Answering Security Questionnaires

Do you have customers that are asking you to fill out security questionnaires as part of their "due diligence" process?  Does it make you nervous to start answering questions that aren't worded clearly or fall outside of your primary domain?  

This post covers some of the basics for handling security questionnaires.  For most companies, at some point this starts to become a source of anxiety or even just time management.  Often, this type of scrutiny is what triggers companies to become securityprogram.io customers.  With a program in place, we can confidently handle the diligence reviews in a consistent way.

YES YES YES

One pitfall customers fall into is that they want to answer "yes" to every question.  This is particularly true when sales or sales engineers are responsible for answering the questions.  There are a couple of problems with answering "yes" across the board: 

1. An attentive reviewer will know that you don't know what you are talking about.
2. It could result in your company taking on more responsibility than they should and down the road being committed to spend money to implement something you said you did!

The reality is, even most larger firms can't answer yes to every question.  It is much more meaningful to know where your strong points are, maybe where you should answer "yes" and where your weak points are and you are better off answering "no".

Here are two specific examples: 

For the first item, we are using TLS.  Not only that, this would be a huge red flag to say "no" on. So for this type of item, if we were not using TLS we should take action so that we are.

For the second item, maybe we don't even know what MDM means.  It means mobile device management.  It allows you to control the installation of software and remotely wipe mobile devices if they are lost or stolen.  While MDM is a good control, and may be needed in certain security sensitive environments, it is not something that every company must do.

STANDARD?

When you get the questions, is it a big Excel file?  Maybe it is even an online system.  Does it seem just like others you have answered before, but just a little different?  We see a lot of the same questions repurposed and reused.  Our customers feel much more comfortable when they realize that a set of questions is mapped to a standard like SIG Lite or ISO 27001 or CAIQ and that there isn't any "magic" to answering them.

Unfortunately, many companies end up making their own questionnaires based on some combination of standards or questionnaires.  This makes it even harder to optimize your answers.

One thing we always do is make a directory of the responses we have made so that we can find them and hopefully refer to them as needed. We've added some of these types of features to securityprogram.io but what we really want to do is use natural language processing and let you upload a questionnaire then download it already filled out.

When we're working with any security questionnaire, we also track any places where they are asking us about things we know we need to do but aren't yet.  Then we cross reference that into our security plan.

A SECURITY PLAN WILL HELP WITH SECURITY QUESTIONNAIRES

A well-structured security plan not only helps protect you from cyber threats but also instills confidence in customers, partners, and investors. Having a security plan and systems in place that are aligned to a major standard, like NIST 800-53NIST 800-53 is a special publication by the National Institute of Standards and Technology (NIST) that provides a catalog of security and privacy controls for federal information systems and organizations. The publication outlines security requirements and guidelines for the selection, implementation, and assessment of security controls to protect the confidentiality, integrity, and availability of information systems. or ISO 27001ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information and mitigating cybersecurity risks. ISO 27001 includes a set of best practices for establishing, implementing, maintaining, and continually improving an ISMS, which helps organizations identify and manage information security risks and protect against cyber attacks. can help ensure that you have good answers for any security questionnaire. If you are feeling a bit uncertain with your security plan, take a look at securityprogram.io as a way to strengthen your security posture. 

So how to handle security questionnaires…

That’s an easy one, let Jemurai handle the burden for you. Our team of experienced professionals will expertly navigate the maze of inquiries on your behalf, ensuring accurate and comprehensive responses that highlight your company's robust security measures. With Jemurai by your side, you can focus on your core business while we take care of the details.

Stay secure!