Vendor Risk Assessment: A Necessary Evil

Security assessments are tedious, but they reduce risk and are worth the time. And efforts are underway to simplify and automate the process.

By Jeff Jenkins, The First American Corporation

Tue, May 06, 2008CIO "Vendor risk assessment" is to blame for an ever-increasing number of security questionnaires circulating between customers and service providers that are designed to assess security measures on the vendor's side. As an information security professional, my union card says that I should understand and support the necessity of such assessments—and for the most part I do. However, after years of having been on both the giving and receiving end of these assessments, I can certainly understand the consternation that normal humans (those who don't have the InfoSec decoder ring) experience when dealing with it. The good news is I think the world can be saved—maybe. (For more on assessing risk, read 7 Data Leaks You Can't ignore.)

Believe it or not, the questionnaire process actually has value, if implemented properly. Despite being an industry filled with extremely bright people, the information security community as a whole hasn't done a particularly impressive job in managing the way information, systems and security programs are assessed. There have been attempts made, though. (Also read How to Conduct a Vulnerability Assessment and take the quiz for your own system.)

For those of you not familiar with FISAP (Financial Institution Shared Assessments Program), it was an initiative started in 2006 by BITS—an organization made up largely of the major financial institutions. The idea was that, as many financial institutions used the same service providers and asked similar questions when assessing the security programs of those providers, there was potential efficiency in standardizing on one questionnaire. Service providers fill the questionnaire out once and share it with any financial institution needing to assess the provider.

With nearly two years of effort invested into the project the group produced a very comprehensive set of questions in the form of the Standardized Information Gathering (SIG) questionnaire. For those of us who appreciate Excel as the duct tape of our business toolbox, the SIG crew even designed a nifty macro-laden spreadsheet to help automate completion of the questionnaire. Problem solved, right? Not quite. The only thing missing appears to be a consensus among the financial institutions and their vendors to all use the SIG questionnaire.

Now before you write this off as simply another rant, I need to mention that the SIG does far more good than bad for the assessment problem. The challenges the SIG faces, or introduces, are the same for nearly any questionnaire or assessment. So here are some observations of those challenges and some tips on how you can possibly make the best of an admittedly difficult situation regarding "vendor security assessment" practices.

Size matters.

Security and audit professionals have rarely been accused of excessive brevity. One result of trying to come up with a consolidated set of questions in the form of the SIG is that it contains nearly 1,300 questions. That's not to say the questions aren't valid, and a fair number of them are actually "gated" or conditional questions so that they only have to be answered if earlier responses dictate it, but the SIG still requires a lot of questions be answered—much more than the average vendor security questionnaire. The SIG also isn't designed to perform any risk analysis or scoring of the responses, which—for the amount of effort required to complete it—leads to even more speculation that its strength (thoroughness) is also its Achilles heel. If you are assessing a vendor, remember to only ask for what you need. If you are a service provider being assessed and don't like the process, get involved. Give your customer feedback on their process.

Scope matters.

Possibly the most difficult aspect of using questionnaires is that they try to cover a lot of ground in one document. Questions often seek information ranging from high-level enterprise security practices to details about data or system-specific controls. The success of an assessment questionnaire is often related to how intuitive it is to the person or persons completing it. If you are assessing a vendor, never assume that the people providing answers are security or audit professionals. Keep things simple and straightforward—the quality of the information you receive will justify the extra effort. If you are a service provider being assessed and are unsure about the scope or nature of the questions being asked, don't hesitate to ask your local security professional or the customer for clarification.

Speed matters.

In the past few years significant progress has been made regarding in developing tools that can automate and simplify issuing and managing assessment questionnaires. The end result is that more questions can be addressed in a quicker and more accurate fashion. Using gated or conditional questions is one feature where software tools are particularly useful (with all due respect to the designers of the SIG spreadsheet, Excel has run its course as the tool of choice). Risk and compliance management applications, such as those from SAP, Oracle and Archer Technologies, reduce the time required to complete questionnaires and accelerate the analysis of results and reporting, is nothing short of a staggering improvement in information and security management. Quite simply, these tools minimize the time spent assessing information security and allow more time to be focused on improving it. I strongly suspect these applications will also help initiatives, such as the FISAP SIG, overcome many of the implementation hurdles they face and possibly realize greater adoption as a standard practice—a benefit to us all.

Loading...
Security MarketSpace
White Papers
5 Tips for Data Loss Prevention Solutions
RSA® The Security Division of EMC has identified 5 key considerations to help organizations simplify the evaluation process for selecting a DLP solution that is right for their business. Learn more »
Secure Training Videos to Prevent Theft
Learn how Dream Force extended their marketing reach without being constricted. Learn more »
Prevent Intellectual Property Theft
Learn what the key components were in Hock International's purchasing decision. Learn more »
Webcasts
Maximizing the Business Value of the PC Infrastructure
Reduced IT budgets have CIOs hunting for ways to maximize their PC infrastructure, while saving money and IT staff time. Diane Bryant, CIO of Intel Corp., talks with CIO magazine's Gary Beach about how her organization is addressing these challenges. Learn more »
 
SPONSORED LINKS
 

Data Loss Prevention: A Better Way to Approach Security

Software Executives: Take Control of Your Organization's Code Quality

Delivering Secure and Reliable Data through Spreadsheet Automation

Taking the Service Desk to the Next Level

Why Data Loss is Increasing--and What You Can Do About It

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Mid-Sized Company CIO Community: infoBOOM!

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Accenture IT Consulting: Logical meets technological. More . . .

White Paper: 8 Key Ingredients to Building an Internal Cloud

Read about virtualization and consolidation effort best practices

Building the Virtualized Enterprise with VMware Infrastructure

Top 10 Business and IT Drivers for the Wealth Management Sector

Bottom-Line Benefits of Virtualization

White Paper: The Building Blocks for Cloud Computing

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Learn about The Information Technology Infrastructure Library.

Achieving Pervasive Performance Management

Gartner Shares Predictions for 2009

64-page prescriptive guide to security, compliance, and IT operations.

Stop Application Fraud at the Source with Device Reputation

Ready to Act: 3 Recommendations for Agile Processes

Automating the Generation and Secure Distribution of Excel Reports

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

Top-line Performance that's Bottom-line Efficient

Accenture: Outsourcing for uncertain times. Click to learn more.

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Learn how a virtualized enterprise can help your company reduce costs

Why Isn't Server Virtualization Saving Us More?

8 Key Ingredients to Building an Internal Cloud

Data Center Optimization: Three Key Strategies

A CIO Executive Guide: Cloud Computing Looms Big on the Horizon

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Tips for successful virtualization management.

Smart Decisions: The Role of Key Performance Indicators

Reduce risk, gain agility. See how Progress can help your business.

Improve ROI, lower TCO and reduce energy consumption.

 
 
RESOURCE CENTER