Vendor data breaches can be costly, both in terms of money and your organization’s reputation. When you partner with a vendor, you want to ensure that their cybersecurity practices are effective at preventing, detecting, and responding to incidents. A good place to start is with a vendor cybersecurity questionnaire.
But what questions should you ask? And what should you do if you have concerns about the vendor’s answers? Let’s review the top 10 questions you should consider in a questionnaire and some tips on next steps if you have concerns.
The Top 10 Vendor Cybersecurity Questions
Here are the top 10 cybersecurity questions to consider in your vendor questionnaires and why you should ask them:
- Is there a formal information security program in place?
A formal program should provide the framework for keeping the vendor at a desired security level. The program should outline specific details, such as how the vendor assesses risks, how they decide to mitigate those risks, and how they plan to keep security practices current.
- What type of security testing is performed and how often?
The vendor should have evidence of regularly scheduled vulnerability and penetration testing performed by a qualified third-party vendor. You may also need to evaluate social engineering testing that includes simulated phishing emails and employee awareness. Verify the details about how often testing is performed and the last testing date. These testing results can reveal whether the vendor is prepared to identify weaknesses and secure them before they’re exploited by an attacker.
- Is there a formal process to review user access?
One of the top reasons for exceptions in SOC reports is a failure in logical access review procedures. It’s important to verify that the vendor has a process in place to verify who should and shouldn’t have access to their system.
- Is the principle of least privilege and multi-factor authentication (MFA) implemented for remote access?
Ensure that the vendor has implemented role-based access privileges, which determine what type of data is needed for certain employees to perform their specified duties. The vendor should also confirm the presence of MFA for remote access, which helps protect against compromised credentials.
- How is data protected in transit and at rest between your vendor’s system, your organization’s system, and the end user?
Your vendor should verify that they’re always protecting your organization’s data and your customers’ data. Encrypting data both in transit and at rest helps keep it safe from unauthorized access.
- How is expired media disposed of?
Physical and electronic data can exist in multiple environments, such as hard drives, flash drives, CDs, paper documents, the cloud, and more. Data is especially vulnerable to theft and other compromises because of the widespread use of public cloud services, where it can live on shared resources and move across multiple systems. Wherever it’s stored, make sure that the vendor has a process for secure disposal. This may include the completion of a data destruction certificate when the expired media is disposed of.
- Are employees and contractors required to attend security training?
Whoever uses the vendor’s systems should be properly educated on security awareness. This reduces the likelihood of human errors that can harm the vendor’s IT infrastructure, and ultimately put your data at risk.
- What due diligence is performed on third parties before and after the contract stage?
It’s important to understand how your vendor is performing due diligence on its subcontractors (your fourth parties), especially if they have access to your data. Although you don’t have a contractual relationship with these fourth parties, you should still confirm that they’ll protect your data in a secure environment.
- Is there a formal incident management program in place?
Proper incident management and response procedures should include details on analyzing, prioritizing, and responding to cyber incidents and other security events. Breach notifications are also an important part of incident management, with multiple regulations, like HIPAA and the Interagency Guidance in the financial industry, emphasizing this requirement in vendor reporting. Incident management should be tested regularly to verify its effectiveness, and you may want to consider whether the vendor has cybersecurity insurance coverage.
- What types of technical prevention measures are in place?
Your vendor should be actively using security tools such as firewalls, anti-virus products, and intrusion detection and prevention systems to secure their network. This ensures that the proper measures are in place to protect your data.
4 Next Steps If You Have Concerns
Asking your vendor all these essential cybersecurity questions is a good first step and will reveal a lot about the thoroughness of their practices. But what if the questionnaire leaves you with some concerns about your vendor’s cybersecurity program?
Here are some next steps to consider:
- Request additional information. Some concerns might be resolved simply by asking the vendor for clarification. Maybe the issue is related to employee training that is slightly outdated. Asking for additional information might reveal that the vendor is currently in the process of scheduling another training session.
- Require further controls and testing. If your concern is about weak or ineffective controls, you may want to consider obligating the vendor to strengthen those controls and provide evidence of further testing. This is especially important to do before you sign or renew the vendor contract.
- Increase the monitoring frequency. Ongoing monitoring should be performed regardless of the information you learn from a cybersecurity questionnaire. However, some concerns might require a more frequent monitoring schedule to ensure that the controls are effective and that any new risks are immediately identified and addressed. This monitoring schedule should be set based on your organization’s risk appetite and the risk of the vendor.
- Reconsider the relationship. As you review the cybersecurity questionnaire and eventually gather more information throughout the due diligence process, you might decide that the relationship isn’t worth the risk. Always make sure to document your concerns and report them to senior management or the board so they can determine the next steps.
The next time you’re developing a vendor cybersecurity questionnaire, keep these questions in mind as a foundation for further review and discussion. Building or reviewing a questionnaire will take some time, but it’s well worth the effort to keep your organization safe from vendor risk.