When assessing a third party vendor’s security posture, there are many industry standards and security questionnaires like SIG, SOC, or CAIQ that can be used, as well as industry-specific law and regulations. Do you need them all? Which ones are more suitable to your risk assessment framework?
This comparison guide to security questionnaires will help you decide which ones to include in your third party risk management (TPRM) program. It will also help you ask the right questions so that third party relationships start on a more secure footing.
Security questionnaires are sets of technical questions to determine an organization’s security and compliance posture. They vary in length according to their scope and objective, ranging anywhere from 100 to 400 questions about security policies and procedures.
The ultimate goal of security questionnaires is to determine if a third party vendor can be trusted to adequately protect sensitive customer information. It’s a way of validating their security stance with a written assessment based on tried and true controls.
An industry standard questionnaire created by a trusted entity can be used as the starting point, but you can tailor it based on your organization’s needs or even create your own custom questionnaire to collect the data you need for your assessment.
Asking your vendors to complete security questionnaires and/or to provide supporting evidence, such as certifications, audit reports, or a recent penetration test report, is considered a cybersecurity best practice across most industries today. It is one of the key initiatives of a TPRM program, followed by risk remediation and mitigation, and by continuous monitoring throughout the relationship.
These are some of the most used industry standard security assessment methodologies:
The CAIQ was developed by the Cloud Security Alliance, a not-for-profit organization that promotes the use of best practices for providing security assurance within cloud computing.
It provides a set of Yes/No questions for cloud service providers, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings, to determine if their cloud practices are reliably secure.
Its latest version has been recently combined with the Cloud Controls Matrix, comprising a cybersecurity control framework for cloud computing. The Matrix is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. This makes it a de-facto standard for cloud security assurance and compliance.
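The Yes/No format makes a CAIQ-style response easy to score mechanically, but two things are easy to get wrong: a "Yes" with no evidence cited is a self-attestation, not a validated control, and a blank or unjustified "N/A" should count as a gap rather than silently dropping out of the denominator. The script below is an added example (not part of the original page or of the Cloud Security Alliance's own tooling); the question IDs, domain names and answers in the CSV are constructed for illustration and are not taken from the actual CAIQ or CCM.

```python
"""Score a CAIQ-style Yes/No questionnaire response and surface gaps per domain."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample extract of a vendor's response (illustrative IDs and domains,
# not real CAIQ/CCM content). Column "evidence" holds the document the vendor cites.
SAMPLE_RESPONSE_CSV = """question_id,domain,answer,evidence
IAM-01,Identity & Access Management,Yes,SOC2-2023.pdf p.14
IAM-02,Identity & Access Management,Yes,
IAM-03,Identity & Access Management,No,
CEK-01,Cryptography & Key Management,Yes,KMS-policy-v3.pdf
CEK-02,Cryptography & Key Management,N/A,customer-managed keys only
LOG-01,Logging & Monitoring,Yes,SIEM-runbook.pdf
LOG-02,Logging & Monitoring,,
"""


@dataclass
class DomainScore:
    yes: int = 0
    no: int = 0
    not_applicable: int = 0
    unanswered: int = 0
    unverified: list = field(default_factory=list)  # "Yes" with no evidence cited
    gaps: list = field(default_factory=list)        # "No", blank, or N/A with no reason

    @property
    def coverage(self) -> float:
        """Share of applicable questions answered "Yes"; blanks count against the vendor."""
        applicable = self.yes + self.no + self.unanswered
        return self.yes / applicable if applicable else 1.0


def score_response(csv_text: str) -> dict:
    """Parse the response CSV and aggregate answers by domain."""
    scores = defaultdict(DomainScore)
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = scores[row["domain"]]
        answer = (row["answer"] or "").strip().lower()
        evidence = (row["evidence"] or "").strip()
        qid = row["question_id"]
        if answer == "yes":
            d.yes += 1
            if not evidence:
                d.unverified.append(qid)  # self-attested, needs follow-up
        elif answer == "no":
            d.no += 1
            d.gaps.append(qid)
        elif answer in ("n/a", "na", "not applicable"):
            d.not_applicable += 1
            if not evidence:
                d.gaps.append(qid)  # N/A without justification is a gap
        else:
            d.unanswered += 1
            d.gaps.append(qid)
    return dict(scores)


def domains_below(scores: dict, threshold: float) -> list:
    """Domains whose coverage falls under the acceptance threshold, sorted by name."""
    return sorted(name for name, s in scores.items() if s.coverage < threshold)


if __name__ == "__main__":
    result = score_response(SAMPLE_RESPONSE_CSV)
    for name, s in sorted(result.items()):
        print(f"{name}: coverage={s.coverage:.2f} gaps={s.gaps} unverified={s.unverified}")
    print("Needs remediation:", domains_below(result, 0.8))
```

The threshold is a policy choice; in practice it would vary with the vendor's inherent risk tier, and the "unverified" list is the set of questions to push back on with an evidence request before accepting the response.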
The Center for Internet Security (CIS) is a non-profit entity that aims to safeguard private and public organizations against cyber threats.
The controls formerly known as the SANS Critical Security Controls (SANS Top 20) and later the CIS Critical Security Controls were recently consolidated and are now officially called the CIS Controls. After a revision of terminology and a regrouping of safeguards in version 8, the number of controls was reduced from 20 to 18.
The CIS Controls are a prioritized set of actions to protect critical systems and data from common cyber attacks. They map to most major frameworks such as the NIST Cybersecurity Framework, NIST 800-53, the ISO 27000 series, and regulations like PCI DSS, HIPAA, NERC CIP, and FISMA.
Developed by Shared Assessments, the SIG Questionnaire evaluates vendors across 18 risk domains to determine how they manage security risks. It is updated every year to reflect new security and privacy challenges.
There are two variants:
The National Institute of Standards and Technology (NIST) published Special Publication 800-171 to set cybersecurity requirements for non-federal organizations that handle Controlled Unclassified Information (CUI) on behalf of the U.S. federal government. Its requirements are commonly packaged as a self-assessment questionnaire, and the goal is that CUI remains confidential and unaltered in any non-federal system.
Organizations that provide solutions, services or products to the Department of Defense (DoD), the General Services Administration (GSA), or the National Aeronautics and Space Administration (NASA) must comply with it.
Your company is probably working with dozens or hundreds of third party vendors managing all kinds of business processes. While this helps to achieve business goals, it also increases the cyber risk surface as vendors access your network and sensitive data while performing their service.
Your customers trust you with their sensitive data and expect you to have adequate data protection safeguards, both internally within your organization's perimeter, and also externally.
However, vendor-caused security incidents such as data breaches have become incredibly common, with Kaseya and SolarWinds as the latest headlines. This makes vendor risk assessments and third party risk management in general a strategic business need, one capable of differentiating your company as one that takes security seriously and thus helping drive more revenue.
The ThirdPartyTrust TPRM platform allows you to set up all these questionnaires and more as part of your vendor risk assessment lifecycle. In addition, you can create your own custom questionnaires, because one size does not fit all and you can’t subject all third parties to the same set of questions.
Then, you can use their responses and any other security documentation they provide, and complement that with the integrated security ratings we provide, to get additional intelligence on their privacy and security policies, their financial strength, data breach history, and more.
This all happens in one place so you get the full third party risk picture, thus helping you develop more robust vendor relationships and maintain a secure supply chain.
Conversely, third party vendors can use the ThirdPartyTrust platform to build a single security profile, where they centralize their updated responses to all these questionnaires, certifications, and attestations.
Whenever an enterprise customer asks for a SIG or SOC report, the vendor just invites them to review those documents that are already hosted in the security profile, thus avoiding starting from scratch on every assessment or using emails and spreadsheets to answer questions.
Are you ready to refine your vendor risk assessments? Talk to a ThirdPartyTrust expert and take your TPRM to the next level.
This free strategy guide will help enterprises and third party vendors alike to simplify risk assessments. The manual approach won't cut it anymore, and it's time to shift to a more efficient approach.
Take a deep dive into the most common problems for both sides and explore tried and true solutions to fix them.