How to Write An Effective Security Assessment
Remember back in the day when your cybersecurity consisted of securing your own firewalls? It was a hassle, but the factors were under your control. As long as you kept your own organization secure, you were good to go.
A lot has changed since then.
These days, 90% of businesses use some form of cloud service, 77% have at least one application in the cloud, and according to IBM projections, 98% of businesses will use some form of hybrid cloud in 2021, with two-thirds of surveyed executives reporting that such services are critical cost-cutting measures.
That’s good news for businesses–it means you’re able to provide better services than ever. But it’s bad news for your cybersecurity, since you now need to account for security practices outside your own organization. This is where a security assessment comes in. Here’s why you need one and how to write yours.
Why You Need a Security Risk Assessment
In this day and age, we don’t need to give cybersecurity a sales pitch. You already know you need it. After all, the average cost of a data breach is $4.26 million.
But knowing you need third-party risk management and applying it to your vendors’ practices are two different things. This is where security assessments come in.
Your security assessment, also called a vendor risk management questionnaire, is the basic tool of your third-party risk management process. It’s your means of collecting information from your vendors, which shapes the rest of your risk assessment going forward–including whether a vendor is the right fit for your organization.
In other words? If you don’t have a security assessment, you don’t have a risk management process.
Writing Your Security Risk Assessment
So, how do you begin writing your security assessment?
The short answer: it depends.
Much like no two vendors are alike, no two businesses are alike. Similarly, no two security assessments should be exactly alike. The trick is to write a security assessment that serves your business’s risk needs.
It is a good idea to draw some of your standard material from industry-standard questionnaires, if only because they provide an excellent place to get started. These include:
These two questionnaires alone will give you thousands of potential questions, each grouped by category. Plus, by using industry standards, you know you’ll be up-to-date with compliance. Just make sure to check the questionnaires periodically–you’re only compliant if you’re using up-to-date questions.
If you take this approach, you can then tailor your questionnaire based on issues unique to your industry. By the time you review these standards, you’ll be able to identify what’s missing.
If you’d like to structure your questionnaire on your own, here are a few essential categories and a brief review of what they should include.
As you can probably guess, governance refers to how a vendor manages its own affairs. In this case, you’re not concerned with who the CEO is. You’re concerned with who’s in charge of data governance and cybersecurity, what policies the vendor has in place, how they handle security issues, and how they protect assets.
A good way to break this down is by organization, practice, and training. For example, asking “Who is responsible for cybersecurity in your organization?” and asking for details can give you an idea of who’s calling the shots, but also the workforce responsible for managing cybersecurity. This counts as organization.
Practice involves how that governance goes into action. For example, asking how the organization prioritizes critical assets and the steps it takes to protect them are both best practices in this category.
Then there’s training, which helps ensure employees know how to contribute to cybersecurity rather than working against it. Your questions should probe cybersecurity training at all levels of the organization.
When you look at controls, you’re technically looking at three categories:
Technical controls are security measures implemented by the system through hardware and software. Process controls are tools used to monitor work processes to ensure security so that the organization can make adjustments as needed. People controls are all about mitigating the risks attached to human employees.
The best approach to controls is to separate them into three distinct categories, each with its own set of questions. This is the area where you probe the vendor’s technical security processes and best practices, so you want your questions to be specific enough to give a whole picture of the vendor’s risk approach. Otherwise, you won’t be able to assess whether their risk tolerance matches yours.
For example, one of the most basic questions in technical controls is, “Do you have a firewall?” At a more technical level, you can ask if they encrypt data at-rest and in-transit, then ask them to explicate their encryption in the comments section.
With all of these questions, anytime you run into a yes or no question, ask the vendor to explicate their processes in the comments. It doesn’t do you any good to know that the vendor installs anti-malware software on its devices if the software isn’t very good.
Last but not least are questions attached to risk. This is where you quantify the unique risk level attached to this vendor and what that means for your organization, which means the risk section is focused heavily on data.
For example, one question in the risk section is, “Do you collect, store, or transmit personally identifiable information (PII)?” From there, you can ask how PII is collected, how it’s stored, how users can access PII, and how the vendor monitors use of PII, to name a few.
Basically, this section should clarify exactly what will happen if the vendor works with PII in your system. That way, you can assess if their risk management matches your risk tolerance.
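As an added example (not code from the Privva post), here is a small checker that applies two rules from the sections above to a vendor's answers: every yes/no answer must come with an explanatory comment, and a "yes" to handling PII makes the PII follow-up questions mandatory. The question ids, the wording and the sample vendor response are constructed for illustration.

```python
# Added example, not from the Privva post. Checks a vendor's questionnaire
# responses for two gaps a reviewer must chase: bare yes/no answers with no
# explanation, and PII follow-ups left blank after PII handling was confirmed.

# qid -> (category, question text, is_yes_no); ids and wording are constructed.
QUESTIONS = {
    "gov-01": ("governance/organization", "Who is responsible for cybersecurity?", False),
    "ctl-01": ("controls/technical", "Do you have a firewall?", True),
    "ctl-02": ("controls/technical", "Do you encrypt data at rest and in transit?", True),
    "risk-01": ("risk", "Do you collect, store, or transmit PII?", True),
    "risk-02": ("risk", "How is PII collected?", False),
    "risk-03": ("risk", "How is PII stored?", False),
    "risk-04": ("risk", "How do you monitor use of PII?", False),
}
# Follow-ups that become mandatory only when the trigger question is answered "yes".
FOLLOW_UPS = {"risk-01": ["risk-02", "risk-03", "risk-04"]}
CONDITIONAL = {q for qs in FOLLOW_UPS.values() for q in qs}

def is_yes(answer):
    return answer.strip().lower() in ("yes", "y", "true")

def review(responses):
    """Return a list of (qid, category, finding) describing each gap found."""
    findings = []
    for qid, (category, _text, yes_no) in QUESTIONS.items():
        resp = responses.get(qid, {})
        answer = resp.get("answer", "").strip()
        comment = resp.get("comment", "").strip()
        # Conditional questions only apply once their trigger was answered "yes".
        if qid in CONDITIONAL:
            triggers = [t for t, qs in FOLLOW_UPS.items() if qid in qs]
            if not any(is_yes(responses.get(t, {}).get("answer", "")) for t in triggers):
                continue
        if not answer:
            findings.append((qid, category, "unanswered"))
        elif yes_no and not comment:
            # A bare yes/no says nothing about how good the control actually is.
            findings.append((qid, category, "yes/no answer without explanation"))
    return findings

# Constructed vendor response: the firewall answer has no detail, and PII is
# handled but the storage and monitoring follow-ups were left blank.
SAMPLE = {
    "gov-01": {"answer": "CISO, reporting to the COO; four-person security team"},
    "ctl-01": {"answer": "yes"},
    "ctl-02": {"answer": "yes", "comment": "AES-256 at rest, TLS 1.2+ in transit"},
    "risk-01": {"answer": "yes", "comment": "customer names and e-mail addresses"},
    "risk-02": {"answer": "web forms over HTTPS"},
}
```

Running `review(SAMPLE)` reports the firewall answer as lacking an explanation and the two missing PII follow-ups as unanswered; a vendor that answers "no" to PII handling is not asked the follow-ups at all.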
Let’s Put Your Security Assessment Into Action
We know that it can be hard to know where to begin with security assessments. A single assessment could easily have a few hundred questions, and that’s before you get to any questions that are unique to your industry. And once you collect it, you have to sift through the information.
At Privva, we offer vendor risk management solutions that make it easy to ask the right vendor the right question at the right moment. That way, you’re never doing guesswork.
Ready to take charge of your security? Get in touch to learn how we can help.