Vendor Risk Assessment: A Necessary Evil

Security assessments are tedious, but they reduce risk and are worth the time. And efforts are underway to simplify and automate the process.

By Jeff Jenkins, The First American Corporation
Tue, May 06, 2008

CIO — "Vendor risk assessment" is to blame for the ever-increasing number of security questionnaires circulating between customers and service providers, all designed to assess the security measures on the vendor's side. As an information security professional, my union card says that I should understand and support the necessity of such assessments, and for the most part I do. However, after years on both the giving and receiving end of these assessments, I can certainly understand the consternation that normal humans (those without the InfoSec decoder ring) experience when dealing with them. The good news is that I think the world can be saved. Maybe.

Believe it or not, the questionnaire process actually has value if it is implemented properly. Despite being an industry filled with extremely bright people, the information security community as a whole hasn't done a particularly impressive job of managing the way information, systems and security programs are assessed. There have been attempts, though.

For those of you not familiar with FISAP (Financial Institution Shared Assessments Program), it was an initiative started in 2006 by BITS—an organization made up largely of the major financial institutions. The idea was that, as many financial institutions used the same service providers and asked similar questions when assessing the security programs of those providers, there was potential efficiency in standardizing on one questionnaire. Service providers fill the questionnaire out once and share it with any financial institution needing to assess the provider.

With nearly two years of effort invested in the project, the group produced a very comprehensive set of questions in the form of the Standardized Information Gathering (SIG) questionnaire. For those of us who appreciate Excel as the duct tape of our business toolbox, the SIG crew even designed a nifty macro-laden spreadsheet to help automate completion of the questionnaire. Problem solved, right? Not quite. The only thing missing appears to be a consensus among the financial institutions and their vendors to actually use the SIG questionnaire.

Now before you write this off as simply another rant, I need to mention that the SIG does far more good than bad for the assessment problem. The challenges the SIG faces, or introduces, are the same for nearly any questionnaire or assessment. So here are some observations of those challenges and some tips on how you can possibly make the best of an admittedly difficult situation regarding "vendor security assessment" practices.

Size matters.

Security and audit professionals have rarely been accused of excessive brevity. One result of trying to come up with a consolidated set of questions in the form of the SIG is that it contains nearly 1,300 of them. That's not to say the questions aren't valid, and a fair number of them are "gated" or conditional questions that only have to be answered if earlier responses dictate it, but the SIG still requires far more answers than the average vendor security questionnaire. The SIG also isn't designed to perform any risk analysis or scoring of the responses, which, given the amount of effort required to complete it, fuels the suspicion that its strength (thoroughness) is also its Achilles heel: a large pile of answers with no weighting attached tells you how much a vendor wrote, not how much risk you are carrying. If you are assessing a vendor, remember to ask only for what you need, and tie each question to the data or service the vendor actually handles for you. If you are a service provider being assessed and don't like the process, get involved. Give your customer feedback on their process.

Scope matters.

Possibly the most difficult aspect of using questionnaires is that they try to cover a lot of ground in one document. Questions often seek information ranging from high-level enterprise security practices to details about data- or system-specific controls. The success of an assessment questionnaire is often related to how intuitive it is to the person or persons completing it. If you are assessing a vendor, never assume that the people providing answers are security or audit professionals. Keep things simple and straightforward; the quality of the information you receive will justify the extra effort. If you are a service provider being assessed and are unsure about the scope or nature of the questions being asked, don't hesitate to ask your local security professional or the customer for clarification. An answer given to the wrong interpretation of a question is worse than no answer, because both sides will treat it as a finding.

Speed matters.

In the past few years significant progress has been made in developing tools that automate and simplify issuing and managing assessment questionnaires. The end result is that more questions can be addressed more quickly and more accurately. Gated or conditional questions are one feature where software tools are particularly useful (with all due respect to the designers of the SIG spreadsheet, Excel has run its course as the tool of choice). Risk and compliance management applications, such as those from SAP, Oracle and Archer Technologies, reduce the time required to complete questionnaires and accelerate the analysis of results and reporting, which is nothing short of a staggering improvement in information and security management. Quite simply, these tools minimize the time spent assessing information security and allow more time to be focused on improving it. I strongly suspect these applications will also help initiatives such as the FISAP SIG overcome many of the implementation hurdles they face and possibly achieve greater adoption as a standard practice, a benefit to us all.
