Reliability of Questionnaires & How to Validate Answers
JAYEN GODSE, May 2020
Risk assessment questionnaires play an important role in an organization’s vendor governance program. Questionnaire-based due diligence is essential to understanding how your third-party vendors manage cybersecurity risks, as well as the investments they have made to mitigate exposure across people, processes, and technology.
Yet for all their value, questionnaires have shortcomings. They are often open to interpretation and create questions of their own. In addition, there is always the question of whether the answers reflect reality. How do you know the answers given are accurate and helpful?
ComplyScore performs thousands of third-party vendor risk assessments every year. Based on our experience and on discussions with industry experts, here is what we consider to be the best practices for strengthening your third-party risk management strategy while getting the most value from your organization’s vendor risk assessment questionnaires.
How Reliable are Vendor Risk Questionnaires?
Third-party vendor management programs rely on trust and verification. Questionnaires play a big role in establishing both, but assessing third-party risk does have some challenges.
It is our belief that asking the right questions is the start to getting the right answers. Just as no two organizations are alike, each vendor comes with its own environment and risks. When creating questionnaires, it’s important to:
- Know the scope of what’s being asked. A good questionnaire is thorough but intentional. That means only asking the questions you need answered.
- Factor in inherent bias. Because questionnaires are answered by the vendor being assessed, the responses will never be fully objective.
- Customize to get better results. Generic questionnaires that ask questions irrelevant to the vendor relationship frustrate the vendor and waste your time. Drilling down on the specific risks associated with the environments particular to the vendor gives the best picture of potential risks.
Validation Best Practices
To ensure accuracy, organizations should establish assessment processes and guidelines on how to gather data, review answers, and remedy pending issues. Specific controls should be used to evaluate each vendor’s environment. For example, if your third-party vendor hosts on AWS, AWS-specific best-practice questions should be asked instead of generic cloud ones. For vendors that use multiple operating environments, each system should have its own set of questions.
ComplyScore uses proven practices to evaluate and verify the accuracy of vendor responses. Questions are separated by asset type, such as datacenter network, corporate network, and log management for different device types. To gain clear, direct insight into the specifics, questions are kept simple and direct, and combining multiple questions into a single question is avoided.
Once you are confident that you are asking the right questions, and thus enabling the right answers, it is time to move on to other techniques for validating the answers.
The practices used to validate answers include:
- Documentation review
  - Verifying the scope of security-related certifications such as ISO 27001 and SOC 2, and ensuring they are properly renewed.
  - Checking the quality of documentation, verifying consistency of style across documents, and cross-checking for consistent policies.
    - We find that documents that have not been deployed in practice lack specificity and generally have a different style from mature documents.
    - It’s a good idea to drill down on these documents if they address critical areas of information security.
- Discovering, mapping, and scoring a vendor’s digital footprint to identify threat models and defend against fraud.
  - A digital review of a sample of the vendor’s online assets reveals whether the documented policies are put into practice.
  - Multiple open-source tools can be used for this purpose.
  - Areas you can analyze include the presence of malware, patching cadence, previous history of spam or viruses originating from the vendor, and social standing.
- Assessing a vendor’s website to discern company health, GDPR and other regulatory compliance, and security patch level.
  - The overall rating of the website will reveal things like attention to detail, compliance with regulations, adequacy of resources, and general security culture.
- Conducting a quick 10- to 15-minute interview at the start of the vendor assessment process reveals the level of security talent heading the infosec program, the vendor’s confidence in its program, openness, and other key traits. We have found that these personal interactions reveal a significant amount of information from which the maturity of the infosec program can be inferred.
Trust and Verify
Information security (InfoSec) questionnaires provide valuable insight into a third-party vendor’s risk and security culture. To get the most out of a questionnaire, it is important to ask precise questions of each vendor. Enabling vendors to provide specific answers reduces ambiguity and improves the validation process. ComplyScore’s vendor risk management solutions are designed to streamline the validation process and help you get the most from your vendor questionnaires.
For more information or an evaluation of your company’s questionnaires, don’t hesitate to contact us here.