In today’s world of interlocked companies and IT service providers, it’s standard practice for a company to ask its tech suppliers to fill out detailed questionnaires about their security practices. Companies use that information when choosing a supplier. Too much is at stake, in terms of company reputation and customer trust, to be anything but thorough with information security.
But how can a company's IT security teams be most effective in that technology buying process? How do they get all the information they need while staying focused on what really matters and not wasting their time? Speaking at the recent RSA Conference, Oracle Chief Security Officer Mary Ann Davidson offered her tips on this IT security risk assessment process. Drawing on her experience at Oracle as both a supplier and a buyer of technology and cloud services, Davidson shared advice from both points of view.
Advice on Business Risk Assessments
When it's time to put out an RFP to engage new technology providers, or to conduct an annual assessment of existing service providers, what do you ask in such a vendor security assessment questionnaire? There are many existing documents and templates, some focused on specific industries, others on regulated sectors or regulated information. Those should guide any assessment process but aren't the only factors, says Davidson. Consider these practical tips to get the crucial data you need and to avoid gathering a lot of information that will only distract you from the issues that matter for keeping your data secure.
Have a clear objective in mind. The purpose of the vendor security assessment questionnaire should be to assess the security performance of the vendor in light of the organization’s tolerance for risk on a given project.
Limit the scope of an assessment to the potential security risks for services that the supplier is offering you. Those services are obviously critical, because they could affect your data, operations, and security. There is no value in focusing on a supplier’s purely internal systems if they don’t contain or connect to your data. By analogy, “you care about the security of a childcare provider’s facility,” says Davidson. “It’s not relevant to ask about the security of the facility owner’s vacation home in Lake Tahoe.”
When possible, align the questions with internationally recognized, relevant, independently developed standards (ISO/IEC 27001 is one example). It's reasonable to expect service providers to offer open services that conform to true industry standards. Be wary of faux standards, which are the opposite of open: they may be designed to make tech buyers trust what look like specifications built on industry consensus, but which in fact push one tech supplier's agenda or that of a third-party certification business.
If a request seems unusual, clarify whether there are regulatory or compliance requirements involved. By understanding the relevant regulations, a tech supplier may be able to provide other documentation, such as certification, that satisfies the customer’s need for due diligence. And suppliers and tech users may together decide they should push back on regulations that are unclear or unreasonable, to help regulators understand “unfortunate yet unintended consequences,” Davidson says.
If any request seems out of the norm, explore the bigger reasons behind it. “Ask them, ‘Tell me what you’re worried about,’” advises Davidson.
Have clear rules of engagement and easily accessible documentation of the assessment requirements. That makes it faster and less expensive for the supplier to provide the information you need.
Risk assessment questionnaires can be huge, and they consume considerable resources to complete and interpret. Turn the process from a hostile examination into a productive dialogue between two potential partners. When customers and suppliers work together, the risk-assessment process becomes less onerous, more informative, and far more useful to all parties.
Alan Zeichick is principal analyst at Camden Associates, a tech consultancy specializing in software development, enterprise networking, and cybersecurity.