Expert View

Vendor Risk Assessment: A Necessary Evil

Security assessments are tedious, but they reduce risk and are worth the time. And efforts are underway to simplify and automate the process.

By Jeff Jenkins, The First American Corporation

May 06, 2008 — CIO —

"Vendor risk assessment" is to blame for an ever-increasing number of security questionnaires circulating between customers and service providers that are designed to assess security measures on the vendor's side. As an information security professional, my union card says that I should understand and support the necessity of such assessments—and for the most part I do. However, after years of having been on both the giving and receiving end of these assessments, I can certainly understand the consternation that normal humans (those who don't have the InfoSec decoder ring) experience when dealing with it. The good news is I think the world can be saved—maybe. (For more on assessing risk, read 7 Data Leaks You Can't ignore.)

Believe it or not, the questionnaire process actually has value, if implemented properly. Despite being an industry filled with extremely bright people, the information security community as a whole hasn't done a particularly impressive job in managing the way information, systems and security programs are assessed. There have been attempts made, though. (Also read How to Conduct a Vulnerability Assessment and take the quiz for your own system.)

For those of you not familiar with FISAP (Financial Institution Shared Assessments Program), it was an initiative started in 2006 by BITS—an organization made up largely of the major financial institutions. The idea was that, as many financial institutions used the same service providers and asked similar questions when assessing the security programs of those providers, there was potential efficiency in standardizing on one questionnaire. Service providers fill the questionnaire out once and share it with any financial institution needing to assess the provider.

With nearly two years of effort invested into the project the group produced a very comprehensive set of questions in the form of the Standardized Information Gathering (SIG) questionnaire. For those of us who appreciate Excel as the duct tape of our business toolbox, the SIG crew even designed a nifty macro-laden spreadsheet to help automate completion of the questionnaire. Problem solved, right? Not quite. The only thing missing appears to be a consensus among the financial institutions and their vendors to all use the SIG questionnaire.

Now before you write this off as simply another rant, I need to mention that the SIG does far more good than bad for the assessment problem. The challenges the SIG faces, or introduces, are the same for nearly any questionnaire or assessment. So here are some observations of those challenges and some tips on how you can possibly make the best of an admittedly difficult situation regarding "vendor security assessment" practices.

Size matters.

Security and audit professionals have rarely been accused of excessive brevity. One result of trying to come up with a consolidated set of questions in the form of the SIG is that it contains nearly 1,300 questions. That's not to say the questions aren't valid, and a fair number of them are actually "gated" or conditional questions so that they only have to be answered if earlier responses dictate it, but the SIG still requires a lot of questions be answered—much more than the average vendor security questionnaire. The SIG also isn't designed to perform any risk analysis or scoring of the responses, which—for the amount of effort required to complete it—leads to even more speculation that its strength (thoroughness) is also its Achilles heel. If you are assessing a vendor, remember to only ask for what you need. If you are a service provider being assessed and don't like the process, get involved. Give your customer feedback on their process.

Scope matters.

Possibly the most difficult aspect of using questionnaires is that they try to cover a lot of ground in one document. Questions often seek information ranging from high-level enterprise security practices to details about data or system-specific controls. The success of an assessment questionnaire is often related to how intuitive it is to the person or persons completing it. If you are assessing a vendor, never assume that the people providing answers are security or audit professionals. Keep things simple and straightforward—the quality of the information you receive will justify the extra effort. If you are a service provider being assessed and are unsure about the scope or nature of the questions being asked, don't hesitate to ask your local security professional or the customer for clarification.

Speed matters.

In the past few years significant progress has been made regarding in developing tools that can automate and simplify issuing and managing assessment questionnaires. The end result is that more questions can be addressed in a quicker and more accurate fashion. Using gated or conditional questions is one feature where software tools are particularly useful (with all due respect to the designers of the SIG spreadsheet, Excel has run its course as the tool of choice). Risk and compliance management applications, such as those from SAP, Oracle and Archer Technologies, reduce the time required to complete questionnaires and accelerate the analysis of results and reporting, is nothing short of a staggering improvement in information and security management. Quite simply, these tools minimize the time spent assessing information security and allow more time to be focused on improving it. I strongly suspect these applications will also help initiatives, such as the FISAP SIG, overcome many of the implementation hurdles they face and possibly realize greater adoption as a standard practice—a benefit to us all.