Security Questionnaire From a Customer? What To Expect and How to Answer

So, you’ve just been handed a security questionnaire by a potential customer, and you’re not sure where to start.

What is access control? What should you answer when asked if you utilize strong authentication across all applications with sensitive data? 

This Rhymetec guide will not only help you answer these questions but will also provide suggestions that you can use to strengthen your security posture and work with potential customers more confidently, with less risk of non-compliance or a data breach. 

What Is A Security Questionnaire? 

Security questionnaires are used by your potential customers to assess their third-party vendors and suppliers. Numerous major third-party incidents have occurred in recent years, and threat actors are increasingly attempting “supply chain attacks” – cyberattacks that target a critical element of a particular supply chain and then attempt to move laterally into other parts of the supply chain. 

For example, the identity and access management platform Okta recently suffered from numerous compromises that threat actors attempted to use to gain access to Okta’s customers’ data. All of this is a long way of saying that companies with mature cybersecurity programs care about supply chain attacks – a lot.

Enter the security questionnaire. 

Security questionnaires are required under some compliance regimes, such as HIPAA, GLBA, and PCI DSS. In addition, understanding who you’re doing business with, what their security controls are, and what types of data you will be sharing with them is important from a simple risk mitigation perspective.

Security Questionnaire Example Questions

So, what exactly do security questionnaires typically ask? 

It can vary a lot, but here are some common types of questions:

  • Does your organization employ strong authentication measures such as multi-factor authentication for all corporate applications that hold customer data? 
  • Does your organization offboard employees within 8 hours of the termination of employment? 
  • Does your organization conduct routine penetration testing to identify vulnerabilities in your environment? 
  • Does your organization have documented incident response plans and processes? 
  • Does your organization routinely train users regarding information security and risk? 

Depending on the potential customer you are working with, questions may be very in-depth or very cursory. In many cases, your customers may tier their security questionnaires; a company that stores data about tennis shoe manufacturing needs far less scrutiny than a company storing Protected Health Information (PHI). 

Security Questionnaires and Compliance 

Security questionnaires aren’t only driven by risk requirements. They are also driven by specific legal compliance requirements that your customers fall under. We will provide two examples of major compliance regulations that directly touch on vendor security. 

In both of these, notice that nowhere is it mandated that you must send a security questionnaire. Instead, both require that organizations assess their vendors. The security questionnaire is the form that this assessment takes. 

The HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare organizations and other organizations that handle Protected Health Information (PHI).

Under HIPAA, any organization handling PHI that is considered a “covered entity” is required to comply with the HIPAA Security Rule, a specific set of information security standards. In addition, “business associates” of covered entities are also required to meet all requirements in the security rule:

  • 164.308 Administrative safeguards. (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

The U.S. Department of Health and Human Services also publishes guidance on how to conduct the risk analysis required by section 164.308. 

The Bottom Line: If your organization gets a security questionnaire from a healthcare organization and you will be handling PHI, take it extremely seriously. You may be considered a HIPAA business associate and be required to comply with the HIPAA Security Rule. An experienced vCISO can help guide you on how to answer questions and implement missing security controls.

The Gramm-Leach-Bliley Act and The Security Questionnaire

The GLBA applies to financial services organizations. Part of the regulation requires organizations to meet certain information security requirements. eCFR Part 16, § 314.4 spells out specifically what financial institutions need to do in order to maintain compliance regarding third-party suppliers:

Oversee service providers by:

  • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
  • Requiring your service providers by contract to implement and maintain such safeguards; and
  • Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

The Bottom Line: If you are getting a security questionnaire from a financial services organization, they are likely trying to meet their legal requirements under GLBA. The organization likely isn’t measuring you against a specific standard where all requirements must be met to do work with your organization. If you don’t meet every control in the risk questionnaire, consider having a conversation with the customer about which ones they find totally necessary to work with a vendor, and identify a plan to meet those on a set time scale. 

How Do You Answer a Security Questionnaire? 

Answers to security questionnaires from customers should be honest, straightforward, and complete. 

For example, to answer the following question:

  • Does your organization routinely train users regarding information security and risk?

You might reply:

  • Users are trained on a monthly basis on information security best practices using the security awareness training platform KnowBe4. In addition, regular simulated phishing campaigns are conducted against employees. If an employee fails a phishing test, additional training is mandated.

Notice that this answer states not only that the activity is being carried out but also how it is being carried out (KnowBe4).

It also states how often the training takes place, and provides additional evidence of a serious security posture by describing a related exercise: the simulated phishing campaigns.

However, don’t go overboard with information. If your customer is asking a question about training, you don’t need to tell them about your amazing vulnerability management practice. Instead, answering questions with additional detail on related policies, procedures, or technology can help make the customer’s job easier. 

The most important thing to do is never lie.

If your potential customer has asked for information that you don’t want to disclose, have a frank and honest discussion about what information you can provide, what you can’t, and why. Lying on vendor risk questionnaires can put your organization in potential legal jeopardy, both civilly and criminally.

Should I Get Outside Help in Answering a Security Questionnaire? 

Many organizations turn to managed security services organizations for help in answering security questionnaires. 

Why choose a managed security services company to help you? 

There are a few different reasons.

First, cybersecurity can be extremely complex! Answering vendor risk questionnaires isn’t always a straightforward exercise. Does your routine security assessment performed by a third party satisfy the definition of a penetration test? Does annual user training satisfy the question, “Do you regularly engage in security awareness training?”

These types of details matter but aren’t always immediately apparent to those answering a security questionnaire. 

Secondly, the “why” of a security questionnaire matters. Incorrectly answering a question on a security questionnaire from a customer who is simply doing their due diligence can be damaging. But incorrectly answering a question for an organization assessing your HIPAA compliance under the business associates rule can be fraught with legal peril.

An experienced vCISO can help navigate these waters and ensure that answers are correct and backed with evidence.

Finally, answering security questionnaires doesn’t have to be hard! There’s no reason that you should be spending weeks fretting over whether your security awareness training program is up to snuff. 

Engaging a managed security services company can help you rapidly respond to security questionnaires, unclogging your sales pipeline and turning security compliance into a selling strength. 

SOC 2 and The Security Questionnaire 

Fortunately, there may be a way to avoid answering every security questionnaire that comes your way.

Enter the SOC 2 Report. 

SOC 2 is a voluntary framework that organizations can meet and be audited against on an annual basis. By meeting requirements under SOC 2 Type 2 and undergoing an annual audit, you can have a specific report outlining your security controls to provide to prospective customers, dramatically simplifying the process. 

SOC 2 isn’t just a way to get out of doing security questionnaires, though. 

Organizations are increasingly choosing their vendors based on good security practices and continuous compliance. Using a vendor like Rhymetec to help you meet SOC 2 can expedite your sales process, build trust with potential customers, and enable you to engage prospects who want to see evidence of your security before doing business. 

The Bottom Line 

Many organizations use security questionnaires as a way to screen potential vendors for unacceptable security risks. This is becoming increasingly common, as companies wish to strengthen their third-party risk management in light of recent breaches due to vendors and suppliers. 

Hopefully, this guide helped clarify how to answer questions on security questionnaires and how to turn risk assessments into a business enabler rather than a cost center. 

About The Author: Metin Kortak, CISO

Metin Kortak is the Chief Information Security Officer at Rhymetec. Metin began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC, ISO 27001, PCI, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. He joined Rhymetec to build data privacy and compliance as a service offering. Under Metin’s leadership, these offerings have grown to more than 200 customers, positioning the company as a leading SaaS security service provider in the industry.