Great, another security questionnaire from a potential customer. We briefly discussed these in the article “Managing the Risk of Third-Party Vendors” when we looked at things from the vendor’s perspective.
Completing security questionnaires from customers can be a tedious process. However, the positive is that larger customers are beginning to include your product in their due diligence when looking for solutions to their problems. As the saying goes, no pain, no gain, right?
| What | Start | Next |
|---|---|---|
| Customer security reviews | MVSP | Managed tool or team |
| Compliance | Risk assessment | Certification |
When large or risk averse companies seek to work with other vendors, they typically evaluate the vendor’s security baseline to ensure it meets their own standards or that they are comfortable with the associated risks. These evaluations often take the form of questionnaires, which can vary in size and complexity and are typically based on industry standards such as the CSA CCM, MVSP, SIG, ISO 27001, or PCI-DSS. The benefit of this common lineage is that you can often reuse your previous answers across different questionnaires. However, the challenge is that some customers may reword the questions based on their own experiences or risk tolerance levels.
Basics to get started?
Start by using a simple tool like the Minimum Viable Secure Product (MVSP) control list, which outlines a basic set of controls that B2B companies and others handling sensitive data should implement.
Once you have the list, fill out answers to each control with both a public facing response and a private internal only response that includes links and references to internal documentation. For example, for control 1.5 regarding security training for your team, the public response might be something generic like “All employees take part in a company-wide security awareness training session twice a year, which includes updates on recent business threats and a short quiz.” The private response would include links to evidence such as a calendar invite, the content distributed to your team, or feedback from the quiz.
While your customers may not have the exact same questions, providing this list of responses on your website can help address their concerns and build trust. You can then build off of these responses to answer any additional specific questions they may have.
Whats next?
Like many other tasks, you can automate some of the work involved in third-party risk management by using a tool designed for the purpose. Many of the tools recommended in the “Managing the Risk of Third-Party Vendors” article can be used here as well. Along with using a tool, it may be worth assigning the role of responding to these risks to a specific person or team to ensure consistency in responses.
What does Kinde do?
Kindle has a dedicated security specialist whose responsibilities include promptly responding to customer inquiries. Additionally, we hold an ISO 27001 certification which greatly reduces the number of questions we need to answer.
Achieving external compliance is a significant step in demonstrating to customers that your team takes information security seriously. Having an external auditor come into your company and scrutinize your systems and practices can be daunting. This process benefits everyone. It builds trust with your customers and forces your team to standardize common business security practices.
We’re biased towards ISO 27001 because it’s what our customers wanted from us, which means the guidance here will generally follow the ISO 27001 standard.
Read up on as much as you can about how other companies have gone about their compliance journey. Their insights and methods might work well in how you approach it. There is also a ton of information out there from compliance experts and industry forums. Their practical lessons and advice will help you figure out what works for you and your team.
Basics to get started?
Start by conducting an information security risk assessment using a control list from a security framework or standard, such as CAIQ-Lite. This option is ideal because it’s a subset of a much larger control set, aligns with other industry standards, and is freely available online. If you’re willing to pay for it, you can get a copy of the ISO 27001 standard, which includes a section called Annex A with a long list of security controls.
Note that there are many different ways to perform this risk assessment, such as starting with your information assets. We just found using a control list to start with as the easiest approach for us.
Go through the list of controls and determine whether your business and team are adhering to them. After completing a first pass, identify risks based on the responses where you needed a control, but it wasn’t applied. Some risks may encompass multiple related controls.
How you capture your risks is up to you. At the very least, the process should be documented, along with any templates to use, severity criteria, and how the risks will be treated or mitigated.
The output should be a list of risks and should help form a security strategy.
Whats next?
Certification or attestation, depending on your preferred flavor for compliance, is an important step for many organizations.
Before beginning the compliance journey, it is generally recommended to find a security partner. This could be a security consultant, local managed service provider, or one of the growing list of compliance automation vendors. Their job will be to prepare the finer details of the compliance requirements to make sure all your documentation, systems, and processes are in order to ensure a smooth audit.
And don’t rush things for the sake of compliance. Achieving certification is meant to show customers that you take information security seriously. Rushing through to get certified for the sake of being certified will likely create a bunch of out of place processes and policies that will cause more confusion than benefit.
What does Kinde do?
Kinde started out by running through a CAIQ-Lite to help identify what was already in place and what we needed to do to improve. The results spawned a few key risks that needed to be addressed before we launched our product and hired too many more new starters. You can read more details about it in our blog post Security at Kinde.
We’ve also completed our ISO 27001 certification back in April this year, which represents a huge milestone for us and validates all the hard work we continue to put into securing our systems.
Get started now
Boost security, drive conversion and save money — in just a few minutes.