Security Assessments: Using Excel is Bad, Word is Worse
When it comes to administering security assessments to vendors, most companies are still using an old process that has limited capabilities and functionality. If you’ve ever sent or received a 10+ page long security assessment in Word or Excel, you know what I’m talking about. The hassle it takes to go through the 100+ questions, some of which do not seem applicable or cannot be answered by you, is time consuming and a miserable experience. Even worse is the experience of the person who has to grade that assessment and compare it to others that they have received. There are a lot of problems with the current system of vendor risk management, but the bureaucracy of business sometimes gets in the way of needed change. At Privva, we’ve turned the current model of vendor risk management on its head, addressing the issues that we know you face daily. Time is limited so using a platform to manage this process will allow you to focus your resources on the high-risk areas to strengthen your network.
In the current system, communication is slow and clunky. If you’re sending and receiving assessments via email, then you’re probably communicating questions via email as well. This completely decentralizes the process of vendor risk management, lumping in assessments and questions with the rest of your already cluttered inbox. A missed email can mean a missed assessment, which could lead to a missed business opportunity. Questions being sent back and forth via email lack context and are detached from the actual process of filling out the assessment.
Using our platform, communication is centralized and the process is simplified. Instead of sending and receiving assessments via email, everything is uploaded and downloaded via a centralized, cloud-based platform. Questions can be easily posed via the platform, enabling the sender of the assessment to see the context of the question. Even better, if you’re sending out 5+ assessments, you don’t have to send and receive 5+ emails; you can simply send and receive the assessments on the platform, where they’re all organized in one place.
Another issue in the current model of vendor risk management is how to compare assessments once you receive them. If you receive 5 assessments from different vendors, it is hard to compare those efficiently. Not only are they all in separate emails, but each vendor may have answered a question differently. A lot of times vendors may answer the question the same way, but leave comments explaining their answers that might vary greatly.
To avoid this problem, and make it easier to grade assessments, Privva collects all answers and comments in one place, standardizing the process. The platform also allows you to grade responses on a sliding scale, as to differentiate from two vendors that may have the same core answer, but different processes for getting there. In Privva, you can view assessment grades side by side online, rather than on Excel, Word, or in print. This ease of comparison allows your company to make actionable decisions regarding the vendors that you want to onboard or which vendors need to be more compliant with your security benchmarks.
Questions - One size does not fit all in data security
Questions you ask your vendors should be as diverse as the services those vendors provide to you. Having one standard risk assessment may give you a baseline idea of what’s happening, but if you want to onboard a healthcare provider, should you be asking them the same questions as your HVAC provider? In addition, for most standard security questions (i.e. is your data encrypted at rest?), the acceptable response is “yes”; however, sometimes, the correct answer is no. For example, if the question is “are your servers in places where there may be a high risk of a natural disaster?”, the compliant response would be “no”. When an employee goes to review the assessment, they may be skimming for “yes” answers, and not correctly identify “no” as the correct response for that question.
At Privva, our assessment questions are curated to reflect industry standards in compliance for healthcare providers, banks, etc. In addition, questions are written in a way where the answers are clearly ranked by degree of compliance, meaning that if the 5th answer option is the most compliant for one question, it is also the most compliant for the next question, and so on. The questions are the core content of your security assessment, and they should reflect the quality that your organization projects to vendors.
We know data security is a priority across the organization not just the IT team anymore. Executive Management, Board, and Auditors are asking to review reports based on internal and external threats. Knowing third party vendors and supply chain risk pose a great threat it is important to provide summary reports of the security assessments. Using a third party vendor assessment platform allows the security assessment manager to create reports that meets the needs of each stakeholder. We want our customers to spend time on the high priority risk areas not spending time compiling results, updating them manually, then creating presentations.
If you are using Word or Excel to complete your security assessment, contact us for a demo.