Why You Should Optimize Your Security Questionnaire Response Process

The Loopio Team

Security Assessments – A Reality of the Future

‘I love Security Questionnaires,’ said no one ever.

Pretty much anyone who’s involved in responding to Security Assessments would say that there are other things they’d rather be doing with their time. But Security Questionnaires are the reality of conducting a business in a lot of industries: SaaS, finance, healthcare, etc.

The risks involved in handling sensitive data are steadily increasing and evolving as companies opt to store data in the cloud and outsource their core processes. So it’s no surprise that companies and government agencies are constantly looking for ways to prevent and mitigate security threats.

4.2 billion records were exposed in data breaches in 2016 (source: http://www.darkreading.com/attacks-breaches/data-breaches-exposed-42-billion-records-in-2016/d/d-id/1327976)

Government Push on Security

Government involvement in preventing security threats comes in the form of regulations. In the industries that are most vulnerable (healthcare, banking, telecommunications, etc.), federal and state governments are setting security standards and expectations for companies to follow. Government intervention in security also goes beyond the federal and state level and can affect an entire economic region.

Cybersecurity Regulation 23 NYCRR PART 500

Earlier this year, the New York State Department of Financial Services (NYSDFS) passed cybersecurity regulation 23 NYCRR PART 500. Its aim is to decrease the vulnerability of information systems in the banking and insurance sectors by placing strict security requirements on Financial Services providers and third-party vendors. The government expects these organizations to continuously monitor for and assess any potential internal and external risks and take actions to mitigate them.

Privacy Shield Agreement

We also recently learned of a larger-scale government security initiative from one of our customers, Tanner Volz at iovation. During his webinar on iovation’s Security Assessment Response Process, Tanner talked about the Privacy Shield agreement, which affects US-based vendors selling to customers in Europe.

The agreement came into effect in early 2016, replacing the Safe Harbour framework. Privacy Shield outlines requirements around the use of personal data transferred from the European Union and Switzerland.

Staying Proactive

The push for increased security does not only come from the government. To make their products and services more secure, companies are setting higher security standards not just for themselves but also for their vendors. They regularly evaluate and improve their external networks, processes, and systems.

  • A lot of companies conduct audits of their vendors to meet security standards such as PCI and HIPAA. Some of these audits come in standardized formats, e.g. the Standard Information Gathering Questionnaire (SIG).
  • The threshold for security standards a company wants to see from its vendors has been on the rise. More and more, companies are seeking security certifications such as SOC 2, ISO, or COBIT from their vendors.

For example, in the world of SaaS, companies are starting to ask for SOC 2 certification from their vendors, whereas before it was sufficient to show that the vendor’s hosting provider was SOC 2 compliant.

Find a Way to Manage Your Security Assessments

It’s a good time to make your Security Assessment response process into a well-oiled machine! Not only will it help you get through those questionnaires faster, but it will also help your customers get through their audits faster.

Consider this: your customers have government regulations or their own security teams imposing compliance requirements. The easier you make it for your customers to meet their security requirements, the more value they will see in your partnership. Keep all your documentation and security information accessible. The last thing you want is to be digging for it when a customer asks you for compliance information.

[Image: two puzzle pieces fitting together, one labelled “accessible content” and the other “repeatable process”.]

Two Tips to Make Responding to Security Assessments Easier

These two tips will help you effectively manage any volume and size of Security Questionnaires:

  • Accessible content. No matter how many Security Questionnaires you get, there are always questions that are common across each request. Being able to easily find the necessary content and quickly get the standard questions out of the way can save you a lot of time when responding (start building a well-organized Security library with this template).
  • Repeatable process. Beyond making your content accessible, you should develop a process that you can apply to all Security and Compliance Assessments and share across your entire team (learn how iovation streamlined their process with Loopio).

Summary

It’s important that your team has an efficient way of handling Security Questionnaires to keep up with tightening government security regulations and the increasing measures companies are taking to comply.

For more tips on optimizing your process, download the guide to Rapidfire Security Questionnaire Responses for advice from industry pros.
