Information security assurance across your supply chain

October 16, 2020

The challenge: You are a security and/or risk professional and you need to conduct information security assurance of the companies in your supply chain.

Do you know:

  1. What the scope of your assurance is?
  2. Which questions you should ask?
  3. Whether the questions you ask are aligned to a framework, and which one you should choose?
  4. How you will measure the responses you are given?
  5. What you will do when a supplier can't respond, or won't?
  6. What fair and reasonable looks like?

What is the scope of your questionnaire?

When developing a questionnaire program, be aware that scope MATTERS.

When you ask a supplier to answer information security questions, consider very carefully what you are asking them to respond in relation to. For example, are they answering in relation to a piece of software they sold you, or on behalf of their entire organisation and how the whole company manages security? Are the questions relevant to the service the supplier actually provides? If you are buying a piece of hardware from them and you ask how they manage cloud security, the answer tells you little about the risk you are actually carrying, and the supplier may reasonably decline to answer.

Having a few questionnaires, each scoped to a type of engagement (for example software, SaaS, hardware, or managed services), meets the needs of most of our clients.

Which questions should you ask?

Look to your business goals and your information security program. Hopefully your organisation has developed a set of information security policies and standards that you adhere to. If so, build your questions around those standards. If you don't have standards in place, develop a set of questions that is right for your business. This might include questions about how a supplier manages your information assets within their service (if you are using a cloud-based SaaS service), or whether they are PCI DSS compliant (if they handle credit card information on your behalf). If they provide a web application into which you enter confidential information that they manage on your behalf, it would be right to ask how they secure that web application and how they scan and test their software for security vulnerabilities.

InfoSecAssure has a set of questions you can use if you need help.

Are the questions you ask aligned to any framework? Which one do you choose?

If your company is in a regulated industry such as banking or health, you may need to ask specific questions that allow you to measure compliance against a specific set of requirements. If you are not regulated, you can choose to align your questions with a particular standard. Be careful not to overdo the number of questions you ask, as you may create unnecessary work for your supplier and for yourself.

How do you measure the responses you are given?

At InfoSecAssure we believe there is no point in asking a question unless the answer can be measured. We have developed a number of models for our clients that help them measure responses to questions consistently and methodically. Some subjectivity is unavoidable with open-ended questions, but for the most part you should know in advance what you expect your suppliers to say, and which areas are deal breakers for you if a supplier does not measure up.
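The following is an added illustration written for this article of what "measurable" can mean in practice; it is not InfoSecAssure's model or any client's. Each question carries the engagement types it applies to (so a hardware supplier is never scored on cloud questions, as the scope section above argues), a weight, an explicit map from expected answers to credit, and an optional deal-breaker flag that fails the assessment regardless of the overall score. Answers that are missing or do not match an expected value earn nothing and are listed for follow-up rather than silently dropped. The question bank, weights, pass threshold and supplier responses are all constructed for the example.

```python
"""Added example: a small, repeatable scoring model for supplier
questionnaire responses. Question ids, weights, scopes, the pass
threshold and the sample responses are all constructed for illustration."""

from dataclasses import dataclass, field

# Engagement types a supplier can be assessed against. Scope decides which
# questions are asked at all.
SAAS, HARDWARE, PAYMENTS = "saas", "hardware", "payments"


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    scopes: frozenset            # engagement types this question applies to
    weight: int                  # relative importance in the weighted score
    deal_breaker: bool = False   # an unacceptable answer fails the assessment outright
    # Expected answers and the credit each earns, so every assessor scores the
    # same answer the same way. Anything else is treated as unanswered.
    credit: dict = field(default_factory=lambda: {"yes": 1.0, "partial": 0.5, "no": 0.0})


# Constructed question bank for the example.
QUESTIONS = (
    Question("mfa", "Is MFA enforced for staff access to systems holding our data?",
             frozenset({SAAS, PAYMENTS}), weight=5, deal_breaker=True),
    Question("vuln_scan", "Are the web applications you operate for us scanned for "
             "vulnerabilities at least monthly?", frozenset({SAAS}), weight=3),
    Question("pci", "Are you PCI DSS compliant for the card data you process on our behalf?",
             frozenset({PAYMENTS}), weight=5, deal_breaker=True, credit={"yes": 1.0, "no": 0.0}),
    Question("fw_signing", "Are firmware updates cryptographically signed and verified on the device?",
             frozenset({HARDWARE}), weight=4),
    Question("incident_notify", "Will you notify us of a security incident affecting our data "
             "within 72 hours?", frozenset({SAAS, PAYMENTS, HARDWARE}), weight=3),
)

PASS_THRESHOLD = 0.75   # constructed: minimum weighted score to pass without review


def applicable(scope):
    """Questions to send to a supplier engaged for the given scope."""
    return [q for q in QUESTIONS if scope in q.scopes]


def score(scope, responses):
    """Score a supplier's responses consistently.

    responses maps question id -> answer string. Missing or unrecognised
    answers (including a supplier that simply will not respond) earn no
    credit and are returned for follow-up. A deal-breaker question that
    earns less than full credit fails the assessment whatever the score.
    """
    earned = possible = 0.0
    failed_deal_breakers, follow_up = [], []
    for q in applicable(scope):
        answer = responses.get(q.qid, "").strip().lower()
        if answer in q.credit:
            c = q.credit[answer]
        else:
            c = 0.0
            follow_up.append(q.qid)
        if q.deal_breaker and c < 1.0:
            failed_deal_breakers.append(q.qid)
        earned += q.weight * c
        possible += q.weight
    pct = earned / possible if possible else 0.0
    if failed_deal_breakers:
        status = "FAIL"
    elif pct >= PASS_THRESHOLD:
        status = "PASS"
    else:
        status = "REVIEW"
    return {"scope": scope, "score": round(pct, 2), "status": status,
            "failed_deal_breakers": failed_deal_breakers, "follow_up": follow_up}


if __name__ == "__main__":
    # Constructed responses from three suppliers.
    saas_vendor = {"mfa": "yes", "vuln_scan": "partial", "incident_notify": "yes"}
    hw_vendor = {"fw_signing": "yes"}                    # never answered the incident question
    payments_vendor = {"mfa": "partial", "pci": "yes", "incident_notify": "yes"}
    for scope, responses in ((SAAS, saas_vendor), (HARDWARE, hw_vendor), (PAYMENTS, payments_vendor)):
        print(score(scope, responses))
```

The payments supplier in the sample scores well on points but still fails, because partial MFA on a deal-breaker question is not something a high score elsewhere should paper over; the hardware supplier is not failed for ignoring a question, but the gap is surfaced so you can chase it rather than lose it in an average.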

What do you do when the supplier can’t respond or won’t?

If you are a small or medium organisation and you want a big tech company such as Amazon or Microsoft to answer a custom security questionnaire, you will be met with a big fat NO, or more likely silence. In most of these cases these organisations publish a detailed description of their security controls on their websites, and often white papers or compliance documents (such as independent audit reports and certifications) that they make available to customers. Try to find the answers to your questions there, and if you can't, decide how important a questionnaire response from these bigger suppliers really is to your assessment of the risk.

Being fair and reasonable when assessing results

It makes sense for companies to work with suppliers of the same maturity and size, as they often work better together when providing assurance to each other. However, that really limits what sort of innovative solutions your business can use, and it prevents smaller companies from participating in the supply chains of bigger companies. At InfoSecAssure we think this is one of the biggest downsides of security questionnaires. We love working with companies to help them uplift their practices, or to help them explain to their bigger clients where they are on their security journey. If this is you, please get in touch for our special consulting rates for start-ups.

Remember, no-one is perfect. Be reasonable and fair when assessing your suppliers: not every one of them will be operating out of a defence-grade building with ballistic-resistant windows!

Picture credits

Photo by Immo Wegmann

Photo by William Warby

Photo by kili wei
