Security Assessments – A Reality of the Future
'I love Security Questionnaires!' – said no one ever!
Pretty much anyone who’s involved in responding to Security Assessments would say that there are other things they’d rather be doing with their time. But Security Questionnaires are the reality of doing business in a lot of industries: SaaS, finance, healthcare, etc.
Risks involved in handling sensitive data are steadily increasing and evolving as companies opt to store data in the cloud and outsource their core processes. So it’s no surprise that companies and government agencies are constantly looking for ways to prevent and mitigate security threats.
Government Push on Security
Government involvement in preventing Security threats comes in the form of regulations. In the industries that are most vulnerable (healthcare, banking, telecommunications, etc.), federal and state governments are setting security standards and expectations for companies to follow. Government intervention in security also goes beyond the federal and state levels and can affect an entire economic region.
Cybersecurity Regulation 23 NYCRR PART 500
Earlier this year, the New York State Department of Financial Services (NYSDFS) passed cybersecurity regulation 23 NYCRR PART 500. Its aim is to decrease the vulnerability of information systems in the banking and insurance sectors by placing strict security requirements on Financial Services providers and third-party vendors. The government expects these organizations to continuously monitor for and assess any potential internal and external risks and take actions to mitigate them.
Privacy Shield Agreement
We also recently learned of a larger-scale government security initiative from one of our customers, Tanner Volz at iovation. During his webinar on iovation’s Security Assessment Response Process, Tanner talked about the Privacy Shield agreement, which affects US-based vendors selling to customers in Europe.
The agreement came into effect in early 2016, replacing the Safe Harbour framework. Privacy Shield outlines requirements around the use of personal data transferred from the European Union and Switzerland.
The push for increased security does not only come from the government. To make their products and services more secure, companies are setting higher security standards not just for themselves but also for their vendors. They regularly evaluate and improve their external networks, processes, and systems.
- A lot of companies conduct audits of their vendors to meet security standards such as PCI and HIPAA. Some of these audits come in standardized formats, e.g. the Standardized Information Gathering (SIG) questionnaire.
- The threshold for security standards a company wants to see from its vendors has been on the rise. More and more, companies are seeking Security certifications such as SOC 2, ISO, or COBIT from their vendors.
For example, in the world of SaaS, companies are starting to ask for SOC 2 certification from their vendors, whereas before it was sufficient to show that the vendor’s hosting provider was SOC 2 compliant.
Find a Way to Manage Your Security Assessments
It’s a good time to make your Security Assessment response process into a well-oiled machine! Not only will it help you get through those questionnaires faster, but it will also help your customers get through their audits faster.
Consider this: your customers have government regulations or their own Security teams imposing compliance requirements. The easier you can make it for your customers to meet their security requirements, the more value they will see in your partnership. Keep all your documentation and security information accessible. The last thing you want is to be digging for it when a customer asks you for compliance information.
Two Tips to Make Responding to Security Assessments Easier
These two tips will help you effectively manage any volume and size of Security Questionnaires:
- Make Security content accessible
- Create a repeatable process
No matter how many Security Questionnaires you get, there are always questions that are common across each request. Being able to easily find the necessary content and quickly get the standard questions out of the way can save you a lot of time when responding (start building a well-organized Security library with this template).
Beyond making your content accessible, you should develop a process that you can apply to all the Security and Compliance Assessments and share across your entire team (learn how iovation streamlined their process with Loopio).
Tightening government security regulations and the increasing measures that companies are taking to comply with these regulations can only mean one thing: more Security Questionnaires for vendors. So your team needs to have an efficient way of handling these requests.
The last thing you want your busy IT and security teams to do is to reinvent the wheel every time a Security Questionnaire comes in. The more assessments they have to be involved in, the less time they’ll have to focus on the core areas that can help your company close more deals.