Third Party Supplier Risk: 76 security questions to ask

Third Party Security Assessment

Anyone who has ever had to fill out a Third Party Risk Assessment (TPRA) will know it can be an arduous job! Often, questionnaires are supplied either:

  • Through a third party web portal (multiple forms and sometimes over 700 questions)
  • As an Excel spreadsheet (multiple sheets and sometimes over 300 questions)

After weeks or even months of completing these questionnaires, the assessing organisation (or the TPRM platform vendor acting for it) follows up with a back-and-forth of further questions designed to validate the answers supplied. Depending on time zones, these calls can fall outside normal working hours, and they are further compounded by language barriers and the interviewer's lack of technical domain expertise!

I've been talking to a number of CISOs recently from large enterprise organisations, and they are all saying the same thing: they are spending 30 hours or more a week answering audit questions!

Even those with ISO 27001 certification are not exempt from having to answer a ridiculous number of questions to satisfy the auditor, and the customer behind them, that they are "secure" and don't represent a risk to doing business.

Third Party Risk Management Platforms (TPRM)

In the last five years, a whole industry of GRC and "Third Party Risk Management Solutions" has emerged.

CyberGRX (now ProcessUnity), ServiceNow, MetricStream, Prevalent, SecurityScorecard and UpGuard are just a few of the hundreds of TPRM SaaS providers that say they can wave a magic wand and make third party risk management effortless. Broadly, most of these platforms are better than using a spreadsheet, but some of them introduce other complexities and have burdensome workflows.

For example, most offer the capability to upload your assets (policy documents, network diagrams, etc.) as evidence and store them on their platform for review. Let's think about that for a minute. Would you be comfortable uploading sensitive data into yet another third party platform, one whose whole purpose is to audit third party risk? A single platform holding the policies and network diagrams of hundreds of suppliers is itself a concentrated, high-value target. There's irony for you!

One Size fits all approach

Regardless of the platform, or spreadsheet for that matter, most audits seem to use a one-size-fits-all approach. This doesn't work, especially for smaller businesses or ones that don't capture, store or process sensitive data. As an example, in the past I've been on the receiving end of questionnaires that delve into APRA CPS 234 or PCI DSS requirements, which would be appropriate if either of those regulatory frameworks applied, but they didn't! Then you get into a cat-and-mouse game with the auditor, explaining that the 200+ questions they sent are "not applicable", so you've only answered the ones appropriate to your organisation.

In the last six years of being involved in audits, I have only ever been asked once, by a forward-thinking, innovative financial institution, whether the audit questionnaire they sent me was appropriate or the "right fit". They even asked for a meeting with their legal counsel present to walk through and sanitise a best-fit approach for their security questionnaire. After that meeting, we had a fit-for-purpose security questionnaire focused on our sector (legal), which could be completed with minimal effort from both sides and achieved an outcome that was a win-win for both parties.

Sadly, the rest of the industry has not caught on, and we continue to play the charade of audits and feed a multimillion-dollar third-party risk management industry. Given the number of breaches that are still occurring, I'm not sure that the way third-party risk management is approached today is actually fixing the problem.

Asking the right questions

If 700 questions are needed to measure an organisation's "risk profile" and produce a risk score, then you are asking far too many questions, and the wrong ones.

Use subject matter experts or, dare I say it, "AI" (for some of it at least)

When it comes to the validation phase of the audit, the platforms I mentioned earlier often use fourth-party, so-called "experts" to evaluate the answers supplied as part of the audit. I kid you not, I have been asked questions like "What is EDR?" and "Who are CloudStrike?" (rather than CrowdStrike)!

Maybe AI might be better for some of these tasks; who knows?

76 Questions and Keep Things Simple

So, let's get to the 76 questions that I've put together over the years of doing thousands of audits.  The questions are split up into the following categories of security:

  • General
  • IAM
  • Connectivity
  • Risk
  • Encryption
  • Security Awareness Training
  • Physical Security
  • Incident Response
  • Security Operations
  • PII Data
  • Software Development

In each area there are a number of questions that together should give you a good measure of a supplier's security. You can add more questions if you feel you need to or, conversely, remove questions or categories as you see fit. I know it's another spreadsheet, but hey, if you are feeling innovative, you can build your own web form and do away with the spreadsheet.
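The two ideas above, scoping the questionnaire to what actually applies to the supplier (the "right fit" conversation from the financial institution) and keeping the question set small and weighted so the follow-up calls only chase what matters, can be wired into a very small script if you do build your own form. The example below is added here and is not the author's 76-question template; the question texts, weights, the profile keys (`stores_pii`, `processes_card_data`, `apra_regulated`, `develops_software`, `network_connectivity`) and the answers are all constructed for illustration. Out-of-scope questions are never sent, "N/A" on an in-scope question is flagged as a scoping dispute rather than silently dropped, and only high-weight "no" answers are queued for the validation call.

```python
"""Scope a supplier questionnaire to the supplier's profile, then score it.

Added example, not the author's template. Question bank, weights, profile
keys and answers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Profile = Dict[str, bool]


@dataclass(frozen=True)
class Question:
    qid: str
    category: str                      # categories taken from the page's list
    text: str
    weight: int                        # 1 (low) .. 3 (high): impact of a "no"
    applies: Callable[[Profile], bool] = lambda p: True   # scoping gate


# Constructed question bank. Gates reference assumed profile keys.
BANK: List[Question] = [
    Question("GEN-1", "General", "Do you hold ISO 27001 or SOC 2 certification?", 1),
    Question("IAM-1", "IAM", "Is MFA enforced for all remote and privileged access?", 3),
    Question("CON-1", "Connectivity", "Is your connection to us restricted to named hosts and ports?", 2,
             lambda p: p["network_connectivity"]),
    Question("ENC-1", "Encryption", "Is data at rest encrypted with keys you control?", 2),
    Question("IR-1", "Incident Response", "Will you notify us of a confirmed breach within 72 hours?", 3),
    Question("PII-1", "PII Data", "Is PII retention limited and deletion on termination documented?", 2,
             lambda p: p["stores_pii"]),
    Question("SDL-1", "Software Development", "Do you run SAST/SCA and review third-party dependencies?", 2,
             lambda p: p["develops_software"]),
    Question("PCI-1", "Risk", "Do you hold a current PCI DSS Attestation of Compliance?", 3,
             lambda p: p["processes_card_data"]),
    Question("APRA-1", "Risk", "Have you mapped your controls to APRA CPS 234?", 2,
             lambda p: p["apra_regulated"]),
]

# Constructed supplier profile: a small legal-sector vendor, no card data, not APRA regulated.
PROFILE: Profile = {
    "stores_pii": True,
    "processes_card_data": False,
    "apra_regulated": False,
    "develops_software": True,
    "network_connectivity": True,
}

# Constructed answers to the scoped questionnaire.
ANSWERS: Dict[str, str] = {
    "GEN-1": "yes", "IAM-1": "yes", "CON-1": "no", "ENC-1": "yes",
    "IR-1": "yes", "PII-1": "yes", "SDL-1": "no",
}


def scope(bank: List[Question], profile: Profile) -> List[Question]:
    """Keep only the questions whose applicability gate passes for this supplier."""
    return [q for q in bank if q.applies(profile)]


def score(questions: List[Question], answers: Dict[str, str]) -> dict:
    """Weighted yes/no score in [0, 1] plus the lists the validation call should focus on.

    - "na" on an in-scope question is a scoping dispute, not a pass or a fail.
    - Only "no" answers with weight >= 2 are queued as follow-ups.
    """
    answered_weight = yes_weight = 0
    followups, disputed, unanswered = [], [], []
    for q in questions:
        a = answers.get(q.qid)
        if a is None:
            unanswered.append(q.qid)
        elif a == "na":
            disputed.append(q.qid)
        elif a in ("yes", "no"):
            answered_weight += q.weight
            if a == "yes":
                yes_weight += q.weight
            elif q.weight >= 2:
                followups.append(q.qid)
        else:
            raise ValueError(f"{q.qid}: unexpected answer {a!r}")
    ratio = yes_weight / answered_weight if answered_weight else 0.0
    return {"score": ratio, "followups": followups,
            "disputed": disputed, "unanswered": unanswered}


if __name__ == "__main__":
    scoped = scope(BANK, PROFILE)
    print(f"{len(scoped)} of {len(BANK)} questions in scope")
    result = score(scoped, ANSWERS)
    print(f"score={result['score']:.2f} follow-ups={result['followups']}")
```

Sending only the scoped list removes the "not applicable" argument before it starts; if a supplier still answers "na" to something in scope, it shows up in `disputed` and is settled as a scoping question, not buried in the score.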

Here is the link to the Third Party Risk Assessment Template.  

Let me know your thoughts on how you perform third-party risk management in your business today.

#cybersecurity #riskmanagement #datasecurity
