
Security Questionnaire Readiness Checklist


Page 1: Security Questionnaire Readiness Checklist

Process Performance

Let us help you improve your security environment. Our team will handle specific processes or measurement activities in your program so your team can focus on running your business.

We offer:

► Risk Assessment Management

► Third-Party Risk Assessment Responses

► Vulnerability Management

► Penetration Testing

Our Value to Your Organization

► Work with a Team of Experts

► Services tailored to your unique needs

► Visibility over your security environment

► Develop Efficient and Repeatable Processes

CONTACT US

800.203.3817

www.CISOSHARE.com

Security Questionnaire Response and Readiness

Security questionnaires, customer assessments, or third-party risk assessments are all a vital part of doing business, especially if you or a potential business partner handle any sensitive data.

While completing these questionnaires might seem like a formality, they are a good way for businesses to manage the risk that they’re taking on from their partners in their environment. The way in which you respond to a security assessment can make or break a deal with your client.

We’ve put together a checklist to help you and your team prepare and effectively answer any incoming risk assessments.


Step 1: Measure How Risky Your Business Is

□ Ask yourself the following questions. If you answer “yes” to any of them, chances are that your organization should have a strong security program in place. If you answer “no” to all of them, security might be a limited focus for your company.

• Does your product or service potentially impact human safety?

• Do you manage or have access to sensitive records on behalf of your partners or customers?

• Is customer data stored on systems that are internet-accessible?

• Does your company participate in a highly regulated industry (healthcare, finance, etc.)?

□ Understand exactly how customer or partner data flows through your environment.

□ Know what technical security safeguards are protecting this data when it’s in your environment with an effective security program.

SECURITY QUESTIONNAIRE READINESS CHECKLIST


Step 2: Assign Key Responsibilities for Completing the Assessment

You should have the following roles working on completing the questionnaire:

□ A consulting security expert, internal or outsourced, should be able to help you communicate effectively about your security program.

□ If your security expert is outsourced, make sure to have someone who understands your security environment review the answers as well.

□ Strong writing skills are important to ensuring your responses are grammatically correct with appropriate sentence structure.

□ Project management skills will help you create action-oriented responses for remediation plans, as well as manage the deliverables when remediation starts.

□ Senior management representation is important for understanding and approving any business commitments that are made during assessments.

□ Legal expertise will help you make sure that your answers are in line with your contractual obligations.

□ A sales or account representative will maintain contact at the business level throughout the questionnaire process.



Step 3: Maximize How You Respond — The Do’s and Don’ts

DO:

□ Add necessary detail to responses where you can.

□ Make sure your responses are grammatically correct and have proper sentence structure.

□ Accurately use security nomenclature.

□ Make sure any provided documentation is sent on consistent and approved templates.

□ If you have “last modified” dates on deliverables, make sure they’re up-to-date. They shouldn’t be more than a year old.

□ If you have authorized or approved bylines on your documents, use copies that are signed.

□ Limit sending documents that say “draft” and only send finals when possible.

□ Use action-oriented statements with dates for any areas identified as “deficient” and plan on remediating.

□ Build a project plan that includes all the remediation activities your team identifies.

□ Have someone with a security skill set review anything you present or say to an auditor.

□ Senior management should stay informed and be accountable for assessment responses.

□ Archive anything drafted or provided during the assessment in a central location.

□ Build an overall project plan that aggregates all remediation activities across all the assessments your company has completed.



Step 3: Maximize How You Respond — The Do’s and Don’ts

DON'T:

□ Send template documentation that isn’t specifically designed or customized for your organization.

□ Have one person perform the entire questionnaire alone.

□ Answer “N/A” for a majority of the questions.

□ Respond that you’re compliant for all of the questions if you can’t support these answers in a more detailed section.

□ Provide more information than what’s asked for, unless you’re supplying scope and schedule for remediation areas.

□ Neglect to deliver documentation in a sharp and organized manner, including using the right letterhead and updating “last modified” dates.


Step 4: Understand the Common Deal Breakers

If any of the following items are happening with data in your environment, you may have a deal breaker to address.

□ Shipping data overseas or outside the U.S.

□ Not encrypting data that’s stored in your database

□ Not encrypting data while it’s being transmitted through internet-accessible systems

□ Storing data in non-secure cloud environments


Step 5: Prepare Your Documentation

□ Overall security program documentation

• Charter

• Audit reports

• Previous remediation plans submitted to this customer

• Documented security training and awareness

• Policies, standards, and guidelines

□ Detailed process documentation

• Risk management

• Vulnerability management

• Patch management

• Incident management

• System monitoring

• User on- and off-boarding

• Disaster recovery

• Security and network architecture

□ Proof of measurement activities and results

• Documented internal and external risk assessments

• System patching notes and updates

• Quarterly pen tests and vulnerability scans

• Audit logs of user access

• Business impact analysis

• System monitoring audit reports and logs

• Internal security training and awareness activities



For more information on security questionnaires, visit our website.

www.cisoshare.com | [email protected] | +1-800-203-3817