Key Takeaways:
A weak response to a security assessment questionnaire merely delays the inevitable. Make it easy on the client reviewer by putting your best foot forward out of the gate.
A third party certification (e.g., ISO 27001) or audit (e.g., SOC 2 Type II) usually provides a significant reassurance to the client that you have reasonable controls security controls.
It is appropriate to not provide highly sensitive documents such as penetration tests, incident response playbooks, details on specific technical controls, etc. Summary documents or a table of contents is a reasonable response.
Read the Full Blog Post:
As the Information Security Officer for a large financial accounting firm, I receive 2-3 requests a week from either potential or existing clients asking for evidence of our control environment. These types of assessment requests usually come in 3 different types of forms: 1.) a general inquiry with very few specifics, 2.) a ‘homegrown’ assessment with a series of control questions in Word or Excel format, or 3.) a formal 3rd party on-line Standardized Information Gathering (SIG) questionnaire, Consensus Assessments Initiative Questionnaire (CAIQ), Vendor Security Alliance (VSA), etc that may contain hundreds of security control questions. I’ll talk about how we handle all 3 assessment versions in a minute.
The assessments usually come from clients in the Financial Services or Healthcare sectors or various levels of government agencies. These types of clients can have extremely sensitive types of data (i.e., PII, ePHI, M&A due diligence, etc.) that our Firm will be accessing and they want to be assured that our level of controls meet their expectations. I used to cringe at some of the assessment questions, knowing that we didn’t have all the controls needed in place – and therefore had to take a pass on those clients’ business. But over the years our Security Governance Team has gradually built up our control environment(s) to the point where we can cover even the most stringent control requirements. Our Firm now has a private cloud that’s SOC 2 Type II-audited for which we provide a report upon request (but even that sometimes isn’t good enough). We also include a statement in the assessment that describes our control environment complies with the NIST 800-53 Cybersecurity Framework - as a basis for clients looking for formal standardization.
Getting back to addressing the types of assessments described above. For the general inquiries, we have put together a ‘Security Posture’ whitepaper – a simple 2-page document that contains key control category summary statements (e.g., an excerpt from our Acceptable Use Policy, how we handle Disaster Recovery, Incident Response, Awareness Training, encryption for their data etc.) – without providing detailed internal-sensitive information. The whitepaper starts out with the Firm’s current ‘security score’, a free 3rd party service provides a grade that rates your organization’s external security ‘posture’ using any documented web vulnerabilities, known identity theft incidents that have been reported to state agencies, etc. in addition to comparing scores with like-industry organizations. The other two types of assessments mentioned have to be dealt with in answering all control questions as completely as possible. Sometimes the client will accept our SOC 2 report in lieu completing their questionnaire. In each case, if we can’t meet a specific control requirement, we always include any compensating controls to provide the client assurance that a particular requirement is being met. The caveat for each assessment is that our Firm does not share our internal Policies, network diagrams, etc. with clients. Instead, we offer to meet with the client to address specific security questions or screenshare with certain policies. I estimate less than 10% of clients we offer to meet with to discuss our control environment follow-up on the offer.
I’m curious if any of you deal with customer or client inquiries/control assessments differently. If you have any questions about our process, please contact me at: jredfield@cbh.com