CRMBuyer.com

EXPERT ADVICE
Walking a Mile in Their Shoes: Vendor Security Questionnaires


Regardless of whether you're on the enterprise side or the vendor side, if you've ever had to deal with vendor security questionnaires, you know what kinds of headaches they can bring. In order to get desired results and make the process less painful, try understanding where the other person is coming from.


"Vendor security questionnaire" -- three innocuous-sounding words that can leave security folks trembling.

If you're in security -- no matter what company you're with -- there's a good chance you know exactly what I'm talking about, either because you've experienced firsthand the pain of trying to vet the information security controls of the multitude of third parties (for example, vendors and service providers) that your organization exchanges data with, or because you work for a company in the "channel," and you've gone through the process of being actively vetted by your customers.

Whichever side of the process you're on, if you've been through it, you probably realize exactly what the issue is and (probably) why I'm bringing it up. If you haven't yet had the pleasure, well, hold on to your hat, because if things continue the way they have been, it won't be long until you join the ranks of those for whom this is a major problem and a top time-sink.

Fortunately, the problem is still small enough that planning a response now will help save time down the road. To see why this is such a huge problem in our industry, let's walk through the problem from both a vendor's and an enterprise's point of view. By understanding both sides of the coin, we can see why everyone is in the same boat -- and by understanding where the other guy's coming from, we can start to see why we don't always get the responses we're hoping for.

For Enterprises

Picture this: You're a large, heavily regulated enterprise. You have potentially thousands of vendors, service providers and partners that have access to your network for one reason or another. You might have extranets with some, outsourcing arrangements with others, support arrangements with still more.

All the while, during the course of these vendors providing service to you, data that you are accountable for (such as customers' personally identifiable information, healthcare records or financial info) is shared with any number of these third parties. It might be that they host business applications within their infrastructure, it might be that your data has to traverse their network for these folks to provide critical services to you, or it could be that external personnel need to dial/VPN/remote in so that they can support systems that host this critical data.

Since you're on the hook if that data's lost or stolen, you need to somehow enforce that the folks outside your firm that have access to it maintain an acceptable level of information security. Sure, you probably (hopefully) have confidentiality agreements with most of them -- but is a piece of paper with a signature on it really enough for you to sleep comfortably?

So what do you do? Enter the security questionnaire. To at least do some minimal measure of due diligence, you put together a self-assessment that your third parties can fill out that will give you insight about what their controls are. You send it to your vendors and wait for the responses.

For Vendors

Now let's say you're a vendor. For the sake of argument, say you're a successful solutions provider that offers a number of cloud-based applications that your customers use to process customer payments. Since you're successful, you have a lot of clients -- maybe thousands of clients. Since your service hosts data that's both critical to your clients' business and governed by one or more regulations, you are right in the crosshairs of your customers' compliance and data security efforts.

Customers start sending you questionnaires about your information security controls. At first, it's a trickle -- maybe one or two requests come in per week. As time goes by, though, you notice that you're getting more and more of these types of requests. Each one is different from the one before it -- some customers are primarily asking about your physical security, some ask about the nature of the service you provide (Shouldn't they know since they bought it?), while still others ask you about data encryption and your procedure for handling electronic media.

In fact, some customers are sending you the same questionnaire multiple times -- when they've purchased more than one of your products. Large customers might have different business units sending you entirely different questionnaires. Oh, and they've asked you to fill out their questionnaire once per year -- and every time your application changes.

Governance Good, Anarchy Bad

Clearly, both sides in this equation have issues here -- and for both sides, the issue relates to manageability. Enterprises have so many vendors to address that fighting for each set of responses -- and trying to figure out what vague or nonsubstantive responses mean -- cuts directly into time they already don't have.

However, the vendors have so many of these coming in that they can't respond substantively to each question -- they have to crib from prior responses -- just to keep up with the workload. It's a situation that leads very quickly to anarchy on both sides of the coin.

The trick to managing this process and making it a little more manageable is, in my opinion, to start with the understanding that the person on the other side is in exactly the same boat as you. If you're an enterprise, the security folks on the vendor side aren't being unresponsive -- they're being as responsive as time permits. If you're a vendor, the security folks in the enterprise aren't being lazy -- they're using the self-assessment because their situation is just as hairy as yours. Understanding that the other side isn't being difficult (well, usually isn't) is a good first step, because you can then approach them forthrightly and openly about options for making the process more efficient.

For example, maybe a particular vendor has a certification that you might use to establish a level of confidence. Maybe it's ISO 27001 certified and it's willing to share those results with you. Maybe it's gone through a PCI assessment and is willing to share its attestation of compliance to that standard. Or maybe it has already put together a response to a standard data-gathering process like the BITS FISAP (Financial Institution Shared Assessment Program) SIG (Standardized Information Gathering) that you can use instead of your own internally generated questionnaire.

The point is, approaching the situation as two people working together toward a common goal moves the ball much farther than taking an adversarial approach to the situation. Sure, in some cases, you'll run up against folks who are just hands-down difficult to work with -- but those are the exception. Most of the time, you'll run up against receptive, competent peers who are just as hungry to give you the data you need as to hear what you have to say about the security program and controls you've built.


Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.
