How to have an accurate vendor risk assessment?
Assessing your vendors, suppliers, business associates, or whatever term you use for the parties providing services to your firm, is crucial and may even be required from a regulatory standpoint (e.g. under HIPAA). I do not want to go into detail about what the best questionnaire would be, or what logic you should follow to get the best result without a spreadsheet of hundreds or thousands of questions. But I would like to emphasize one key element that can be applied to almost every single question in your RFI.
When asking questions about security policies and procedures, the “effective date” is usually overlooked during the assessment or missing from the questionnaire entirely. However, time in general is the most important factor in any security policy: the effective date, and the duration for which the policy has been enforced.
Experience shows that when suppliers face a VRA, their main concern and strategy is to avoid potentially negative answers by fixing things overnight. In practice, if a vendor is capable of fixing an issue, they prefer to mitigate it before answering the questionnaire, so they go and put new policies and new procedures in place. Sometimes those actions really are effective, but the result will not be an accurate risk assessment, because the effective date of a policy, a new security measure, or even a perfectly secure configuration matters, and the duration for which a policy has been active is crucial.
An analogy is the effectiveness of taking vitamins: while taking vitamins may be helpful, nothing changes overnight even with the best multivitamin. The body needs time; vitamins must be taken regularly for a minimum period before any benefit appears, and for longer still before all the negative effects of the deficiency are eliminated.
Changing a policy or setting up a security rule does not mitigate a risk right away, and that is why asking for effective dates and durations is so useful. For example:
Do you have a password policy? If yes, please describe the policy briefly, indicating its effective date (evidence may be requested).