I have been on the receiving end of many vendor security assessments from customers and prospects. Here are some tips to increase the likelihood that you’ll get a timely, usable response to the next vendor security assessment that you send out.
Understand what data you will be providing
One size doesn’t fit all. The level of attention and resources appropriate to a vendor security assessment will vary with the nature and extent of the data and networks that the vendor will (or may) have access to. Determine the nature of the data (e.g. financial data, health or other protected personal data, EU-origin personal data, other regulated data, sensitive intellectual property or business data), the source of the data (from which countries the data originates) and which internal systems the vendor will have access to.
Understand which products and services you are interested in
You are more likely to receive a timely, usable response if both you and the vendor understand the products and services that the vendor will be providing. For example, a vendor may offer both hosted services and on-premises licensed software. The vendor may also offer various geography-specific or market-specific products and services. If you let the vendor know which services, products and options you’re interested in, the vendor can provide the relevant information more quickly. If you ask for an assessment applicable to all products and services worldwide, you’re much less likely to get a timely, specific, usable response. A phone call to the sales or account rep at the vendor may save both you and the vendor significant assessment time.
Fit the questions to the risks
There are a number of pre-made or customizable vendor security questionnaires available, such as:
This is a Security Bloggers Network syndicated blog from The State of Security authored by Amy Grant. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/smarter-vendor-security-assessments/