6 tips for better supplier questionnaire management


To get the most out of your supplier management program, you must trust, but verify. These six best practices are a good place to start.

Questionnaires are an important part of understanding how your suppliers manage cyber security risk. They help you understand the investments a supplier has made in people, processes and technology that reduce risk. They are especially helpful because, frankly, there are some questions you cannot get answers to unless you ask them. But as valuable as questionnaires are for assessing third-party risk, they have shortcomings. The following best practices can strengthen your third-party risk program and get the most value out of the vendor questionnaire process.

Challenge No. 1: A longer questionnaire means greater costs.
The length of a questionnaire has financial implications. For example, according to a RiskRecon study, each additional security assessment question can cost from $11.62 to $34 - a huge range. (The range reflects economies of scale: the more questions you ask, the lower the marginal cost of adding one more.) Add $10,000 if you make on-site visits. Long questionnaires also take suppliers a long time to answer, which can slow down your business.

Best practice:
Know the scope of what you are asking.

Only ask questions you need answered. Do not ask questions that are unrelated to the relationship you have with the supplier.
Understand whether a standards-based questionnaire is right for your organization or whether you need to develop custom questions.

Challenge No. 2: The questionnaire doesn't always show you reality.
Your suppliers don't know what they don't know, and neither do you. That is a problem, because you are trusting your suppliers to give correct answers, not just their best guesses. Questionnaires are inherently biased because they are answered by the business being assessed, so you will never get completely objective answers.

Best practice:
Trust, but verify.

Ask your suppliers for objective evidence of information security performance, such as reports from independent web application and network security assessments.
Use cyber risk rating data to obtain objective verification of a large share of your assessment criteria. In our experience, risk rating data can objectively verify 25% to 55% of assessment questions. For example, a common assessment question is "Do you encrypt email communications?" A cyber risk rating provider can probe the supplier's mail servers and check whether they support email encryption via STARTTLS.
Use open source intelligence: rating vendors can characterize the quality of your supplier's network security based on passive observation alone.
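The STARTTLS check described above, as an added example that is not part of the original article and not any rating vendor's tooling. It parses an SMTP EHLO reply for the STARTTLS capability (exercised offline on constructed replies, not captures from any real server), runs the live probe against mail hosts you already know (the host list is an assumption; the example does no MX lookup), and reconciles what was observed with the supplier's questionnaire answer. The probe only ever sends EHLO, STARTTLS and QUIT; use it only against suppliers you are authorized to assess.

```python
"""Verify a supplier's "we encrypt email" answer by probing for STARTTLS.

Added example for this article, not code from any rating provider.
"""
import smtplib
import socket
import ssl
import sys

# Constructed EHLO replies (RFC 5321 format: "250-KEYWORD" continuation lines,
# "250 KEYWORD" final line). These are sample data, not captured traffic.
EHLO_WITH_STARTTLS = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_capabilities(reply: str) -> dict:
    """Return {KEYWORD: params} from a raw EHLO reply.

    The first 250 line is the server greeting, not a capability, so it is
    skipped. Keywords are case-insensitive and normalized to upper case.
    """
    caps = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()          # drop "250-" or "250 "
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply offers the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def check_mx_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live probe of one mail host: EHLO, then attempt the STARTTLS upgrade.

    A certificate that fails validation is recorded as an error with
    tls_version left None: the server offered encryption but a client
    following best practice could not establish a trusted session.
    """
    result = {"host": host, "starttls_advertised": False, "tls_version": None, "error": None}
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_advertised"] = smtp.has_extn("starttls")
            if result["starttls_advertised"]:
                smtp.starttls(context=ctx)
                result["tls_version"] = smtp.sock.version()  # e.g. "TLSv1.3"
    except (smtplib.SMTPException, socket.error, ssl.SSLError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def reconcile(vendor_claims_encryption: bool, probes: list) -> str:
    """Compare the questionnaire answer with the probe results.

    'inconclusive'  no host even answered EHLO (filtering, outage, typo);
    'confirmed'     the answer matches what every reachable host showed;
    'contradicted'  at least one reachable host disagrees with the answer.
    """
    reachable = [p for p in probes if p["error"] is None or p["starttls_advertised"]]
    if not reachable:
        return "inconclusive"
    observed = all(p["starttls_advertised"] and p["tls_version"] is not None for p in reachable)
    return "confirmed" if observed == vendor_claims_encryption else "contradicted"


if __name__ == "__main__":
    # Usage: python starttls_check.py mx1.supplier.example mx2.supplier.example
    hosts = sys.argv[1:]                 # assumed: the supplier's MX hostnames
    results = [check_mx_starttls(h) for h in hosts]
    for r in results:
        print(r)
    print("questionnaire answer 'yes, we encrypt email':", reconcile(True, results))
```

The parser and `reconcile` run offline; `check_mx_starttls` needs outbound port 25, which many corporate networks block, in which case every probe returns an error and the verdict is correctly "inconclusive" rather than "contradicted".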

Challenge No. 3: The questionnaire is usually administered on a fixed schedule.
The classic approach to assessing third parties is to sort suppliers into inherent risk tiers (high, medium, low, and so on) and then set a fixed assessment schedule for each tier. The problem is that this allocates risk resources in a way that is not risk-based: well-managed suppliers get the same assessment resources as poorly managed ones.

Instead, the frequency of the questionnaire should be based on known vendor performance.

Best practice:
Instead of assessing vendors at the same frequency (for example, all high-risk suppliers annually), make assessment frequency part of your evaluation strategy.

Determine assessment frequency based on residual risk instead of inherent risk.
Continuously monitor your supplier's rating and adjust the assessment schedule accordingly.
Set the frequency that best serves your goals.

Challenge No. 4: A generic questionnaire does not fit your supplier.
If you want to get the most out of a questionnaire, make sure you ask the right questions for your relationship with the supplier. The idea is to shape the questionnaire to the risk context you are analyzing. Not every question applies to every vendor; more importantly, you will want to ask some vendors questions that do not apply to others.

Best practice:
Know your provider, then shape the questions accordingly.

Use the questionnaire to target the data you are most interested in; don't waste time gathering information you already have.

Challenge No. 5: The questionnaire is only a snapshot in time.
Because the questionnaire must be administered by someone in your company and answered by someone at another company, the whole process takes time. Meanwhile, the supplier's digital ecosystem can change. New gaps can appear.

Best practice:
Use cyber risk ratings: they will tell you if vulnerability management performance has slipped, if your supplier has systems exhibiting malicious behavior on the Internet, and reveal a range of other problems.

Do not rely solely on supplier questionnaires; make a cyber risk rating platform an integral part of your third-party vendor security due diligence.

Challenge No. 6: Knowing which questions to ask.
Even if the supplier knows everything there is to know about its own security (which never happens), it is your responsibility to ask the right questions. Suppose you want to know whether your supplier manages all of its assets. Consider two questions: "Do you track systems in a configuration management database?" and "How do you ensure you have a complete inventory of all your systems?" The first question tells you they have bought some useful asset management software but says nothing about whether it actually tracks all their assets. The second question forces the supplier to disclose its strategy.

Best practice:
Write the question after determining what you want to explore in the answer.

Never ask yes/no questions unless they are very specific. (Example: "Is your CISO responsible for all aspects of securing my relationship with you as a critical supplier?")
Ask for details about processes, not just software purchases.

Questionnaires are useful for understanding what suppliers have invested in people, processes and technology. But using them effectively can be challenging. With some strategic thinking and planning, you can get the data you need for good risk outcomes.

Know the scope of what you are asking.
Trust, but verify.
Instead of assessing vendors at the same frequency (for example, all high-risk suppliers annually), make assessment frequency part of your evaluation strategy.
Know your provider, then shape the questions accordingly.
Write the question after determining what you want to explore in the answer.
