnaire responses and ensure consistency across answers.
  • Review process: Vendors should implement a rigorous review process to verify the accuracy of responses before submission, especially when many stakeholders are involved.
  • Keep a record of submitted answers: This history is valuable for future assessments and audits, and makes it easy to spot where a new answer contradicts an earlier one.

At Skypher, we provide software with built-in tools that support these best practices for responding to security questionnaires, used by Fortune 500 companies. With our technology and integrations, you can respond accurately, collaborate seamlessly, and keep a complete record of every answer for future audits and analysis.

If you are ready to streamline your process and boost your reliability, book a demo here today and let's discuss how we can help you succeed!

Sources:

https://www.cisecurity.org/controls/v8

https://ssae-16.com/ 

https://cloudsecurityalliance.org/  

https://www.ssi.gouv.fr/particulier/formations/secnumedu-fc-labellisation-de-formations-continues-en-cybersecurite/formations-continues-labellisees-secnumedu/certification-lead-auditor-iso-27001/ 

https://www.upguard.com/blog/sig-questionnaire 

Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2019). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication 800-171 Rev. 2, draft). National Institute of Standards and Technology.

Gaspard de Lacroix
Gaspard is our CEO and co-founder. He used to fill out security reviews at his previous jobs in the pre-sales team of a B2B SaaS company in New York. He leads our team's sales and marketing efforts and is always looking to share his experience and help our customers.
