Vendor Risk Assessment Questionnaire Template

Table of contents

  1. Why are vendor risk assessment questionnaires important?
  2. What are the downsides of vendor risk assessment questionnaires?
  3. How can my organization build a robust vendor risk management program?
  4. A vendor risk assessment template
  5. How UpGuard can automate your vendor risk assessment questionnaires

1. Why are vendor risk assessment questionnaires important?

2. What are the downsides of vendor risk assessment questionnaires?

3. How can my organization build a robust vendor risk management program?

  1. CIS Critical Security Controls (CIS First 5 / CIS Top 20): The Center for Internet Security (CIS) is a non-profit entity that wants to safeguard private and public organizations against cyber threats. CIS's 20 controls are a prioritized set of actions to protect critical systems and data from common cyber attacks. These are high-priority, highly effective controls that reduce cybersecurity risk and map to most major frameworks such as the NIST Cybersecurity Framework, NIST 800-53 and the ISO 27000 series, and to regulations like PCI DSS, HIPAA, NERC CIP and FISMA.
  2. Consensus Assessments Initiative Questionnaire (CAIQ): CAIQ comes from the Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices for secure cloud computing. The questionnaire provides industry-accepted ways to document security controls in IaaS, PaaS and SaaS offerings. It is a set of questions that you should ask your cloud provider.
  3. NIST 800-171: The National Institute of Standards and Technology (NIST) provides guidance on cybersecurity and privacy for the U.S. through best practices and standards. The purpose of NIST 800-171 is to help protect controlled unclassified information (CUI) in nonfederal systems and organizations. It contains 14 specific security objectives with a variety of controls and maps to NIST 800-53 and ISO 27001. If your organization offers products, solutions or services to the Department of Defense (DoD), General Services Administration (GSA) or National Aeronautics and Space Administration (NASA), it must comply with NIST 800-171.
  4. Standardized Information Gathering Questionnaire (SIG / SIG-Lite): SIG and SIG-Lite were created by the Shared Assessments Program, a trusted source for third-party risk management resources including tools and best practices to manage vendor risk. The SIG questionnaire is a tool to assess cybersecurity, IT, privacy, data security and business resiliency. SIG-Lite is a compilation of higher-level questions from SIG and is generally used for low-risk vendors.
  5. VSA Questionnaire (VSAQ): The Vendor Security Alliance (VSA) is a coalition of companies committed to improving Internet security. VSAQ was first published in 2016 and is designed specifically to help companies monitor their suppliers' security practices. It contains six sections: data protection, security policy, preventative and reactive security measures, supply chain management and compliance.

4. A vendor risk assessment template

  1. Information security and privacy
  2. Physical and data center security
  3. Web application security
  4. Infrastructure security

Information security and privacy questions

  • Does your organization have a security program?
  • If so, what standards and guidelines does it follow?
  • Does your information security and privacy program cover all operations, services and systems that process sensitive data?
  • Who is responsible for managing your information security and privacy program?
  • What controls do you employ as part of your information security and privacy program?
  • Please provide a link to your public information security and/or privacy policy
  • Are there any additional details you would like to provide about your information security and privacy program?

Physical and data center security questions

  • Are you in a shared office?
  • Do you review physical and environmental risks?
  • Do you have procedures in place for business continuity in the event that your office is inaccessible?
  • Do you have a written policy for physical security requirements for your office?
  • Is your network equipment physically secured?
  • What data center providers do you use if any?
  • How many data centers store sensitive data?
  • What countries are data centers located in?
  • Are there any additional details you would like to provide about your physical and data center security program?

Web application security questions

  • What is the name of your application? And what does it do?
  • Do you have a bug bounty program or other way to report vulnerabilities?
  • Does your application require login credentials?
  • How do users get their initial password?
  • Do you have minimum password security standards?
  • How do you store passwords?
  • Do you offer single sign-on (SSO)?
  • How can users recover their credentials?
  • Does your application employ a defense in depth strategy? If so, what?
  • How do you do quality assurance?
  • Do you employ pentesting?
  • Who can we contact for more information related to your web application security?

Infrastructure security questions

  • Do you have a written network security policy?
  • Do you use a VPN?
  • Do you employ server hardening?
  • How do you keep your server operating systems patched?
  • Do you log security events?
  • What operating systems are used on your servers?
  • Do you back up your data?
  • How do you store backups?
  • Do you test backups?
  • Who manages your email infrastructure?
  • How do they prevent email spoofing (e.g. DMARC)?
  • What operating systems do employee devices use?
  • Are employee devices encrypted?
  • Do you employ a third-party to test your infrastructure security?
  • Who can we contact in relation to infrastructure security?

How UpGuard can automate your vendor risk assessment questionnaires

UpGuard
https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.