Security Assessments, Security Questionnaires, Vendor Assessments, Technical RFPs – whatever you call them – are unavoidable in the world of SaaS and are a pain to complete. Moreover, they’re a big part of closing new opportunities and maintaining or upselling existing accounts. But what many people don’t realize is that the Security Assessment response process can be made less painful and, dare we say, fun! There are resources available for making the process of responding to these Security Questionnaires more efficient.
Standardized Vendor Assessments
You’ve probably heard of standardized vendor assessments. They are becoming more and more popular for assessing Security and Compliance because they help both vendors and customers save time. These Standardized Questionnaires cover a broad spectrum of Security topics that your clients are likely to ask about. So why reinvent the wheel if you can have access to an existing one? Let’s look at the top 3:
VSAQ
VSAQ stands for Vendor Security Assessment Questionnaire. It’s a set of self-assessment Security questions that was developed by Google to help them evaluate “multiple aspects of a vendor’s security and privacy posture.” Since Google made the VSAQ Framework available to the public early last year, a lot of companies have started using it to assess their vendors.
CAIQ
The Consensus Assessments Initiative Questionnaire (CAIQ) was developed by the Cloud Security Alliance to provide “industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency.” Overall, the CAIQ contains 300 questions across 16 different areas of security.
SIG and SIG Lite
SIG and SIG Lite – Standardized Information Gathering Questionnaires – contain industry standard questions that were developed by Shared Assessments. Out of the three standardized frameworks, SIG and SIG Lite are the most comprehensive. However, a SIG Questionnaire contains over 1,500 questions and even the “Lite” version, geared towards vendors offering lower risk services, contains hundreds of questions!
1,500 questions — that’s massive! No doubt, if you answer all the questions in the SIG, you’ll get an in-depth glimpse into what most customer concerns are around Security.
But if you want to start a bit smaller, we’ve got you covered. Being a SaaS company, we’re all too familiar with Security Questionnaires and have responded to a fair share of them.
Check out the infographic below summarizing the categories of questions that we often see across Security Questionnaires.
Common questions we typically see:
- Are employees subject to background checks? Please describe the type and level of background check.
- Are employees required to sign NDAs or confidentiality agreements?
- Describe any employee access to client data.
- Is there a security incident management process in place? Please describe.
- How frequently are your information security policies reviewed?
- Is there a formal process for reporting and responding to privacy complaints or privacy incidents? Please describe.
- Are visitors permitted? Please describe what locations within your office(s) visitors have access to.
- Please describe security systems in place for visitors, including badges, supervision, and sign-in systems.
- Are closed-circuit cameras utilized at all entrances and exits in your offices?
- What third-party audits are regularly performed?
- What third-party security certifications does your organization have? When were these last updated?
- Does your organization run intrusion detection or intrusion prevention (IDS/IPS) on the network?
- Do you have alternate data centers in case of disasters?
- Does your solution support redundancy and load balancing?
- What is the recovery time from failure due to technical issues?
Our goal is to make your life simpler. So, here is a handy template to access these questions and more. Download it to get your Library started!
The answers to these questions will form the base of your security content library. Having a searchable Library will help make this content reusable so you and your team can leverage it for that next Security Questionnaire that comes in through the door!