“Vendor risk assessment” is to blame for an ever-increasing number of security questionnaires circulating between
customers and service providers that are designed to assess security measures on the vendor’s side. As an
information security professional, my union card says that I should understand and support the necessity of such
assessments—and for the most part I do. However, after years of having been on both the giving and receiving
end of these assessments, I can certainly understand the consternation that normal humans (those who don’t have the
InfoSec decoder ring) experience when dealing with it. The good news is I think the world can be
saved—maybe.
Believe it or not, the questionnaire process actually has value, if implemented properly. Despite
being an industry filled with extremely bright people, the information security community as a whole hasn’t done a
particularly impressive job in managing the way information, systems and security programs are assessed. There
have been attempts made, though.
For those of you not familiar with FISAP (Financial Institution Shared Assessments Program), it was an
initiative started in 2006 by BITS—an organization made up largely of the major financial institutions. The
idea was that, as many financial institutions used the same service providers and asked similar questions when
assessing the security programs of those providers, there was potential efficiency in standardizing on one
questionnaire. Service providers fill the questionnaire out once and share it with any financial institution
needing to assess the provider.
With nearly two years of effort invested into the project, the group produced a very comprehensive set of
questions in the form of the Standardized Information Gathering (SIG) questionnaire. For those of us who
appreciate Excel as the duct tape of our business toolbox, the SIG crew even designed a nifty macro-laden
spreadsheet to help automate completion of the questionnaire. Problem solved, right? Not quite. The only thing
missing appears to be a consensus among the financial institutions and their vendors to all use
the SIG questionnaire.
Now before you write this off as simply another rant, I need to mention that the SIG does far more good than bad
for the assessment problem. The challenges the SIG faces, or introduces, are the same for nearly any questionnaire
or assessment. So here are some observations of those challenges and some tips on how you can possibly make the
best of an admittedly difficult situation regarding “vendor security assessment” practices.
Security and audit professionals have rarely been accused of excessive brevity. One result of trying to come up
with a consolidated set of questions in the form of the SIG is that it contains nearly 1,300 questions. That’s not
to say the questions aren’t valid, and a fair number of them are actually “gated” or conditional questions so that
they only have to be answered if earlier responses dictate it, but the SIG still requires a lot of
questions be answered—much more than the average vendor security questionnaire. The SIG also isn’t designed
to perform any risk analysis or scoring of the responses, which—for the amount of effort required to complete
it—leads to even more speculation that its strength (thoroughness) is also its Achilles heel. If you are
assessing a vendor, remember to only ask for what you need. If you are a service provider being assessed and don’t
like the process, get involved. Give your customer feedback on their process.
Possibly the most difficult aspect of using questionnaires is that they try to cover a lot of ground in one
document. Questions often seek information ranging from high-level enterprise security practices to details about
data or system-specific controls. The success of an assessment questionnaire is often related to how intuitive it
is to the person or persons completing it. If you are assessing a vendor, never assume that the people providing
answers are security or audit professionals. Keep things simple and straightforward—the quality of the
information you receive will justify the extra effort. If you are a service provider being assessed and are unsure
about the scope or nature of the questions being asked, don’t hesitate to ask your local security professional or
the customer for clarification.
In the past few years significant progress has been made in developing tools that can automate and
simplify issuing and managing assessment questionnaires. The end result is that more questions can be addressed in
a quicker and more accurate fashion. Using gated or conditional questions is one feature where software tools are
particularly useful (with all due respect to the designers of the SIG spreadsheet, Excel has run its course as the
tool of choice). Risk and compliance management applications, such as those from SAP, Oracle and Archer
Technologies, reduce the time required to complete questionnaires and accelerate the analysis of results and
reporting, which is nothing short of a staggering improvement in information and security management. Quite simply,
these tools minimize the time spent assessing information security and allow more time to be focused on improving
it. I strongly suspect these applications will also help initiatives, such as the FISAP SIG, overcome many of the
implementation hurdles they face and possibly realize greater adoption as a standard practice—a benefit to us
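As an added illustration (this is not the article's own material, not the SIG's actual question set, and not the product of any vendor tool named above), the following Python snippet models the two features the preceding sections discuss: gated questions that only have to be answered when earlier responses dictate it, and a simple weighted risk score of the kind the SIG itself does not produce. The question IDs, wording, weights and the two sample answer sets are constructed for the example.

```python
"""Minimal questionnaire engine with gated (conditional) questions and a
weighted risk score.  Added example; question IDs, weights and the sample
answer sets below are constructed, not taken from the SIG or any product."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Answers = Dict[str, str]          # question id -> answer text ("yes"/"no")


@dataclass
class Question:
    qid: str
    text: str
    weight: int                   # risk carried by an unfavourable or missing answer
    favourable: str = "yes"       # the answer meaning "control is in place"
    # gate(answers) -> True when the question applies; None means always asked
    gate: Optional[Callable[[Answers], bool]] = None


def build_sample_questionnaire() -> List[Question]:
    """A constructed, deliberately small questionnaire.  Weight-0 questions
    exist only to gate later questions and carry no risk themselves."""
    return [
        Question("A1", "Is customer data stored by the provider?", 0),
        Question("A2", "Is stored customer data encrypted at rest?", 5,
                 gate=lambda a: a.get("A1") == "yes"),
        Question("A3", "Are encryption keys managed separately from the data?", 3,
                 gate=lambda a: a.get("A1") == "yes" and a.get("A2") == "yes"),
        Question("B1", "Is there a documented incident response plan?", 4),
        Question("B2", "Was the plan exercised in the last 12 months?", 2,
                 gate=lambda a: a.get("B1") == "yes"),
        Question("C1", "Do subcontractors process customer data?", 0),
        Question("C2", "Are subcontractors bound by equivalent security requirements?", 4,
                 gate=lambda a: a.get("C1") == "yes"),
    ]


def applicable_questions(questions: List[Question], answers: Answers) -> List[Question]:
    """Only questions whose gate is satisfied by the answers given so far."""
    return [q for q in questions if q.gate is None or q.gate(answers)]


def next_questions(questions: List[Question], answers: Answers) -> List[Question]:
    """Applicable questions that still lack an answer (what a tool would show next)."""
    return [q for q in applicable_questions(questions, answers) if q.qid not in answers]


def assess(questions: List[Question], answers: Answers) -> dict:
    """Weighted risk score over the applicable questions.

    risk    = sum of weights of applicable questions answered unfavourably or not at all
    maximum = sum of weights of all applicable questions (the worst possible score)
    findings lists (qid, answer-or-"unanswered") for every question that added risk.
    """
    risk, maximum = 0, 0
    findings: List[Tuple[str, str]] = []
    for q in applicable_questions(questions, answers):
        maximum += q.weight
        if q.weight == 0:
            continue                      # pure gating question, no risk of its own
        answer = answers.get(q.qid)
        if answer is None:
            risk += q.weight
            findings.append((q.qid, "unanswered"))
        elif answer != q.favourable:
            risk += q.weight
            findings.append((q.qid, answer))
    return {"risk": risk, "maximum": maximum, "findings": findings}


# Two constructed answer sets from two hypothetical service providers.
PROVIDER_A: Answers = {"A1": "yes", "A2": "yes", "A3": "no",
                       "B1": "yes", "B2": "no", "C1": "no"}
PROVIDER_B: Answers = {"A1": "no", "B1": "no", "C1": "yes"}   # C2 is gated in but unanswered

if __name__ == "__main__":
    qs = build_sample_questionnaire()
    for name, ans in (("provider A", PROVIDER_A), ("provider B", PROVIDER_B)):
        result = assess(qs, ans)
        pending = [q.qid for q in next_questions(qs, ans)]
        print(f"{name}: risk {result['risk']}/{result['maximum']}, "
              f"findings {result['findings']}, still to answer {pending}")
```

The gating lambdas express the "only answer if earlier responses dictate" behaviour directly, so a provider that stores no customer data is never asked the encryption questions, and the maximum score shrinks accordingly rather than penalising a control that does not apply. Unanswered applicable questions count as full risk, which is the conservative choice when a questionnaire comes back incomplete.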
Effectively Managing Vendor Risk
For those who manage information and technology, it’s understandable that security assessments and
questionnaires aren’t particularly enjoyable activities. That statement is probably even more true when the
assessment is being conducted between two organizations to simply prove business partners are all doing their part.
Nevertheless, it’s a fact of life in today’s business world—where the perception of security is almost as
important as the ability to actually secure information.
Perhaps lost in all the excitement of increasingly complex technologies, concepts and regulations is the fact
that the goal is still to simply assess a situation for risk. The moral of this story? There are a few:
- First, assessments are somewhat tedious even for those of us who create them, so know that you aren’t alone.
- Second, there are good people and organizations out there trying to make the process better. Seek them out and
do what you can to support them.
- Third, be patient. Security technology is finally expanding more into the realm of CSOs, risk officers and
security auditors—which will improve numerous security practices that have been sorely lacking automation and
Jeff Jenkins, CISSP, CISA, CISM, is vice president of Information Security Governance & Compliance for The
First American Corporation. In his current role he is responsible for helping build and maintain all aspects of
the corporation’s information security program with a focus on managing the company’s information security risk
management and compliance efforts.