Reliability of Questionnaires & How to Validate Answers
JAYEN GODSE, May 2020
Risk assessment questionnaires play a key role in an organization’s vendor governance program. Questionnaire-based due diligence is essential to understanding how your third-party vendors manage cybersecurity risks, as well as determining the investments they have made in mitigating exposure across people, processes, and technology.
Yet, for all their value, questionnaires can have shortcomings. They are often open to interpretation and create new questions of their own. Additionally, there is always the worry of whether the answers reflect reality. How do you know that the answers given are accurate and helpful?
ComplyScore performs thousands of third-party vendor risk assessments every year. Based on our experience and discussions we have had with industry experts, we have compiled what we consider to be the best practices to enhance your third-party risk management strategy while getting the most value from your organization’s vendor risk assessment questionnaires.
How Reliable are Vendor Risk Questionnaires?
Third-party vendor management programs rely on trust and verification. Questionnaires play a big role in establishing both of these, but assessing third-party risk does present some challenges.
We believe that asking the right questions is the first step in getting the right answers. Just as no two organizations are alike, each vendor also comes with its own environment and risks. When creating questionnaires, it’s important to:
- Know the scope of what’s being asked. A good questionnaire is thorough but intentional, which means it asks only the questions that need to be answered.
- Factor in inherent bias. Because questionnaires are answered by the vendor that’s being assessed, the responses will never be fully objective.
- Customize to get better results. Generic questionnaires that ask questions irrelevant to the vendor relationship frustrate vendors and waste your time. Drilling down on the specifics of the risks associated with environments particular to your vendors ensures that you get the best and most complete picture of potential risks.
Validation Best Practices
To ensure accuracy, organizations should establish assessment processes and guidelines for how to gather data, review answers, and remedy pending issues. Specific controls should be used to evaluate the vendors’ environments. For example, if your third-party vendor hosts on AWS, AWS-related best practices questions should be asked rather than generic, cloud-related questions. For vendors who use multiple operating environments, each system should have its own set of questions.
ComplyScore uses proven practices to evaluate and verify the accuracy of vendor responses. Questions are separated by asset categories, such as datacenter network, corporate network, and log management, for different device types. To gain clear insight into the specifics, each question is kept simple and direct, and several questions are never combined into one.
Once you are confident that you are asking the right questions, and thus encouraging the right answers, it’s time to move on to other techniques to validate the answers.
The practices used to validate answers include:
- Documentation review
  - Verifying the scope of security-related certifications like ISO 27001 and SOC 2 and ensuring that they are properly renewed.
  - Checking the quality of documentation, verifying the consistency of style across documents, and cross-checking for consistent policies.
    - We find that documents that have not been deployed in practice lack specificity and generally have a different style than “mature” documents.
    - It’s a good idea to drill down on these documents if they address critical areas of information security.
- Discovering, mapping, and scoring a vendor’s digital footprint to identify threat models and defend against fraud.
  - A digital review of a sample of vendors’ online assets reveals whether the documents are being put into practice.
  - Multiple open-source tools can be used for this purpose.
  - Areas that you can analyze include the existence of malware, patching cadence, previous history of spam or viruses originating from the vendor, and social standing.
- Assessing a vendor’s website to discern company health, GDPR and other regulatory compliance, and security patch level.
  - The overall rating of the website will reveal things like a commitment to details, compliance with regulations, adequacy of resources and general security-related culture.
- Conducting quick 10- to 15-minute interviews at the start of the vendor assessment process reveals the level of security talent heading the infosec program, the confidence of the vendor in their program, openness, and other key traits. We have found that these personal interactions reveal a significant amount of information, leading to a greater understanding of the maturity of the vendor’s infosec program.
Trust and Verify
Information security (InfoSec) questionnaires provide valuable insight into a third-party vendor’s risk and security culture. To get the most out of a questionnaire, it is important to ask precise questions of each vendor. Empowering vendors to provide specific answers reduces ambiguity and improves the validation process. ComplyScore’s vendor risk management solutions are designed to streamline the validation process and help you get the most from your vendor questionnaires.