Responding to Information Security Questionnaires

Published by Joe D on

Companies are placing an increased amount of attention on their information security exposure in the supply chain. While establishing a relationship and doing business with you, your customers have a vested interest in understanding the risk of exposing their protected information to additional downstream parties. To help understand the inherent and observed risk, companies will often issue questionnaires that attempt to identify where risks in your organization may translate to risks in the data they expose. These questionnaires are issued by your customer or an organization they hire to assess risk. Additionally, the questionnaires can be issued in various ways, ranging from worksheets to web portals where responses can be provided. Once the information is collected, the assessor will review and determine the risk of the information that is exposed to your organization.

These questionnaires may also be issued by auditors or other regulators.

There are general guidelines that should be considered when responding to these questionnaires:

  1. Honesty. Do not misrepresent your organization’s security posture or controls. These questionnaires and the respective responses can be used in legal eDiscovery and misrepresenting your posture or controls may lead to subsequent legal concerns.
  2. Avoid Puffery. Avoid using terms that imply your organization is “the best” or “world-class”. These are subjective terms that can be interpreted differently by each reviewer.
  3. Never Answer an Unasked Question. Answer the question directly and avoid providing additional information not relevant to the question at hand. More is not always better.
  4. Be Clear About Shared Security Responsibilities. If you are utilizing a third-party information technology partner, cloud-hosting service, Security Operations Center (SOC), or other organization that shares in the implementation of your security controls, declare this if asked. Do not assume these inherited controls are under your control.
  5. Consider Softer Language. Many respondents read directly from their own policies and procedures and submit those words verbatim in the questionnaire. The same objective can be accomplished by using terms such as “strive” or “aspire”. For example, if asked about application of critical risk patches, one may respond, “Our organization strives to implement patches to critical risk vulnerabilities within a 15-day timeframe.” Softer language provides the latitude for us to be imperfect. While we strive for security perfection, we know it is not achievable.

Be aware of your Information Security Policies and Procedures.
Always consult your Privacy and Security Official with questions.