Cybersecurity Awareness Month: Third Party Security Questionnaires

Posted by Tyler Ward on Oct 15, 2020 3:12:04 PM

Part of a good cybersecurity strategy is ensuring partners and vendors you work with also have good cybersecurity in order to reduce risk and exposure from third parties. It's an issue that affects many organizations, regardless of business vertical.

If you manage an organization in 2020, it is highly likely that you have received a multitude of questionnaires that seek deep technical, administrative, and organizational information about your information security and privacy posture. You may have received these from business partners, customers, legal counsel, insurance, or even financial institutions. However, there is also a high probability that none of these questionnaires are the same or even closely resemble one another.

These assessments generally fall into the responsibility of your IT Manager, CISO, or another business leader. The time that your personnel spend on these questionnaires is valuable and costly. Aside from the time that is required to answer these questions, there is also a level of liability associated as well.

Let’s take a look at an example question, answer, and potential pitfall.

Question: Does your organization encrypt sensitive client, customer, and partner information both at-rest and in-transit?

Answer: Yes, the organization encrypts all sensitive information, both at-rest and in-transit.

Pitfall: Let’s say that your organization assumed that such information was encrypted. However, a data breach has occurred, and it was revealed that a database was not actually encrypted. This resulted in an attacker gaining control of the database and underlying sensitive personal or business information. This could trigger a series of events that negatively impact your organization. By answering yes to the question above, your organization assumed liability and provided false information to a client. This could spell disaster for your organization and you could be subject to legal ramifications and damages caused by the data breach, due to false information provided.

Adding insult to injury, after an already damaging data breach, your organization is now under legal scrutiny from your client(s) that are affected by the data breach and lack of protective measures.

So, how does your organization manage these questionnaires or assessments?

One of the best methods to approach these seemingly never-ending questionnaires is to have an external firm perform a detailed assessment of your information security posture. The assessment firm would perform an unbiased, detailed, and technical analysis of your information security controls and provide answers to these difficult and potentially dangerous questions. Furthermore, the assessment firm would also provide insights and recommendations on how to elevate your security posture and place you into a legally defensible security position.

Taking on these questionnaires may appear to be a mundane, harmless, and repetitive task. However, experienced information security consultants can attest that these endless lists of questions hold far great implications than expected. Preparing for these questionnaires and assessments should be a priority for your organization as most businesses are now assessing their partners, suppliers, and providers; regardless of your business sector.

Update Frequently

Going beyond a point-in-time assessment, your organization should actively seek a third-party firm to provide such an assessment on a regular basis and also assign a primary point of contact to manage updates to these types of questions. Often times, the answers to such questions become antiquated after a short time period. Therefore, it is paramount that these are frequently updated as your information security posture changes.

This can be one of the most valuable tools within your business toolkit as information security compliance has rapidly become as aspect of every business vertical. These questionnaires and assessments should be answered by an experienced information security professional that has the requisite experience and knowledge for providing such detailed information.


  • Be proactive: Understanding that these questionnaires will continue to flow into your business is critical. Take the initiative to have a detailed assessment performed and have the answers pre-formulated so that proving your information security posture is a seamless exercise and not a frequent fire drill.
  • Assign a Qualified Individual: Assigning the Chief Financial Officer to providing responses to deep information security questionnaires may not be the best route for your organization. Ensure that these are reviewed, analyzed and answered by a qualified information security professional that understands the nuanced information being asked.
  • Acknowledge the Weight of Such Questionnaires: Understand that these questionnaires have business implications that go beyond what they may appear to hold. These questionnaires and assessments, if answered falsely, could wreak havoc on your business if there is an incident or if your organization undergoes an audit.

As always, if you have questions about your cybersecurity posture, third-party questionnaires, or compliance requirements, schedule an appointment with an IGI cybersecurity expert to discuss your needs.